From 5623edae66a2c6057664c5eedd0f60cb84215ed3 Mon Sep 17 00:00:00 2001 From: djust270 Date: Wed, 12 Oct 2022 14:58:52 -0400 Subject: [PATCH 001/152] Added Get-AppAUMID function --- ...ation-user-model-id-of-an-installed-app.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 27d56ce3c5..8b57c08b2f 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -109,3 +109,40 @@ listAumids("CustomerAccount") # Get a list of AUMIDs for all accounts on the device: listAumids("allusers") ``` + +## Example +The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start Menu + +```powershell +function Get-AppAUMID { +param ( +[string]$AppName +) +$Apps = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() +if ($AppName){ + $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}} + if ($Result){ + Return $Result + } + else {"Unable to locate {0}" -f $AppName} +} +else { + $Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}} + Return $Result +} +} +``` + +The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it. + +```powershell +# Get the AUMID for OneDrive +Get-AppAUMID -AppName OneDrive + +# Get the AUMID for Microsoft Word +Get-AppAUMID -AppName Word + +# List all apps and their AUMID in the Start Menu +Get-AppAUMID +``` + From 6934aed167e5e7aff7a11103d354ba4a9029a78c Mon Sep 17 00:00:00 2001 From: djust270 Date: Wed, 12 Oct 2022 14:59:15 -0400 Subject: [PATCH 002/152] Updated Get-AppAUMID --- .../find-the-application-user-model-id-of-an-installed-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 8b57c08b2f..0e134f6c34 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -118,7 +118,7 @@ function Get-AppAUMID { param ( [string]$AppName ) -$Apps = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() +$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() if ($AppName){ $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}} if ($Result){ From b1a2f3c79d904537fb2c337903c7d764f03261c6 Mon Sep 17 00:00:00 2001 From: David Just <57944742+djust270@users.noreply.github.com> Date: Thu, 13 Oct 2022 05:15:41 -0400 Subject: [PATCH 003/152] Update windows/configuration/find-the-application-user-model-id-of-an-installed-app.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../find-the-application-user-model-id-of-an-installed-app.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 0e134f6c34..4960887e14 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -111,7 +111,8 @@ listAumids("allusers") ``` ## Example -The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start Menu + +The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu. ```powershell function Get-AppAUMID { From 3635446ec3c7e6e34083ba6b64004104096a2b55 Mon Sep 17 00:00:00 2001 From: David Just <57944742+djust270@users.noreply.github.com> Date: Thu, 13 Oct 2022 05:15:53 -0400 Subject: [PATCH 004/152] Update windows/configuration/find-the-application-user-model-id-of-an-installed-app.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../find-the-application-user-model-id-of-an-installed-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 4960887e14..4e3e609d5e 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -143,7 +143,7 @@ Get-AppAUMID -AppName OneDrive # Get the AUMID for Microsoft Word Get-AppAUMID -AppName Word -# List all apps and their AUMID in the Start Menu +# List all apps and their AUMID in the Start menu Get-AppAUMID ``` From 135613a95f7b63b8b42feb39a57f59952a060094 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 30 Nov 2022 18:05:42 -0500 Subject: [PATCH 005/152] Add Update CSP --- .../mdm/policies-in-policy-csp-admx-backed.md | 2 +- ...in-policy-csp-supported-by-group-policy.md | 2 +- .../mdm/policy-csp-update.md | 7859 +++++++++-------- 3 files changed, 4034 insertions(+), 3829 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0224b374cf..87e3ab8e39 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 11/30/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index df5363e3dd..98bd07aa66 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 11/30/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7c1858edb3..f189fb67c0 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,4086 +1,4291 @@ --- -title: Policy CSP - Update -description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled. +title: Update Policy CSP +description: Learn more about the Update Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 11/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 06/15/2022 -ms.reviewer: -manager: aaroncz -ms.collection: highpri +ms.topic: reference --- + + + # Policy CSP - Update - -
- - -## Update policies - -
-
- Update/ActiveHoursEnd -
-
- Update/ActiveHoursMaxRange -
-
- Update/ActiveHoursStart -
-
- Update/AllowAutoUpdate -
-
- Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork -
-
- Update/AllowMUUpdateService -
-
- Update/AllowNonMicrosoftSignedUpdate -
-
- Update/AllowUpdateService -
-
- Update/AutoRestartDeadlinePeriodInDays -
-
- Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates -
-
- Update/AutoRestartNotificationSchedule -
-
- Update/AutoRestartRequiredNotificationDismissal -
-
- Update/AutomaticMaintenanceWakeUp -
-
- Update/BranchReadinessLevel -
-
- Update/ConfigureDeadlineForFeatureUpdates -
-
- Update/ConfigureDeadlineForQualityUpdates -
-
- Update/ConfigureDeadlineGracePeriod -
-
- Update/ConfigureDeadlineGracePeriodForFeatureUpdates -
-
- Update/ConfigureDeadlineNoAutoReboot -
-
- Update/ConfigureFeatureUpdateUninstallPeriod -
-
- Update/DeferFeatureUpdatesPeriodInDays -
-
- Update/DeferQualityUpdatesPeriodInDays -
-
- Update/DeferUpdatePeriod -
-
- Update/DeferUpgradePeriod -
-
- Update/DetectionFrequency -
-
- Update/DisableDualScan -
-
- Update/DisableWUfBSafeguards -
-
- Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -
-
- Update/EngagedRestartDeadline -
-
- Update/EngagedRestartDeadlineForFeatureUpdates -
-
- Update/EngagedRestartSnoozeSchedule -
-
- Update/EngagedRestartSnoozeScheduleForFeatureUpdates -
-
- Update/EngagedRestartTransitionSchedule -
-
- Update/EngagedRestartTransitionScheduleForFeatureUpdates -
-
- Update/ExcludeWUDriversInQualityUpdate -
-
- Update/FillEmptyContentUrls -
-
- Update/IgnoreMOAppDownloadLimit -
-
- Update/IgnoreMOUpdateDownloadLimit -
-
- Update/ManagePreviewBuilds -
-
- Update/NoUpdateNotificationDuringActiveHours -
-
- Update/PauseDeferrals -
-
- Update/PauseFeatureUpdates -
-
- Update/PauseFeatureUpdatesStartTime -
-
- Update/PauseQualityUpdates -
-
- Update/PauseQualityUpdatesStartTime -
-
- Update/PhoneUpdateRestrictions -
-
- Update/RequireDeferUpgrade -
-
- Update/RequireUpdateApproval -
-
- Update/ScheduleImminentRestartWarning -
-
- Update/ScheduleRestartWarning -
-
- Update/ScheduledInstallDay -
-
- Update/ScheduledInstallEveryWeek -
-
- Update/ScheduledInstallFirstWeek -
-
- Update/ScheduledInstallFourthWeek -
-
- Update/ScheduledInstallSecondWeek -
-
- Update/ScheduledInstallThirdWeek -
-
- Update/ScheduledInstallTime -
-
- Update/SetAutoRestartNotificationDisable -
-
- Update/SetDisablePauseUXAccess -
-
- Update/SetDisableUXWUAccess -
-
- Update/SetEDURestart -
-
- Update/SetPolicyDrivenUpdateSourceForDriverUpdates -
-
- Update/SetPolicyDrivenUpdateSourceForFeatureUpdates -
-
- Update/SetPolicyDrivenUpdateSourceForOtherUpdates -
-
- Update/SetPolicyDrivenUpdateSourceForQualityUpdates -
-
- Update/SetProxyBehaviorForUpdateDetection -
-
- Update/ProductVersion -
-
- Update/TargetReleaseVersion -
-
- Update/UpdateNotificationLevel -
-
- Update/UpdateServiceUrl -
-
- Update/UpdateServiceUrlAlternate -
-
- - -
- - -**Update/ActiveHoursEnd** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default is 17 (5 PM). - - - -ADMX Info: -- GP Friendly name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursEndTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ActiveHoursMaxRange** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - - - -ADMX Info: -- GP Friendly name: *Specify active hours range for auto-restarts* -- GP name: *ActiveHoursMaxRange* -- GP element: *ActiveHoursMaxRange* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ActiveHoursStart** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. - -The default value is 8 (8 AM). - - - -ADMX Info: -- GP Friendly name: *Turn off auto-restart for updates during active hours* -- GP name: *ActiveHours* -- GP element: *ActiveHoursStartTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/AllowAutoUpdate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - -If the policy isn't configured, end-users get the default behavior (Auto download and install). - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateMode* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page. -- 5: Turn off automatic updates. -- 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you won't get security updates as well. - - - - -
- - -**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Option to download updates automatically over metered connections (off by default). The supported value type is integer. - + + + + + +## ActiveHoursEnd + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursEnd +``` + + + +Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. **Note**: The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 17 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ActiveHours_Title | +| Friendly Name | Turn off auto-restart for updates during active hours | +| Element Name | End | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## ActiveHoursMaxRange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursMaxRange +``` + + + +Enable this policy to specify the maximum number of hours from the start time that users can set their active hours. + +The max active hours range can be set between 8 and 18 hours. + +If you disable or do not configure this policy, the default max active hours range will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[8-18]` | +| Default Value | 18 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ActiveHoursMaxRange_Title | +| Friendly Name | Specify active hours range for auto-restarts | +| Element Name | Max range | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## ActiveHoursStart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursStart +``` + + + +Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. **Note**: The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 8 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ActiveHours_Title | +| Friendly Name | Turn off auto-restart for updates during active hours | +| Element Name | Start | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## AllowAutoUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate +``` + + + +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Supported operations are Get and Replace. **Important**: This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. | +| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. | +| 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | +| 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. | +| 5 | Turn off automatic updates. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Configure automatic updating | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## AllowAutoWindowsUpdateDownloadOverMeteredNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork +``` + + + +Enabling this policy will automatically download updates, even over metered data connections (charges may apply) + + + + A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. This policy is accessible through the Update setting in the user interface or Group Policy. + - - -ADMX Info: -- GP Friendly name: *Allow updates to be downloaded automatically over metered connections* -- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) - Not allowed -- 1 - Allowed + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed | +| 1 | Allowed | + -
+ +**Group policy mapping**: - -**Update/AllowMUUpdateService** +| Name | Value | +|:--|:--| +| Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork_Title | +| Friendly Name | Allow updates to be downloaded automatically over metered connections | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork | +| ADMX File Name | WindowsUpdate.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## AllowMUUpdateService - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowMUUpdateService +``` + -
- - - + Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AllowMUUpdateServiceId* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Not configured. -- 1 - Allowed. Accepts updates received through Microsoft Update. - + + > [!NOTE] -> Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. - -``` -$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" -$MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d") -``` - - - - -
- - -**Update/AllowNonMicrosoftSignedUpdate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. - -Supported operations are Get and Replace. - -This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). This policy allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location. - - - -The following list shows the supported values: - -- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. - - - - -
- - -**Update/AllowUpdateService** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. - -Even when Windows Update is configured to receive updates from an intranet update service. It will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Update service isn't allowed. -- 1 (default) - Update service is allowed. - - - - -
- - -**Update/AutoRestartDeadlinePeriodInDays** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. - -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. - -Supported value type is integer. Default is seven days. - -Supported values range: 2-30. - -The PC must restart for certain updates to take effect. - -If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. - -If you disable or don't configure this policy, the PC will restart according to the default schedule. - -If any of the following two policies are enabled, this policy has no effect: - -1. No autorestart with signed-in users for the scheduled automatic updates installations. -2. Always automatically restart at scheduled time. - - - -ADMX Info: -- GP Friendly name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. - -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. - -Supported value type is integer. Default is 7 days. - -Supported values range: 2-30. - -The PC must restart for certain updates to take effect. - -If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. - -If you disable or don't configure this policy, the PC will restart according to the default schedule. - -If any of the following two policies are enabled, this policy has no effect: - -1. No autorestart with logged on users for the scheduled automatic updates installations. -2. Always automatically restart at scheduled time. - - - -ADMX Info: -- GP Friendly name: *Specify deadline before auto-restart for update installation* -- GP name: *AutoRestartDeadline* -- GP element: *AutoRestartDeadlineForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/AutoRestartNotificationSchedule** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT Admin to specify the period for autorestart reminder notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart reminder notifications for updates* -- GP name: *AutoRestartNotificationConfig* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, 60, 120, and 240 (minutes). - - - - -
- - -**Update/AutoRestartRequiredNotificationDismissal** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT Admin to specify the method by which the autorestart required notification is dismissed. - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart required notification for updates* -- GP name: *AutoRestartRequiredNotificationDismissal* -- GP element: *AutoRestartRequiredNotificationDismissal* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 1 (default) - Auto Dismissal. -- 2 - User Dismissal. - - - - -
- - -**Update/AutomaticMaintenanceWakeUp** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. - -> [!Note] -> If the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary. - -If you disable or don't configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. - - - -ADMX Info: -- GP Friendly name: *Automatic Maintenance WakeUp Policy* -- GP name: *WakeUpPolicy* -- GP path: *Windows Components/Maintenance Scheduler* -- GP ADMX file name: *msched.admx* - - - -Supported values: -- 0 - Disable -- 1 - Enable (Default) - - - - - - - - - -
- - -**Update/BranchReadinessLevel** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of General Availability Channel (Targeted) and General Availability Channel have been combined into one General Availability Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 isn't a supported value. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *BranchReadinessLevelId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) -- 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) -- 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted) -- 32 {0x20} - General Availability Channel. Device gets feature updates from General Availability Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the General Availability Channel and General Availability Channel (Targeted) into a single General Availability Channel with a value of 16) - - - - -
- - -**Update/ConfigureDeadlineForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineForFeatureUpdates* -- GP element: *ConfigureDeadlineForFeatureUpdates* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. - -Default value is 7. - - - - - - - - - -
- - -**Update/ConfigureDeadlineForQualityUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineForQualityUpdates* -- GP element: *ConfigureDeadlineForQualityUpdates* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. - -Default value is 7. - - - - - - - - - -
- - -**Update/ConfigureDeadlineGracePeriod** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineGracePeriod* -- GP element: *ConfigureDeadlineGracePeriod* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required quality update. - -Default value is 2. - - - - - - - - - -
- - -**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates* -- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required feature update. - -Default value is 2. - - - - - - - - - -
- - -**Update/ConfigureDeadlineNoAutoReboot** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. - -When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineNoAutoReboot* -- GP element: *ConfigureDeadlineNoAutoReboot* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values: -- 1 - Enabled -- 0 (default) - Disabled - - - - - - - - - -
- - -**Update/ConfigureFeatureUpdateUninstallPeriod** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Enable IT admin to configure feature update uninstall period. - -Values range 2 - 60 days. - -Default is 10 days. - - - - -
- - -**Update/DeferFeatureUpdatesPeriodInDays** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -Defers Feature Updates for the specified number of days. - -Supported values are 0-365 days. - -> [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *DeferFeatureUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DeferQualityUpdatesPeriodInDays** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Defers Quality Updates for the specified number of days. - -Supported values are 0-30. - - - -ADMX Info: -- GP Friendly name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *DeferQualityUpdatesPeriodId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DeferUpdatePeriod** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - -Allows IT Admins to specify update delays for up to four weeks. - -Supported values are 0-4, which refers to the number of weeks to defer updates. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -OS upgrade: -- Maximum deferral: Eight months -- Deferral increment: One month -- Update type/notes: - - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -Update: -- Maximum deferral: One month -- Deferral increment: One week -- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: - - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -Other/can't defer: - -- Maximum deferral: No deferral -- Deferral increment: No deferral -- Update type/notes: - Any update category not enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpdatePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DeferUpgradePeriod** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - -Allows IT Admins to specify other upgrade delays for up to eight months. - -Supported values are 0-8, which refers to the number of months to defer upgrades. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DetectionFrequency** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should be enabled only when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update. - - - -ADMX Info: -- GP Friendly name: *Automatic Updates detection frequency* -- GP name: *DetectionFrequency_Title* -- GP element: *DetectionFrequency_Hour2* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/DisableDualScan** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. - -For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). - -This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update." - -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP Friendly name: *Do not allow update deferral policies to cause scans against Windows Update* -- GP name: *DisableDualScan* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - Allow scan against Windows Update -- 1 - Don't allow update deferral policies to cause scans against Windows Update - - - - -
- - -**Update/DisableWUfBSafeguards** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards. - -Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. - -The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. - -IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy. - -> [!NOTE] -> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. +> Setting this policy back to 0 or Not configured doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service: > -> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. -> -> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. +> ```powershell +> $MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager" +> $MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d") +> ``` + - - -ADMX Info: -- GP Friendly name: *Disable safeguards for Feature Updates* -- GP name: *DisableWUfBSafeguards* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) - Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. -- 1 - Safeguards aren't enabled and upgrades will be deployed without blocking on safeguards. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed or not configured. | +| 1 | Allowed. Accepts updates received through Microsoft Update. | + -
+ +**Group policy mapping**: - -**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection** +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Install updates for other Microsoft products | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## AllowNonMicrosoftSignedUpdate - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate +``` + -
+ +Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. Supported operations are Get and Replace. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + - - -To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. + + + -By default, certificate pinning for Windows Update client isn't enforced. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Allow user proxy to be used as a fallback if detection using system proxy fails* -- GP name: *Allow user proxy to be used as a fallback if detection using system proxy fails* -- GP path: *Windows Update\SpecifyintranetMicrosoftupdateserviceLocation* -- GP ADMX file name: *WindowsUpdate.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 (default) - Enforce certificate pinning. -- 1 - Don't enforce certificate pinning. +| Value | Description | +|:--|:--| +| 0 | Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. | +| 1 (Default) | Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer. | + - - + + + -
+ - -**Update/EngagedRestartDeadline** + +## AllowUpdateService - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowUpdateService +``` + - -
+ +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. **Note**: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Autorestart to Engaged restart (pending user schedule) to be executed automatically, within the specified period. + +**Allowed values**: -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## AutomaticMaintenanceWakeUp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp +``` + + + +This policy setting allows you to configure Automatic Maintenance wake up policy. + +The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. + +If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. + +If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WakeUp | +| Friendly Name | Automatic Maintenance WakeUp Policy | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| Registry Value Name | WakeUp | +| ADMX File Name | msched.admx | + + + + + + + + + +## AutoRestartDeadlinePeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartDeadlinePeriodInDays +``` + + + +Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date. + +The restart may happen inside active hours. + +If you disable or do not configure this policy, the PC will restart according to the default schedule. + +Enabling either of the following two policies will override the above policy: +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartDeadline_Title | +| Friendly Name | Specify deadline before auto-restart for update installation | +| Element Name | Quality Updates (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## AutoRestartDeadlinePeriodInDaysForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates +``` + + + +For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Value type is integer. Default is 7 days. Supported values range: 2-30. **Note** that the PC must restart for certain updates to take effect. If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. If you disable or do not configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installations. Always automatically restart at scheduled time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartDeadline_Title | +| Friendly Name | Specify deadline before auto-restart for update installation | +| Element Name | Feature Updates (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## AutoRestartNotificationSchedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartNotificationSchedule +``` + + + +Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 15 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 15 (Default) | 15 Minutes | +| 30 | 30 Minutes | +| 60 | 60 Minutes | +| 120 | 120 Minutes | +| 240 | 240 Minutes | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartNotificationConfig_Title | +| Friendly Name | Configure auto-restart reminder notifications for updates | +| Element Name | Period (min) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## AutoRestartRequiredNotificationDismissal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutoRestartRequiredNotificationDismissal +``` + + + +Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds. + +The method can be set to require user action to dismiss the notification. + +If you disable or do not configure this policy, the default method will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Auto Dismissal. | +| 2 | User Dismissal. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartRequiredNotificationDismissal_Title | +| Friendly Name | Configure auto-restart required notification for updates | +| Element Name | Method | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## BranchReadinessLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel +``` + + + +Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 16 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) | +| 4 | {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) | +| 8 | {0x8} - Release Windows Insider build (added in Windows 10, version 1709) | +| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). | +| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16) | +| 64 | {0x40} - Release Preview of Quality Updates Only. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates_Title | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## ConfigureDeadlineForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForFeatureUpdates +``` + + + +Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 2 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineForFeatureUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineForFeatureUpdates | + + + + + + + + + +## ConfigureDeadlineForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForQualityUpdates +``` + + + +Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineForQualityUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineForQualityUpdates | + + + + + + + + + +## ConfigureDeadlineGracePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriod +``` + + + +Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | +| Default Value | 2 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineGracePeriod | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineGracePeriod | + + + + + + + + + +## ConfigureDeadlineGracePeriodForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1852] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriodForFeatureUpdates +``` + + + +Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineGracePeriodForFeatureUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineGracePeriodForFeatureUpdates | + + + + + + + + + +## ConfigureDeadlineNoAutoReboot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot +``` + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoReboot | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoReboot | + + + + + + + + + +## ConfigureDeadlineNoAutoRebootForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates +``` + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | + + + + + + + + + +## ConfigureDeadlineNoAutoRebootForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates +``` + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | + + + + + + + + + +## ConfigureFeatureUpdateUninstallPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod +``` + + + +Enable enterprises/IT admin to configure feature update uninstall period + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-60]` | +| Default Value | 10 | + + + + + + + + + +## DeferFeatureUpdatesPeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays +``` + + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days. **Important**: The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates_Title | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Element Name | How many days after a Feature Update is released would you like to defer the update before it is offered to the device? | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## DeferQualityUpdatesPeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays +``` + + + +Defers Quality Updates for the specified number of days. Supported values are 0-30. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates_Title | +| Friendly Name | Select when Quality Updates are received | +| Element Name | After a quality update is released, defer receiving it for this many days | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## DeferUpdatePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod +``` + + + +Note. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:Update/RequireDeferUpgrade must be set to 1System/AllowTelemetry must be set to 1 or higherIf the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. OS upgrade:Maximum deferral: 8 monthsDeferral increment: 1 monthUpdate type/notes:Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5Update:Maximum deferral: 1 monthDeferral increment: 1 weekUpdate type/notes:If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0Other/cannot defer:Maximum deferral: No deferralDeferral increment: No deferralUpdate type/notes:Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpdatePeriodId | + + + + + + + + + +## DeferUpgradePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod +``` + + + +**Note**: Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-8]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + + + + + + + + + +## DetectionFrequency + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DetectionFrequency +``` + + + +Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + + +> [!NOTE]> +> There is a random variant of 0-4 hours applied to the scan frequency, which cannot be configured. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-22]` | +| Default Value | 22 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectionFrequency_Title | +| Friendly Name | Automatic Updates detection frequency | +| Element Name | interval (hours) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## DisableDualScan + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DisableDualScan +``` + + + +Enable this policy to not allow update deferral policies to cause scans against Windows Update. + +If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled. +Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect. + + + + > [!NOTE] -> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule aren't set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. - -Supporting value type is integer. - -Default is 14. - -Supported value range: 2 - 30. - -If no deadline is specified or deadline is set to 0, the restart won't be automatically executed, and will remain Engaged restart (for example, pending user scheduling). - -If you disable or don't configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. - - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadline* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartDeadlineForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period. - -Supported value type is integer. - -Default is 14. - -Supported value range: 2-30. - -If no deadline is specified or deadline is set to 0, the restart won't be automatically executed and will remain Engaged restart (for example, pending user scheduling). - -If you disable or don't configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. - - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartDeadlineForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartSnoozeSchedule** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days. - -Supported value type is integer. - -Default is three days. - -Supported value range: 1-3. - -If you disable or don't configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. - - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartSnoozeScheduleForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days. - -Supported value type is integer. - -Default is three days. - -Supported value range: 1-3. - -If you disable or don't configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. - - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartTransitionSchedule** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Supported value type is integer. - -Default value is 7 days. - -Supported value range: 2 - 30. - -If you disable or don't configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. - - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionSchedule* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/EngagedRestartTransitionScheduleForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Supported value type is integer. - -Default value is seven days. - -Supported value range: 2-30. - -If you disable or don't configure this policy, the default behaviors will be used. - -If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. -2. Always automatically restart at scheduled time. -3. Specify deadline before autorestart for update installation. - - - -ADMX Info: -- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates* -- GP name: *EngagedRestartTransitionSchedule* -- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ExcludeWUDriversInQualityUpdate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -Allows IT Admins to exclude Windows Update (WU) drivers during updates. - - - -ADMX Info: -- GP Friendly name: *Do not include drivers with Windows Updates* -- GP name: *ExcludeWUDriversInQualityUpdate* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Allow Windows Update drivers. -- 1 - Exclude Windows Update drivers. - - - - -
- - -**Update/FillEmptyContentUrls** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). - +> For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | allow scan against Windows Update | +| 1 | do not allow update deferral policies to cause scans against Windows Update | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDualScan_Title | +| Friendly Name | Do not allow update deferral policies to cause scans against Windows Update | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | DisableDualScan | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## DisableWUfBSafeguards + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [17763.1490] and later
:heavy_check_mark: Unknown [18362.1110] and later
:heavy_check_mark: Unknown [18363.1110] and later
:heavy_check_mark: Unknown [19041.546] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. | +| 1 | Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. | + + + + + + + + + +## DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18818] and later
:heavy_check_mark: Windows 10, version 1607 [10.0.14393.4169] and later
:heavy_check_mark: Windows 10, version 1703 [10.0.15063.2108] and later
:heavy_check_mark: Windows 10, version 1709 [10.0.16299.2166] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1967] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.1697] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1316] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363.1316] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.746] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.746] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection +``` + + + +Do not enforce TLS certificate pinning for Windows Update client for detecting updates. + + + + > [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server. +> To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. + - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUFillEmptyContentUrls* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) - Disabled. -- 1 - Enabled. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
+ +**Group policy mapping**: - -**Update/IgnoreMOAppDownloadLimit** +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Do not enforce TLS certificate pinning for Windows Update client for detecting updates. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## EngagedRestartDeadline - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartDeadline +``` + -
+ +For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. **Note**: If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + - - -Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + + + -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 14 | + -- 0 (default) - Don't ignore MO download limit for apps and their updates. -- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates. + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule_Title | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## EngagedRestartDeadlineForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartDeadlineForFeatureUpdates +``` + + + +For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-30]` | +| Default Value | 14 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule_Title | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## EngagedRestartSnoozeSchedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartSnoozeSchedule +``` + + + +For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-3]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule_Title | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Snooze (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## EngagedRestartSnoozeScheduleForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartSnoozeScheduleForFeatureUpdates +``` + + + +For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-3]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule_Title | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Snooze (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## EngagedRestartTransitionSchedule + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartTransitionSchedule +``` + + + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. + +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. + +If you disable or do not configure this policy, the PC will restart following the default schedule. + +Enabling any of the following policies will override the above policy: +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time +3. Specify deadline before auto-restart for update installation + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule_Title | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Transition (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## EngagedRestartTransitionScheduleForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/EngagedRestartTransitionScheduleForFeatureUpdates +``` + + + +For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Value type is integer. Default value is 7 days. Supported value range: 2 - 30. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EngagedRestartTransitionSchedule_Title | +| Friendly Name | Specify Engaged restart transition and notification schedule for updates | +| Element Name | Transition (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## ExcludeWUDriversInQualityUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ExcludeWUDriversInQualityUpdate +``` + + + +Enable this policy to not include drivers with Windows quality updates. + +If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Windows Update drivers. | +| 1 | Exclude Windows Update drivers. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExcludeWUDriversInQualityUpdate_Title | +| Friendly Name | Do not include drivers with Windows Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | ExcludeWUDriversInQualityUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## FillEmptyContentUrls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/FillEmptyContentUrls +``` + + + +Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). **Note**: This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Download files with no Url in the metadata if alternate download server is set. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## IgnoreMOAppDownloadLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOAppDownloadLimit +``` + + + +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators. + + + + To validate this policy: -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in [TShell](/windows-hardware/manufacture/desktop/factoryos/connect-using-tshell): + ```TShell - exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' ``` + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Update/IgnoreMOUpdateDownloadLimit** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not ignore MO download limit for apps and their updates. | +| 1 | Ignore MO download limit (allow unlimited downloading) for apps and their updates. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IgnoreMOUpdateDownloadLimit -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOUpdateDownloadLimit +``` + - - -Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators. + -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - -The following list shows the supported values: - -- 0 (default) - Don't ignore MO download limit for OS updates. -- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates. - - - + + To validate this policy: -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: + ```TShell - exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' ``` + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Update/ManagePreviewBuilds** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not ignore MO download limit for OS updates. | +| 1 | Ignore MO download limit (allow unlimited downloading) for OS updates. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ManagePreviewBuilds -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds +``` + - - -Used to manage Windows 10 Insider Preview builds. + +Used to manage Windows 10 Insider Preview builds. Value type is integer. + -Supported value type is integer. + + + - - -ADMX Info: -- GP Friendly name: *Manage preview builds* -- GP name: *ManagePreviewBuilds* -- GP element: *ManagePreviewBuildsId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + -- 0 - Disable Preview builds. -- 1 - Disable Preview builds once the next release is public. -- 2 - Enable Preview builds. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Disable Preview builds | +| 1 | Disable Preview builds once the next release is public | +| 2 | Enable Preview builds | +| 3 (Default) | Preview builds is left to user selection | + -
+ +**Group policy mapping**: - -**Update/NoUpdateNotificationDuringActiveHours** +| Name | Value | +|:--|:--| +| Name | ManagePreviewBuilds_Title | +| Friendly Name | Manage preview builds | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## NoUpdateNotificationsDuringActiveHours - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/NoUpdateNotificationsDuringActiveHours +``` + -
+ +When enabled, notifications will only be disabled during active hours. Takes effect only if Update/UpdateNotificationLevel is configured to 1 or 2. To ensure that the device stays secure, a notification will still be shown if this option is selected once “Specify deadlines for automatic updates and restarts” deadline has been reached if configured, regardless of active hours. + - - -This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. - -Supported value type is a boolean. - -0 (Default) This configuration will provide the default behavior (notifications may display during active hours) -1: This setting will prevent notifications from displaying during active hours. - - - -ADMX Info: -- GP Friendly name: *Display options for update notifications* -- GP name: *NoUpdateNotificationDuringActiveHours* -- GP element: *NoUpdateNotificationDuringActiveHours* -- GP path: *Windows Components\WindowsUpdate\Manage end user experience* -- GP ADMX file name: *WindowsUpdate.admx* - - - -
- - - -**Update/PauseDeferrals** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - -Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. - -If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *PauseDeferralsId* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Deferrals aren't paused. -- 1 - Deferrals are paused. - - - - -
- - -**Update/PauseFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -Allows IT Admins to pause feature updates for up to 35 days. We recommend that you use the *Update/PauseFeatureUpdatesStartTime* policy, if you're running Windows 10, version 1703 or later. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Feature Updates aren't paused. -- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. - - - - -
- - -**Update/PauseFeatureUpdatesStartTime** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. - -- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28). -- Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP Friendly name: *Select when Preview Builds and Feature Updates are received* -- GP name: *DeferFeatureUpdates* -- GP element: *PauseFeatureUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/PauseQualityUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows IT Admins to pause quality updates. For those running Windows 10, version 1703 or later, we recommend that you use *Update/PauseQualityUpdatesStartTime* instead. - - - -ADMX Info: -- GP Friendly name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Quality Updates aren't paused. -- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -
- - -**Update/PauseQualityUpdatesStartTime** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. - -- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28). -- Supported operations are Add, Get, Delete, and Replace. - - - -ADMX Info: -- GP Friendly name: *Select when Quality Updates are received* -- GP name: *DeferQualityUpdates* -- GP element: *PauseQualityUpdatesStartId* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/PhoneUpdateRestrictions** - - -This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead. - - - - -
- - -**Update/ProductVersion** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product. - -If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information). - - - -ADMX Info: -- GP Friendly name: *Select the target Feature Update version* -- GP name: *TargetReleaseVersion* -- GP element: *ProductVersion* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". - - - - - - - - -By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device, either: +> This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. If no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NoUpdateNotificationsDuringActiveHours | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | NoUpdateNotificationsDuringActiveHours | + + + + + + + + + +## PauseDeferrals + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseDeferrals +``` + + + +**Note**: Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Deferrals are not paused. | +| 1 | Deferrals are paused. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | PauseDeferralsId | + + + + + + + + + +## PauseFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdates +``` + + + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days. + + + + +> [!NOTE] +> We recommend that you use the Update/PauseFeatureUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feature Updates are not paused. | +| 1 | Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates_Title | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## PauseFeatureUpdatesStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdatesStartTime +``` + + + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates_Title | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Element Name | Pause Preview Builds or Feature Updates starting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## PauseQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates +``` + + + +Allows IT Admins to pause Quality Updates. + + + + +> [!NOTE] +> We recommend that you use the Update/PauseQualityUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Quality Updates are not paused. | +| 1 | Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates_Title | +| Friendly Name | Select when Quality Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## PauseQualityUpdatesStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdatesStartTime +``` + + + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. + + + + +> [!NOTE] +> When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates_Title | +| Friendly Name | Select when Quality Updates are received | +| Element Name | Pause Quality Updates starting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## PhoneUpdateRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PhoneUpdateRestrictions +``` + + + +This policy is deprecated. Use Update/RequireUpdateApproval instead. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4]` | +| Default Value | 4 | + + + + + + + + + +## ProductVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ProductVersion +``` + + + +Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows release information. + + + + +Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device: 1. The applicable Windows license was purchased through volume licensing, or +2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms found here: . -2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). - -
- - -**Update/RequireDeferUpgrade** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. +> If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. + -Allows the IT admin to set a device to General Availability Channel train. + +**Description framework properties**: - - -ADMX Info: -- GP name: *DeferUpgrade* -- GP element: *DeferUpgradePeriodId* -- GP ADMX file name: *WindowsUpdate.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 (default) - User gets upgrades from General Availability Channel (Targeted). -- 1 - User gets upgrades from General Availability Channel. +| Name | Value | +|:--|:--| +| Name | ProductVersion | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat > DeferUpdateCat | +| Element Name | ProductVersionId | + - - + + + -
+ - -**Update/RequireUpdateApproval** + +## RequireDeferUpgrade - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade +``` + - -
+ +**Note**: Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User gets upgrades from Semi-Annual Channel (Targeted). | +| 1 | User gets upgrades from Semi-Annual Channel. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + + + + + + + + + +## RequireUpdateApproval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval +``` + + + +**Note**: If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not configured. The device installs all applicable updates. | +| 1 | The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. | + + + + + + + + + +## ScheduledInstallDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallDay +``` + + + +Enables the IT admin to schedule the day of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. + + + + > [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + -Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved. + +**Description framework properties**: -Supported operations are Get and Replace. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 - Not configured. The device installs all applicable updates. -- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. +| Value | Description | +|:--|:--| +| 0 (Default) | Every day | +| 1 | Sunday | +| 2 | Monday | +| 3 | Tuesday | +| 4 | Wednesday | +| 5 | Thursday | +| 6 | Friday | +| 7 | Saturday | + - - + +**Group policy mapping**: -
+| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Scheduled install day | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + - -**Update/ScheduleImminentRestartWarning** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ScheduledInstallEveryWeek - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallEveryWeek +``` + -> [!div class = "checklist"] -> * Device + +Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every week + -
- - - -Allows the IT Admin to specify the period for autorestart imminent warning notifications. - -The default value is 15 (minutes). - - - -ADMX Info: -- GP Friendly name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarn* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported values are 15, 30, or 60 (minutes). - - - - -
- - -**Update/ScheduleRestartWarning** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + -Allows the IT Admin to specify the period for autorestart warning reminder notifications. + +**Description framework properties**: -The default value is 4 (hours). +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -ADMX Info: -- GP Friendly name: *Configure auto-restart warning notifications schedule for updates* -- GP name: *RestartWarnRemind* -- GP element: *RestartWarnRemind* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + +**Allowed values**: - - -Supported values are 2, 4, 8, 12, or 24 (hours). +| Value | Description | +|:--|:--| +| 0 | no update in the schedule | +| 1 (Default) | update is scheduled every week | + - - + +**Group policy mapping**: -
+| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Every week | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + - -**Update/ScheduledInstallDay** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ScheduledInstallFirstWeek - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFirstWeek +``` + -> [!div class = "checklist"] -> * Device + +Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every first week of the month + -
- - - + + > [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + -Enables the IT admin to schedule the day of the update installation. + +**Description framework properties**: -Supported data type is an integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported operations are Add, Delete, Get, and Replace. + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchDay* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | no update in the schedule | +| 1 | update is scheduled every first week of the month | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 (default) - Every day -- 1 - Sunday -- 2 - Monday -- 3 - Tuesday -- 4 - Wednesday -- 5 - Thursday -- 6 - Friday -- 7 - Saturday +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | First week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + - - + + + -
+ - -**Update/ScheduledInstallEveryWeek** + +## ScheduledInstallFourthWeek - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFourthWeek +``` + - -
+ +Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every fourth week of the month + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + > [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + -Enables the IT admin to schedule the update installation on every week. + +**Description framework properties**: -Supported Value type is integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every week. + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | no update in the schedule | +| 1 | update is scheduled every fourth week of the month | + - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchEveryWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Fourth week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + -
+ + + - -**Update/ScheduledInstallFirstWeek** + - -The table below shows the applicability of Windows: + +## ScheduledInstallSecondWeek -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallSecondWeek +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every second week of the month + -> [!div class = "checklist"] -> * Device - -
- - - + + > [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + -Enables the IT admin to schedule the update installation on the first week of the month. + +**Description framework properties**: -Supported value type is integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every first week of the month. + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | no update in the schedule | +| 1 | update is scheduled every second week of the month | + - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchFirstWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Second week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + -
+ + + - -**Update/ScheduledInstallFourthWeek** + - -The table below shows the applicability of Windows: + +## ScheduledInstallThirdWeek -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallThirdWeek +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every third week of the month + -> [!div class = "checklist"] -> * Device - -
- - - + + > [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + -Enables the IT admin to schedule the update installation on the fourth week of the month. + +**Description framework properties**: -Supported value type is integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every fourth week of the month. + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | no update in the schedule | +| 1 | update is scheduled every third week of the month | + - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallFourthWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Third week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + -
+ + + - -**Update/ScheduledInstallSecondWeek** + - -The table below shows the applicability of Windows: + +## ScheduledInstallTime -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Note**: This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + -> [!div class = "checklist"] -> * Device - -
- - - + + > [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on the second week of the month. - -Supported value type is integer. - -Supported values: - -- 0 - no update in the schedule. -- 1 - update is scheduled every second week of the month. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallSecondWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ScheduledInstallThirdWeek** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the update installation on the third week of the month. - -Supported value type is integer. - -Supported values: -- 0 - no update in the schedule. -- 1 - update is scheduled every third week of the month. - - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *ScheduledInstallThirdWeek* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/ScheduledInstallTime** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy will only take effect if Update/AllowAutoUpdate has been configured to option 3 or 4 for scheduled installation. - -Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation. - -The supported data type is an integer. - -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - - - -ADMX Info: -- GP Friendly name: *Configure Automatic Updates* -- GP name: *AutoUpdateCfg* -- GP element: *AutoUpdateSchTime* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/SetAutoRestartNotificationDisable** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the IT Admin to disable autorestart notifications for update installations. - - - -ADMX Info: -- GP Friendly name: *Turn off auto-restart notifications for update installations* -- GP name: *AutoRestartNotificationDisable* -- GP element: *AutoRestartNotificationSchd* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Enabled -- 1 - Disabled - - - - -
- - -**Update/SetDisablePauseUXAccess** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user can't access the "Pause updates" feature. - -Supported value type is integer. - -Default is 0. - -Supported values 0, 1. - - - -ADMX Info: -- GP name: *SetDisablePauseUXAccess* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/SetDisableUXWUAccess** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. - -Supported value type is integer. - -Default is 0. - -Supported values 0, 1. - - - -ADMX Info: -- GP name: *SetDisableUXWUAccess* -- GP ADMX file name: *WindowsUpdate.admx* - - - - -
- - -**Update/SetEDURestart** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. - -When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period, after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. - - - -ADMX Info: -- GP Friendly name: *Update Power Policy for Cart Restarts* -- GP name: *SetEDURestart* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 - not configured -- 1 - configured - - - - -
- - -**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeatureUpdates -- SetPolicyDrivenUpdateSourceForQualityUpdates -- SetPolicyDrivenUpdateSourceForOtherUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForDriver* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Drivers from Windows Update. -- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS). - - - - -
- - -**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForQualityUpdates -- SetPolicyDrivenUpdateSourceForDriverUpdates -- SetPolicyDrivenUpdateSourceForOtherUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForFeature* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update. -- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS). - - - - -
- - -**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeatureUpdates -- SetPolicyDrivenUpdateSourceForQualityUpdates -- SetPolicyDrivenUpdateSourceForDriverUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForOther* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Other updates from Windows Update. -- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS). - - - - -
- - -**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. - -If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeatureUpdates -- SetPolicyDrivenUpdateSourceForDriverUpdates -- SetPolicyDrivenUpdateSourceForOtherUpdates - ->[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. - - - -ADMX Info: -- GP Friendly name: *Specify source service for specific classes of Windows Updates* -- GP name: *SetPolicyDrivenUpdateSourceForQuality* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update. -- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS). - - - - -
- - -**Update/SetProxyBehaviorForUpdateDetection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. +> +> - This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. +> - There is a window of approximately 30 minutes to allow for higher success rates of installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Scheduled install time | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## ScheduleImminentRestartWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduleImminentRestartWarning +``` + + + +Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 15 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 15 (Default) | 15 Minutes | +| 30 | 30 Minutes | +| 60 | 60 Minutes | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestartWarningSchd_Title | +| Friendly Name | Configure auto-restart warning notifications schedule for updates | +| Element Name | Warning (mins) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## ScheduleRestartWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduleRestartWarning +``` + + + +Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed. + +Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user. + +You can specify the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work. + +If you disable or do not configure this policy, the default notification behaviors will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 4 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | 2 Hours | +| 4 (Default) | 4 Hours | +| 8 | 8 Hours | +| 12 | 12 Hours | +| 24 | 24 Hours | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestartWarningSchd_Title | +| Friendly Name | Configure auto-restart warning notifications schedule for updates | +| Element Name | Reminder (hours) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetAutoRestartNotificationDisable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable +``` + + + +Allows the IT Admin to disable auto-restart notifications for update installations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enabled | +| 1 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartNotificationDisable_Title | +| Friendly Name | Turn off auto-restart notifications for update installations | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetDisablePauseUXAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetDisablePauseUXAccess +``` + + + +This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user cannot access the Pause updates feature. Value type is integer. Default is 0. Supported values 0, 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetDisablePauseUXAccess | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | + + + + + + + + + +## SetDisableUXWUAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetDisableUXWUAccess +``` + + + +This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. Value type is integer. Default is 0. Supported values 0, 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetDisableUXWUAccess | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | + + + + + + + + + +## SetEDURestart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetEDURestart +``` + + + +Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | not configured | +| 1 | configured | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetEDURestart_Title | +| Friendly Name | Update Power Policy for Cart Restarts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetEDURestart | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetPolicyDrivenUpdateSourceForDriverUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForDriverUpdates +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Driver Updates from Windows Update | +| 1 (Default) | Detect, download and deploy Driver Updates from Windows Server Update Services (WSUS) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetPolicyDrivenUpdateSourceForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Feature Updates from Windows Update | +| 1 (Default) | Detect, download and deploy Feature Updates from Windows Server Update Services (WSUS) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetPolicyDrivenUpdateSourceForOtherUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForOtherUpdates +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy other Updates from Windows Update | +| 1 (Default) | Detect, download and deploy other Updates from Windows Server Update Services (WSUS) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetPolicyDrivenUpdateSourceForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForQualityUpdates +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Quality Updates from Windows Update | +| 1 (Default) | Detect, download and deploy Quality Updates from Windows Server Update Services (WSUS) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## SetProxyBehaviorForUpdateDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18696] and later
:heavy_check_mark: Windows 10, version 1607 [10.0.14393.3930] and later
:heavy_check_mark: Windows 10, version 1703 [10.0.15063.2500] and later
:heavy_check_mark: Windows 10, version 1709 [10.0.16299.2107] and later
:heavy_check_mark: Windows 10, version 1803 [10.0.17134.1726] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.1457] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1082] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363.1082] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.508] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetProxyBehaviorForUpdateDetection +``` + + + +Select the proxy behavior for Windows Update client for detecting updates + + + + +By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. - - -ADMX Info: -- GP Friendly name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service* -- GP name: *Select the proxy behavior* -- GP element: *Select the proxy behavior* -- GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- 0 (default) - Allow system proxy only for HTTP scans. -- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. - > [!NOTE] > Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Update/TargetReleaseVersion** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Only use system proxy for detecting updates (default) | +| 1 | Allow user proxy to be used as a fallback if detection using system proxy fails | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
+| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Select the proxy behavior for Windows Update client for detecting updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ +## TargetReleaseVersion - - -Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information/). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1488] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363.836] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - - -ADMX Info: -- GP Friendly name: *Select the target Feature Update version* -- GP name: *TargetReleaseVersion* -- GP element: *TargetReleaseVersionInfo* -- GP path: *Windows Components/Windows Update/Windows Update for Business* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supported value type is a string containing Windows 10 version number. For example, 1809, 1903. - - - - - - - - - -
- - -**Update/UpdateNotificationLevel** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. - -Options: - -- 0 (default) - Use the default Windows Update notifications. -- 1 - Turn off all notifications, excluding restart warnings. -- 2 - Turn off all notifications, including restart warnings. - -> [!IMPORTANT] -> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. - - - -ADMX Info: -- GP Friendly name: *Display options for update notifications* -- GP name: *UpdateNotificationLevel* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - - - - - - -
- - -**Update/UpdateServiceUrl** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy isn't supported in IoT Mobile. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. This setting is useful for on-premises MDMs that need to update devices that can't connect to the Internet. - -Supported operations are Get and Replace. - - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUURL_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* - - - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - - - -Example - -```xml - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion ``` + - - + +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows 10 release information. + -
+ + + - -**Update/UpdateServiceUrlAlternate** + +**Description framework properties**: - -The table below shows the applicability of Windows: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
+| Name | Value | +|:--|:--| +| Name | TargetReleaseVersion_Title | +| Friendly Name | Select the target Feature Update version | +| Element Name | Target Version for Feature Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ +## UpdateNotificationLevel - - -Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel +``` + -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +0 (default) – Use the default Windows Update notifications +1 – Turn off all notifications, excluding restart warnings +2 – Turn off all notifications, including restart warnings -Supported value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. -> [!NOTE] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. -> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs. +Important: if you choose not to get update notifications and also define other Group policy so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. - - -ADMX Info: -- GP Friendly name: *Specify intranet Microsoft update service location* -- GP name: *CorpWuURL* -- GP element: *CorpWUContentHost_Name* -- GP path: *Windows Components/Windows Update* -- GP ADMX file name: *WindowsUpdate.admx* +If you select “Apply only during active hours” in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting “Turn off auto-restart for updates during active hours” or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once “Specify deadlines for automatic updates and restarts” deadline has been reached if configured, regardless of active hours. + - - -
+ + + - + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Use the default Windows Update notifications | +| 1 | Turn off all notifications, excluding restart warnings | +| 2 | Turn off all notifications, including restart warnings | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UpdateNotificationLevel_Title | +| Friendly Name | Display options for update notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetUpdateNotificationLevel | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## UpdateServiceUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl +``` + + + +**Important**: Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | CorpWSUS | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Set the intranet update service for detecting updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +## UpdateServiceUrlAlternate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrlAlternate +``` + + + +Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. **Note**: If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Set the alternate download server | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From d9a3e34206b9720bc85478eb7253be37426de486 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 7 Dec 2022 12:55:52 -0500 Subject: [PATCH 006/152] Add more CSPs --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 +- ...in-policy-csp-supported-by-group-policy.md | 5 +- .../policy-configuration-service-provider.md | 34 +- .../mdm/policy-csp-smartscreen.md | 331 +- .../mdm/policy-csp-system.md | 3342 ++++++++++------- .../mdm/policy-csp-troubleshooting.md | 164 +- .../mdm/policy-csp-update.md | 191 +- ...olicy-csp-windowsdefendersecuritycenter.md | 2614 +++++++------ .../mdm/policy-csp-windowsinkworkspace.md | 230 +- .../mdm/policy-csp-windowspowershell.md | 161 +- .../mdm/policy-csp-windowssandbox.md | 658 ++-- .../mdm/policy-csp-wirelessdisplay.md | 1047 +++--- windows/client-management/mdm/toc.yml | 4 +- 13 files changed, 4956 insertions(+), 3829 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 87e3ab8e39..e4f4d3a06c 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/30/2022 +ms.date: 12/07/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2927,6 +2927,7 @@ This article lists the ADMX-backed policies in Policy CSP. - [ConfigureRpcListenerPolicy](policy-csp-printers.md) - [ConfigureRpcConnectionPolicy](policy-csp-printers.md) - [ConfigureRpcTcpPort](policy-csp-printers.md) +- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md) - [ConfigureIppPageCountsPolicy](policy-csp-printers.md) - [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) @@ -2987,6 +2988,7 @@ This article lists the ADMX-backed policies in Policy CSP. ## SettingsSync - [DisableAccessibilitySettingSync](policy-csp-settingssync.md) +- [DisableLanguageSettingSync](policy-csp-settingssync.md) ## Storage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 98bd07aa66..6c10428c97 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/30/2022 +ms.date: 12/07/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -317,12 +317,14 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md) - [DOCacheHost](policy-csp-deliveryoptimization.md) - [DOCacheHostSource](policy-csp-deliveryoptimization.md) +- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md) - [DOGroupIdSource](policy-csp-deliveryoptimization.md) - [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md) - [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md) - [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md) - [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md) - [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md) +- [DOVpnKeywords](policy-csp-deliveryoptimization.md) ## DeviceGuard @@ -877,6 +879,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md) +- [CaptureThreatWindow](policy-csp-webthreatdefense.md) ## Wifi diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 283417da87..03c3eb3bb2 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/22/2022 +ms.date: 12/07/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -94,6 +94,7 @@ The following example shows the Policy configuration service provider in tree fo + Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. @@ -132,7 +133,8 @@ Node for grouping all policies configured by one source. The configuration sourc -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -171,7 +173,8 @@ The area group that can be configured by a single technology for a single provid -Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -218,6 +221,7 @@ The following list shows some tips to help you when configuring policies: + The root node for grouping different configuration operations. @@ -256,6 +260,7 @@ The root node for grouping different configuration operations. + Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}. @@ -298,6 +303,7 @@ Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported + Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. @@ -337,6 +343,7 @@ Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX f + Setting Type of Win32 App. Policy Or Preference @@ -376,6 +383,7 @@ Setting Type of Win32 App. Policy Or Preference + Unique ID of ADMX file @@ -415,6 +423,7 @@ Unique ID of ADMX file + Properties of Win32 App ADMX Ingestion @@ -453,6 +462,7 @@ Properties of Win32 App ADMX Ingestion + Setting Type of Win32 App. Policy Or Preference @@ -492,6 +502,7 @@ Setting Type of Win32 App. Policy Or Preference + Unique ID of ADMX file @@ -531,7 +542,8 @@ Unique ID of ADMX file -Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device. + +Version of ADMX file. This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device. @@ -569,6 +581,7 @@ Version of ADMX file. This can be set by the server to keep a record of the ver + Groups the evaluated policies from all providers that can be configured. @@ -607,6 +620,7 @@ Groups the evaluated policies from all providers that can be configured. + The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -646,6 +660,7 @@ The area group that can be configured by a single technology independent of the + Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -685,6 +700,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f + Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. @@ -723,7 +739,8 @@ Node for grouping all policies configured by one source. The configuration sourc -The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. + +The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -770,7 +787,8 @@ The following list shows some tips to help you when configuring policies: -Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. + +Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -809,6 +827,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs + Groups the evaluated policies from all providers that can be configured. @@ -847,6 +866,7 @@ Groups the evaluated policies from all providers that can be configured. + The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured. @@ -886,6 +906,7 @@ The area group that can be configured by a single technology independent of the + Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure. @@ -1073,7 +1094,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [Browser](policy-csp-browser.md) - [Camera](policy-csp-camera.md) - [Cellular](policy-csp-cellular.md) -- [CloudDesktop](policy-csp-clouddesktop.md) - [CloudPC](policy-csp-cloudpc.md) - [Connectivity](policy-csp-connectivity.md) - [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index d736b16a60..6d510df4ba 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -1,188 +1,251 @@ --- -title: Policy CSP - SmartScreen -description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store. +title: SmartScreen Policy CSP +description: Learn more about the SmartScreen Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - SmartScreen + + + -
+ +## EnableAppInstallControl - -## SmartScreen policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
-
- SmartScreen/EnableAppInstallControl -
-
- SmartScreen/EnableSmartScreenInShell -
-
- SmartScreen/PreventOverrideForFilesInShell -
-
+ +```Device +./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl +``` + + + +App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. -
+If you enable this setting, you must choose from the following behaviors: - -**SmartScreen/EnableAppInstallControl** +- Turn off app recommendations - +- Show me app recommendations -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- Warn me before installing apps from outside the Store - -
+- Allow apps from Store only - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet. + -> [!div class = "checklist"] -> * Device + + +> [!NOTE] +> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled. +> +> This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. + -
+ +**Description framework properties**: - - -Allows IT Admins to control whether users are allowed to install apps from places other than the Store. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!Note] -> This policy will block installation only while the device is online. To block offline installation too, **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** policies should also be enabled.

This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Configure App Install Control* -- GP name: *ConfigureAppInstallControl* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. | +| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. -- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. +| Name | Value | +|:--|:--| +| Name | ConfigureAppInstallControl | +| Friendly Name | Configure App Install Control | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\SmartScreen | +| Registry Value Name | ConfigureAppInstallControlEnabled | +| ADMX File Name | SmartScreen.admx | + - - + + + -


+ - -**SmartScreen/EnableSmartScreenInShell** + +## EnableSmartScreenInShell - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell +``` + - -
+ + +This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. -> [!div class = "checklist"] -> * Device +If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: -
+• Warn and prevent bypass +• Warn - - -Allows IT Admins to configure SmartScreen for Windows. +If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. - - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *ShellConfigureSmartScreen* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* +If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. - - -The following list shows the supported values: +If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. -- 0 – Turns off SmartScreen in Windows. -- 1 – Turns on SmartScreen in Windows. +If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. + - - + + + -
+ +**Description framework properties**: - -**SmartScreen/PreventOverrideForFilesInShell** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -
+ +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | ShellConfigureSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableSmartScreen | +| ADMX File Name | SmartScreen.admx | + -> [!div class = "checklist"] -> * Device + + + -
+ - - + +## PreventOverrideForFilesInShell + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell +``` + + + + Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. + - - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *ShellConfigureSmartScreen* -- GP element: *ShellConfigureSmartScreen_Dropdown* -- GP path: *Windows Components/Windows Defender SmartScreen/Explorer* -- GP ADMX file name: *SmartScreen.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Employees can ignore SmartScreen warnings and run malicious files. -- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -
+ +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Do not prevent override. | +| 1 | Prevent override. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellConfigureSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Element Name | Pick one of the following settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | SmartScreen.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 939f3e2ac9..2a3fa4504c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,1615 +1,2127 @@ --- -title: Policy CSP - System -description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update. +title: System Policy CSP +description: Learn more about the System Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 08/26/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - System -
+> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## System policies + + + -
-
- System/AllowBuildPreview -
-
- System/AllowCommercialDataPipeline -
-
- System/AllowDesktopAnalyticsProcessing -
-
- System/AllowDeviceNameInDiagnosticData -
-
- System/AllowEmbeddedMode -
-
- System/AllowExperimentation -
-
- System/AllowFontProviders -
-
- System/AllowLocation -
-
- System/AllowMicrosoftManagedDesktopProcessing -
-
- System/AllowStorageCard -
-
- System/AllowTelemetry -
-
- System/AllowUpdateComplianceProcessing -
-
- System/AllowUserToResetPhone -
-
- System/AllowWUfBCloudProcessing -
-
- System/BootStartDriverInitialization -
-
- System/ConfigureMicrosoft365UploadEndpoint -
-
- System/ConfigureTelemetryOptInChangeNotification -
-
- System/ConfigureTelemetryOptInSettingsUx -
-
- System/DisableDeviceDelete -
-
- System/DisableDiagnosticDataViewer -
-
- System/DisableEnterpriseAuthProxy -
-
- System/DisableOneDriveFileSync -
-
- System/DisableSystemRestore -
-
- System/FeedbackHubAlwaysSaveDiagnosticsLocally -
-
- System/LimitDiagnosticLogCollection -
-
- System/LimitDumpCollection -
-
- System/LimitEnhancedDiagnosticDataWindowsAnalytics -
-
- System/TelemetryProxy -
-
- System/TurnOffFileHistory -
-
+ +## AllowBuildPreview + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowBuildPreview +``` + - -**System/AllowBuildPreview** + + +This policy setting determines whether users can get preview builds of Windows, by configuring controls in Settings > Update and security > Windows Insider Program. - -The table below shows the applicability of Windows: +If you enable or do not configure this policy setting, users can download and install preview builds of Windows by configuring Windows Insider Program settings. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, Windows Insider Program settings will be unavailable to users through the Settings app. - -
+This policy is only supported up to Windows 10, Version 1703. Please use 'Manage preview builds' under 'Windows Update for Business' for newer Windows 10 versions. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + - - + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. | +| 1 | Allowed. Users can make their devices available for downloading and installing preview software. | +| 2 (Default) | Not configured. Users can make their devices available for downloading and installing preview software. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowBuildPreview | +| Friendly Name | Toggle user control over Insider builds | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\PreviewBuilds | +| Registry Value Name | AllowBuildPreview | +| ADMX File Name | AllowBuildPreview.admx | + + + + + + + + + +## AllowCommercialDataPipeline + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline +``` + + + + +AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . +To enable this behavior: +1. Enable this policy setting +2. Join an Azure Active Directory account to the device + +Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting does not change the Windows diagnostic data collection level set for the device +If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing”. +See the documentation at for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. + + + + > [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. +> Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. + -This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +**Description framework properties**: -If you enable or don't configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Toggle user control over Insider builds* -- GP name: *AllowBuildPreview* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *AllowBuildPreview.admx* + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AllowCommercialDataPipeline | +| Friendly Name | Allow commercial data pipeline | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + -
+ + + - -**System/AllowCommercialDataPipeline** + - -The table below shows the applicability of Windows: + +## AllowDesktopAnalyticsProcessing -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowDesktopAnalyticsProcessing +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting configures an Azure Active Directory-joined device, so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). - -To enable this behavior, you must complete two steps: - - 1. Enable this policy setting. - 2. Join an Azure Active Directory account to the device. - -Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above. - -If you disable or don't configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft’s [privacy statement](https://go.microsoft.com/fwlink/?LinkId=521839) unless you have enabled policies like Allow Update Compliance Processing or Allow Desktop Analytics Processing. - -Configuring this setting doesn't change the Windows diagnostic data collection level set for the device or the operation of optional analytics processor services like Desktop Analytics and Update Compliance. - -See the documentation at [ConfigureWDD](https://aka.ms/ConfigureWDD) for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. - - - -ADMX Info: -- GP Friendly name: *Allow commercial data pipeline* -- GP name: *AllowCommercialDataPipeline* -- GP element: *AllowCommercialDataPipeline* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: - -- 0 (default) - Disabled. -- 1 - Enabled. - - - - - - - - - - -
- - -**System/AllowDesktopAnalyticsProcessing** - - - - -This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). - -To enable this behavior, you must complete three steps: - - 1. Enable this policy setting. - 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. - 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. - -This setting has no effect on devices, unless they're properly enrolled in Desktop Analytics. + + +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at . +To enable this behavior: +1. Enable this policy setting +2. Join an Azure Active Directory account to the device +3. Set Allow Telemetry to value 1 - Required, or higher +4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. +This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. If you disable this policy setting, devices will not appear in Desktop Analytics. + -If you disable or don't configure this policy setting, devices won't appear in Desktop Analytics. + + + -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disabled. -- 2 – Allowed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 2 | Allowed. | + -
+ +**Group policy mapping**: - -**System/AllowDeviceNameInDiagnosticData** +| Name | Value | +|:--|:--| +| Name | AllowDesktopAnalyticsProcessing | +| Friendly Name | Allow Desktop Analytics Processing | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## AllowDeviceNameInDiagnosticData - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData +``` + -
+ + +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. - - -This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data. +If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + - - -ADMX Info: -- GP Friendly name: *Allow device name to be sent in Windows diagnostic data* -- GP name: *AllowDeviceNameInDiagnosticData* -- GP element: *AllowDeviceNameInDiagnosticData* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disabled. -- 1 – Allowed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Allowed. | + - - + +**Group policy mapping**: -
+| Name | Value | +|:--|:--| +| Name | AllowDeviceNameInDiagnosticData | +| Friendly Name | Allow device name to be sent in Windows diagnostic data | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + - -**System/AllowEmbeddedMode** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowEmbeddedMode - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowEmbeddedMode +``` + -> [!div class = "checklist"] -> * Device + + +Specifies whether set general purpose device to be in embedded mode. Most restricted value is 0. + -
+ + + - - -Specifies whether set general purpose device to be in embedded mode. + +**Description framework properties**: -Most restricted value is 0. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 (default) – Not allowed. -- 1 – Allowed. +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + - - + + + -
+ - -**System/AllowExperimentation** + +## AllowExperimentation - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowExperimentation +``` + - -
+ + +NoteThis policy is not supported in Windows 10, version 1607. This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. Most restricted value is 0. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -> [!NOTE] -> This policy isn't supported in Windows 10, version 1607. + +**Allowed values**: -This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Permits Microsoft to configure device settings only. | +| 2 | Allows Microsoft to conduct full experimentation. | + -Most restricted value is 0. + + + - - -The following list shows the supported values: + -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentation. + +## AllowFontProviders - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowFontProviders +``` + - -**System/AllowFontProviders** + + +This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. - -The table below shows the applicability of Windows: +If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows doesn't connect to an online font provider and only enumerates locally installed fonts. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + + + This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value isn't set by default, so the default behavior is true (enabled). This setting is used by lower-level components for text display and fond handling and hasn't direct effect on web browsers, which may download web fonts used in web content. > [!NOTE] > Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + - - -ADMX Info: -- GP Friendly name: *Enable Font Providers* -- GP name: *EnableFontProviders* -- GP path: *Network/Fonts* -- GP ADMX file name: *GroupPolicy.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 - false - No traffic to fs.microsoft.com, and only locally installed fonts are available. -- 1 - true (default) - There may be network traffic to fs.microsoft.com, and downloadable fonts are available to apps that support them. + +**Allowed values**: - - -To verify if System/AllowFontProviders is set to true: +| Value | Description | +|:--|:--| +| 0 | Not allowed. No traffic to fs.microsoft.com and only locally installed fonts are available. | +| 1 (Default) | Allowed. There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. | + -- After a client machine is rebooted, check whether there's any network traffic from client machine to fs.microsoft.com. + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | EnableFontProviders | +| Friendly Name | Enable Font Providers | +| Location | Computer Configuration | +| Path | Network > Fonts | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableFontProviders | +| ADMX File Name | GroupPolicy.admx | + -
+ + + - -**System/AllowLocation** + - -The table below shows the applicability of Windows: + +## AllowLocation -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowLocation +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies whether to allow app access to the Location service. Most restricted value is 0. While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. For example, an app's original Location setting is Off. The administrator then sets the AllowLocation policy to 2 (Force Location On. ) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the AllowLocation policy back to 1 (User Control), the app will revert to using its original setting of Off. + -> [!div class = "checklist"] -> * Device + + + -
+ +**Description framework properties**: - - -Specifies whether to allow app access to the Location service. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Most restricted value is 0. + +**Allowed values**: -While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. +| Value | Description | +|:--|:--| +| 0 | Force Location Off. All Location Privacy settings are toggled off and grayed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. | +| 1 (Default) | Location service is allowed. The user has control and can change Location Privacy settings on or off. | +| 2 | Force Location On. All Location Privacy settings are toggled on and grayed out. Users cannot change the settings and all consent permissions will be automatically suppressed. | + -When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +**Group policy mapping**: -For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. +| Name | Value | +|:--|:--| +| Name | DisableLocation_2 | +| Friendly Name | Turn off location | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocation | +| ADMX File Name | Sensors.admx | + - - -ADMX Info: -- GP Friendly name: *Turn off location* -- GP name: *DisableLocation_2* -- GP path: *Windows Components/Location and Sensors* -- GP ADMX file name: *Sensors.admx* + + + - - -The following list shows the supported values: + -- 0 – Force Location Off. All Location Privacy settings are toggled off and grayed out. Users can't change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and grayed out. Users can't change the settings and all consent permissions will be automatically suppressed. + +## AllowMicrosoftManagedDesktopProcessing - - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**System/AllowMicrosoftManagedDesktopProcessing** + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowMicrosoftManagedDesktopProcessing +``` + - - + + +This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows. This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See for more information. hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. + -This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data. + + + -For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data). + +**Description framework properties**: -This setting has no effect on devices, unless they're properly enrolled in Microsoft Managed Desktop. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 32 | Allowed. | + + + + + + + + + +## AllowStorageCard + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowStorageCard +``` + + + + +Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. | +| 1 (Default) | Allow a storage card. | + + + + + + + + + +## AllowTelemetry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/System/AllowTelemetry +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry +``` + + + + +By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and does not apply to any additional apps installed by your organization. + +- Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. +- Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the "Optional diagnostic data" control in the Settings app. +- Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent. + +If you disable or do not configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app. + +Note: +The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. +Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. | +| 1 (Default) | Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. | +| 3 | Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowTelemetry | +| Friendly Name | Allow Diagnostic Data | +| Location | Computer and User Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## AllowUpdateComplianceProcessing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing +``` + + + + +This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . +To enable this behavior: +1. Enable this policy setting +2. Join an Azure Active Directory account to the device +3. Set Allow Telemetry to value 1 - Required, or higher +4. Set the Configure the Commercial ID setting for your Update Compliance workspace When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. +If you disable or do not configure this policy setting, devices will not appear in Update Compliance. + -If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. + + + ->[!IMPORTANT] -> You should not disable or make changes to this policy as that will severely impact the ability of Microsoft Managed Desktop to manage the devices. + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**System/AllowStorageCard** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 16 | Enabled. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
+| Name | Value | +|:--|:--| +| Name | AllowUpdateComplianceProcessing | +| Friendly Name | Allow Update Compliance Processing | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ +## AllowUserToResetPhone - - -Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -Most restricted value is 0. + +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowUserToResetPhone +``` + - - -The following list shows the supported values: + + +Specifies whether to allow the user to factory reset the device by using control panel and hardware key combination. Most restricted value is 0. Tip, This policy is also applicable to Windows 10 and not exclusive to phone. + -- 0 – SD card use isn't allowed, and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -**System/AllowTelemetry** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed to reset to factory default settings. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowWUfBCloudProcessing -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing +``` + - - -Allows the device to send diagnostic and usage telemetry data, such as Watson. - -For more information about diagnostic data, including what is and what isn't collected by Windows, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). - -The following list shows the supported values for Windows 8.1: -- 0 - Not allowed. -- 1 – Allowed, except for Secondary Data Requests. -- 2 (default) – Allowed. - -In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. - -The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): - -- 0 – **Off (Security)** This value turns Windows diagnostic data off. - - > [!NOTE] - > This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. - -- 1 – **Required (Basic)** Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. - -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus extra insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. - - > [!NOTE] - > **Enhanced** is no longer an option for Windows Holographic, version 21H1. - -- 3 – **Optional (Full)** Sends the same data as a value of 2, plus extra data necessary to identify and fix problems with devices such as enhanced error logs. - -Most restrictive value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow Telemetry* -- GP name: *AllowTelemetry* -- GP element: *AllowTelemetry* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/AllowUpdateComplianceProcessing** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID policy settings, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). - -To enable this behavior, you must complete three steps: - - 1. Enable this policy setting. - 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. - 3. Set the Configure the Commercial ID setting for your Update Compliance workspace. + + +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . +To enable this behavior: +1. Enable this policy setting +2. Join an Azure Active Directory account to the device +3. Set Allow Telemetry to value 1 - Required, or higher When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. +If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features. + -If you disable or don't configure this policy setting, devices won't appear in Update Compliance. + + + - - -ADMX Info: -- GP Friendly name: *Allow Update Compliance Processing* -- GP name: *AllowUpdateComplianceProcessing* -- GP element: *AllowUpdateComplianceProcessing* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 - Disabled. -- 16 - Enabled. - - + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 8 | Enabled. | + -
+ +**Group policy mapping**: - -**System/AllowUserToResetPhone** +| Name | Value | +|:--|:--| +| Name | AllowWUfBCloudProcessing | +| Friendly Name | Allow WUfB Cloud Processing | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## BootStartDriverInitialization - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization +``` + -
- - - -Specifies whether to allow the user to factory reset the device by using control panel and hardware key combination. - -Most restricted value is 0. - -> [!TIP] -> This policy is also applicable to Windows 10 and not exclusive to phone. - - -The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - - - -
- - -**System/AllowWUfBCloudProcessing** - -
- - - - -This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). - -To enable this behavior, you must complete three steps: - - 1. Enable this policy setting. - 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. - 3. Join an Azure Active Directory account to the device. - -When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. - -If you disable or don't configure this policy setting, devices enrolled to the Windows Update for Business deployment service won't be able to take advantage of some deployment service features. - -
- - - -The following list shows the supported values: - -- 0 - Disabled. -- 8 - Enabled. - - - - -**System/BootStartDriverInitialization** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -- Good: The driver has been signed and hasn't been tampered with. -- Bad: The driver has been identified as malware. It's recommended that you don't allow known bad drivers to be initialized. -- Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver. -- Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver. +- Good: The driver has been signed and has not been tampered with. +- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. +- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. -If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize next time the computer is started. +If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. -If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown, or Bad, but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. +If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. -If your malware detection application doesn't include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. +If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. + - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + - -ADMX Info: -- GP Friendly name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
+ +**ADMX mapping**: - -**System/ConfigureMicrosoft365UploadEndpoint** +| Name | Value | +|:--|:--| +| Name | POL_DriverLoadPolicy_Name | +| Friendly Name | Boot-Start Driver Initialization Policy | +| Location | Computer Configuration | +| Path | System > Early Launch Antimalware | +| Registry Key Name | System\CurrentControlSet\Policies\EarlyLaunch | +| Registry Value Name | DriverLoadPolicy | +| ADMX File Name | EarlyLaunchAM.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## ConfigureMicrosoft365UploadEndpoint - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/System/ConfigureMicrosoft365UploadEndpoint +``` + -
- - - -This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. + + +This policy sets the upload endpoint for this device’s diagnostic data as part of the Desktop Analytics program. If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. - The value for this setting will be provided by Microsoft as part of the onboarding process for the program. - -Supported value type is string. - - -ADMX Info: -- GP Friendly name: *Configure Microsoft 365 Update Readiness upload endpoint* -- GP name: *ConfigureMicrosoft365UploadEndpoint* -- GP element: *ConfigureMicrosoft365UploadEndpoint* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/ConfigureTelemetryOptInChangeNotification** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting determines whether a device shows notifications about telemetry levels to people on first sign in or when changes occur in Settings.  - -- If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -- If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings. - - - -ADMX Info: -- GP Friendly name: *Configure telemetry opt-in change notifications.* -- GP name: *ConfigureTelemetryOptInChangeNotification* -- GP element: *ConfigureTelemetryOptInChangeNotification* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: -- 0 (default) - Enable telemetry change notifications -- 1 - Disable telemetry change notifications - - - -
- - -**System/ConfigureTelemetryOptInSettingsUx** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. - -If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. - -If you set this policy setting to "Enable Telemetry opt-in Settings" or don't configure this policy setting, people can change their own telemetry levels in Settings. - -> [!Note] -> Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's acceptable level of data disclosure. - - - -ADMX Info: -- GP Friendly name: *Configure telemetry opt-in setting user interface.* -- GP name: *ConfigureTelemetryOptInSettingsUx* -- GP element: *ConfigureTelemetryOptInSettingsUx* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: -- 0 (default) - Enable Telemetry opt-in Settings -- 1 - Disable Telemetry opt-in Settings - - - -
- - -**System/DisableDeviceDelete** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. - -- If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. -- If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. - - - -ADMX Info: -- GP Friendly name: *Disable deleting diagnostic data* -- GP name: *DisableDeviceDelete* -- GP element: *DisableDeviceDelete* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/DisableDiagnosticDataViewer** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. - -- If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. -- If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. - - - -ADMX Info: -- GP Friendly name: *Disable diagnostic data viewer.* -- GP name: *DisableDiagnosticDataViewer* -- GP element: *DisableDiagnosticDataViewer* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/DisableEnterpriseAuthProxy** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy, to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy, to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - -ADMX Info: -- GP Friendly name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* -- GP name: *DisableEnterpriseAuthProxy* -- GP element: *DisableEnterpriseAuthProxy* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/DisableOneDriveFileSync** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users can't access OneDrive from the OneDrive app or file picker. -* Microsoft Store apps can't access OneDrive using the WinRT API. -* OneDrive doesn't appear in the navigation pane in File Explorer. -* OneDrive files aren't kept in sync with the cloud. -* Users can't automatically upload photos and videos from the camera roll folder. - -If you disable or don't configure this policy setting, apps and features can work with OneDrive file storage. - - - -ADMX Info: -- GP Friendly name: *Prevent the usage of OneDrive for file storage* -- GP name: *PreventOnedriveFileSync* -- GP path: *Windows Components/OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe isn't running in Task Manager. - - - - -
- - -**System/DisableSystemRestore** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureMicrosoft365UploadEndpoint | +| Friendly Name | Configure diagnostic data upload endpoint for Desktop Analytics | +| Element Name | Desktop Analytics Custom Upload Endpoint | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## ConfigureTelemetryOptInChangeNotification + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification +``` + + + + +This policy setting controls whether notifications are shown, following a change to diagnostic data opt-in settings, on first logon and when the changes occur in settings. + +If you set this policy setting to "Disable diagnostic data change notifications", diagnostic data opt-in change notifications will not appear. + +If you set this policy setting to "Enable diagnostic data change notifications" or don't configure this policy setting, diagnostic data opt-in change notifications appear at first logon and when the changes occur in Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable telemetry change notifications. | +| 1 | Disable telemetry change notifications. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureTelemetryOptInChangeNotification | +| Friendly Name | Configure diagnostic data opt-in change notifications | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## ConfigureTelemetryOptInSettingsUx + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx +``` + + + + +This policy setting determines whether an end user can change diagnostic data settings in the Settings app. + +If you set this policy setting to "Disable diagnostic data opt-in settings", diagnostic data settings are disabled in the Settings app. + +If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app. + +Note: +To set a limit on the amount of diagnostic data that is sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable Telemetry opt-in Settings. | +| 1 | Disable Telemetry opt-in Settings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureTelemetryOptInSettingsUx | +| Friendly Name | Configure diagnostic data opt-in settings user interface | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## DisableDeviceDelete + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableDeviceDelete +``` + + + + +This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & feedback Settings page. + +If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. + +If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not disabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDeviceDelete | +| Friendly Name | Disable deleting diagnostic data | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## DisableDiagnosticDataViewer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableDiagnosticDataViewer +``` + + + + +This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & feedback Settings page. + +If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. + +If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not disabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDiagnosticDataViewer | +| Friendly Name | Disable diagnostic data viewer | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## DisableDirectXDatabaseUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableDirectXDatabaseUpdate +``` + + + + +This group policy allows control over whether the DirectX Database Updater task will be run on the system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not disabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDirectXDatabaseUpdate | +| Path | GroupPolicy > AT > Network > DirectXDatabase | + + + + + + + + + +## DisableEnterpriseAuthProxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableEnterpriseAuthProxy +``` + + + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableEnterpriseAuthProxy | +| Friendly Name | Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## DisableOneDriveFileSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableOneDriveFileSync +``` + + + + +This policy setting lets you prevent apps and features from working with files on OneDrive. +If you enable this policy setting: + +* Users can’t access OneDrive from the OneDrive app and file picker. +* Windows Store apps can’t access OneDrive using the WinRT API. +* OneDrive doesn’t appear in the navigation pane in File Explorer. +* OneDrive files aren’t kept in sync with the cloud. +* Users can’t automatically upload photos and videos from the camera roll folder. + +If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Sync enabled. | +| 1 | Sync disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventOnedriveFileSync | +| Friendly Name | Prevent the usage of OneDrive for file storage | +| Location | Computer Configuration | +| Path | Windows Components > OneDrive | +| Registry Key Name | Software\Policies\Microsoft\Windows\OneDrive | +| Registry Value Name | DisableFileSyncNGSC | +| ADMX File Name | SkyDrive.admx | + + + + + + + + + +## DisableOneSettingsDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableOneSettingsDownloads +``` + + + + +This policy setting controls whether Windows attempts to connect with the OneSettings service. + +If you enable this policy, Windows will not attempt to connect with the OneSettings Service. + +If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the OneSettings service to download configuration settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not disabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableOneSettingsDownloads | +| Friendly Name | Disable OneSettings Downloads | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## DisableSystemRestore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/DisableSystemRestore +``` + + + + Allows you to disable System Restore. This policy setting allows you to turn off System Restore. -System Restore enables users, in case of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. -If you enable this policy setting, System Restore is turned off, then System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. -If you disable or don't configure this policy setting, users can perform System Restore, and configure System Restore settings through System Protection. +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP Friendly name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -
- - -**System/FeedbackHubAlwaysSaveDiagnosticsLocally** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -When feedback in the Feedback Hub is being filed, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. - - - -The following list shows the supported values: - -- 0 (default) - False. The Feedback Hub won't always save a local copy of diagnostics that may be created when feedback is submitted. The user will have the option to do so. -- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when feedback is submitted. - - - - -
- - -**System/LimitDiagnosticLogCollection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection. - -If you disable or don't configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data. - - - -ADMX Info: -- GP Friendly name: *Limit Diagnostic Log Collection* -- GP name: *LimitDiagnosticLogCollection* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: - -- 0 – Disabled -- 1 – Enabled - - - - -
- - -**System/LimitDumpCollection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data. - -With this policy setting being enabled, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only. - -If you disable or don't configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data. - - - -ADMX Info: -- GP Friendly name: *Limit Dump Collection* -- GP name: *LimitDumpCollection* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -The following list shows the supported values: - -- 0 – Disabled -- 1 – Enabled - - - -
- - -**System/LimitEnhancedDiagnosticDataWindowsAnalytics** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. - -To enable this behavior, you must complete two steps: - - 1. Enable this policy setting. - - 2. Set the **AllowTelemetry** level: - - - For Windows 10 version 1809 and older: set **AllowTelemetry** to Enhanced. - - > [!NOTE] - > **Enhanced** is no longer an option for Windows Holographic, version 21H1. - - - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full). - -When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. - -Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. - -If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. - - - -ADMX Info: -- GP Friendly name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* -- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/TelemetryProxy** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there's no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data won't be transmitted and will remain on the local device. - -If you disable or don't configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - -ADMX Info: -- GP Friendly name: *Configure Connected User Experiences and Telemetry* -- GP name: *TelemetryProxy* -- GP element: *TelemetryProxyName* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/TurnOffFileHistory** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SR_DisableSR | +| Friendly Name | Turn off System Restore | +| Location | Computer Configuration | +| Path | System > System Restore | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SystemRestore | +| Registry Value Name | DisableSR | +| ADMX File Name | SystemRestore.admx | + + + + + + + + + +## EnableOneSettingsAuditing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/EnableOneSettingsAuditing +``` + + + + +This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog. + +If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel. + +If you disable or don't configure this policy setting, Windows will not record attempts to connect with the OneSettings service to the EventLog. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableOneSettingsAuditing | +| Friendly Name | Enable OneSettings Auditing | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## FeedbackHubAlwaysSaveDiagnosticsLocally + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/FeedbackHubAlwaysSaveDiagnosticsLocally +``` + + + + +Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. | +| 1 | True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. | + + + + + + + + + +## HideUnsupportedHardwareNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/HideUnsupportedHardwareNotifications +``` + + + + +This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version. + +If you enable this policy setting, these messages will never appear on desktop or in the Settings app. + +If you disable or do not configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that does not meet the minimum system requirements for this OS version. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideUnsupportedHardwareNotifications | +| Friendly Name | Hide messages when Windows system requirements are not met | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideUnsupportedHardwareNotifications | +| ADMX File Name | ControlPanel.admx | + + + + + + + + + +## LimitDiagnosticLogCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection +``` + + + + +This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. + +By enabling this policy setting, diagnostic logs will not be collected. + +If you disable or do not configure this policy setting, we may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LimitDiagnosticLogCollection | +| Friendly Name | Limit Diagnostic Log Collection | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## LimitDumpCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection +``` + + + + +This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data. + +By enabling this setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps. + +If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LimitDumpCollection | +| Friendly Name | Limit Dump Collection | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## LimitEnhancedDiagnosticDataWindowsAnalytics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics +``` + + + + +This policy setting, in combination with the "Allow Diagnostic Data" policy setting, enables organizations to send the minimum data required by Desktop Analytics. + +To enable the behavior described above, complete the following steps: +1. Enable this policy setting +2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data" +3. Enable the "Limit Dump Collection" policy +4. Enable the "Limit Diagnostic Log Collection" policy + +When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at . + +If you disable or do not configure this policy setting, diagnostic data collection is determined by the "Allow Diagnostic Data" policy setting or by the end user from the Settings app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LimitEnhancedDiagnosticDataWindowsAnalytics | +| Friendly Name | Limit optional diagnostic data for Desktop Analytics | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## TelemetryProxy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/TelemetryProxy +``` + + + + +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is ``:``. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | TelemetryProxy | +| Friendly Name | Configure Connected User Experiences and Telemetry | +| Element Name | Proxy Server Name | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + + + + + + + + + +## TurnOffFileHistory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/System/TurnOffFileHistory +``` + + + + This policy setting allows you to turn off File History. -If you enable this policy setting, File History can't be activated to create regular, automatic backups. +If you enable this policy setting, File History cannot be activated to create regular, automatic backups. -If you disable or don't configure this policy setting, File History can be activated to create regular, automatic backups. +If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. + - - -ADMX Info: -- GP Friendly name: *Turn off File History* -- GP name: *DisableFileHistory* -- GP path: *Windows Components/File History* -- GP ADMX file name: *FileHistory.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- false (default) - allow File History -- true - turn off File History - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - -
+| Value | Description | +|:--|:--| +| 0 (Default) | Allow file history. | +| 1 | Turn off file history. | + - + +**Group policy mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DisableFileHistory | +| Friendly Name | Turn off File History | +| Location | Computer Configuration | +| Path | Windows Components > File History | +| Registry Key Name | Software\Policies\Microsoft\Windows\FileHistory | +| Registry Value Name | Disabled | +| ADMX File Name | FileHistory.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 22fbd1c4fc..ce26e2a58d 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -1,103 +1,119 @@ --- -title: Policy CSP - Troubleshooting -description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains. +title: Troubleshooting Policy CSP +description: Learn more about the Troubleshooting Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.topic: reference --- + + + # Policy CSP - Troubleshooting -
+ + + - -## Troubleshooting policies + +## AllowRecommendations -
-
- Troubleshooting/AllowRecommendations -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Troubleshooting/AllowRecommendations +``` + -
+ + +This policy setting configures how troubleshooting for known problems can be applied on the device and lets administrators configure how it's applied to their domains/IT environments. - -**Troubleshooting/AllowRecommendations** +Not configuring this policy setting will allow the user to configure how troubleshooting is applied. - -The table below shows the applicability of Windows: +Enabling this policy allows you to configure how troubleshooting is applied on the user's device. You can select from one of the following values: +0 = Do not allow users, system features, or Microsoft to apply troubleshooting. +1 = Only automatically apply troubleshooting for critical problems by system features and Microsoft. +2 = Automatically apply troubleshooting for critical problems by system features and Microsoft. Notify users when troubleshooting for other problems is available and allow users to choose to apply or ignore. +3 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Notify users when troubleshooting has solved a problem. +4 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. +5 = Allow the user to choose their own troubleshooting settings. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +After setting this policy, you can use the following instructions to check devices in your domain for available troubleshooting from Microsoft: +1. Create a bat script with the following contents: +rem The following batch script triggers Recommended Troubleshooting +schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" - -
+2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. +3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). +4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. +5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. +6. Configure the task to deploy to your domain. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -This policy setting allows IT admins to configure, how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments. + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Troubleshooting: Allow users to access recommended troubleshooting for known problems* -- GP name: *TroubleshootingAllowRecommendations* -- GP path: *Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* +| Value | Description | +|:--|:--| +| 0 | Off - Do not allow users, system features, or Microsoft to apply troubleshooting. | +| 1 (Default) | Critical - Automatically apply troubleshooting for critical problems detected by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. | +| 2 | Prompt - Automatically apply troubleshooting for critical problems detected by system features and Microsoft. Prompt users when troubleshooting for other problems is available and allow the user to choose to apply or ignore. | +| 3 | Notify - Automatically apply troubleshooting for critical and other problems detected by system features and Microsoft. Notify users when troubleshooting has solved a problem. | +| 4 | Silent - Automatically apply troubleshooting for critical and other problems detected by system features and Microsoft. Do not notify users when troubleshooting has solved a problem. | +| 5 | Configurable - Allow the user to choose their own troubleshooting settings. | + - - -This setting is a numeric policy setting with merge algorithm (lowest value is the most secure) that uses the most restrictive settings for complex manageability scenarios. + +**Group policy mapping**: -Supported values: -- 0 (default) - Turn off this feature. -- 1 - Turn off this feature but still apply critical troubleshooting. -- 2 - Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -- 3 - Run recommended troubleshooting automatically and notify the user after it ran successfully. -- 4 - Run recommended troubleshooting automatically without notifying the user. -- 5 - Allow the user to choose their own recommended troubleshooting settings. +| Name | Value | +|:--|:--| +| Name | TroubleshootingAllowRecommendations | +| Friendly Name | Troubleshooting: Allow users to access recommended troubleshooting for known problems | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | Software\Policies\Microsoft\Windows\Troubleshooting\AllowRecommendations | +| Registry Value Name | TroubleshootingAllowRecommendations | +| ADMX File Name | MSDT.admx | + -By default, this policy isn't configured and the SKU based defaults are used for managed devices. Current policy values for SKUs are as follows: + + + -|SKU|Unmanaged Default|Managed Default| -|--- |--- |--- | -|Home|Prompt (OOBE)|Off| -|Pro|Prompt (OOBE)|Off| -|Education|On (auto)|Off| -|Enterprise|Off|Off| -|Government|Off|Off| + - - + + + - - + - - -
+## Related articles - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index f189fb67c0..557daee705 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/30/2022 +ms.date: 12/07/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,6 +36,7 @@ ms.topic: reference + Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. **Note**: The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). @@ -59,7 +60,7 @@ Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range o | Name | Value | |:--|:--| -| Name | ActiveHours_Title | +| Name | ActiveHours | | Friendly Name | Turn off auto-restart for updates during active hours | | Element Name | End | | Location | Computer Configuration | @@ -90,6 +91,7 @@ Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range o + Enable this policy to specify the maximum number of hours from the start time that users can set their active hours. The max active hours range can be set between 8 and 18 hours. @@ -117,7 +119,7 @@ If you disable or do not configure this policy, the default max active hours ran | Name | Value | |:--|:--| -| Name | ActiveHoursMaxRange_Title | +| Name | ActiveHoursMaxRange | | Friendly Name | Specify active hours range for auto-restarts | | Element Name | Max range | | Location | Computer Configuration | @@ -148,6 +150,7 @@ If you disable or do not configure this policy, the default max active hours ran + Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. **Note**: The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). @@ -171,7 +174,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of | Name | Value | |:--|:--| -| Name | ActiveHours_Title | +| Name | ActiveHours | | Friendly Name | Turn off auto-restart for updates during active hours | | Element Name | Start | | Location | Computer Configuration | @@ -202,6 +205,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of + Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Supported operations are Get and Replace. **Important**: This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). @@ -268,6 +272,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and + Enabling this policy will automatically download updates, even over metered data connections (charges may apply) @@ -302,7 +307,7 @@ This policy is accessible through the Update setting in the user interface or Gr | Name | Value | |:--|:--| -| Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork_Title | +| Name | AllowAutoWindowsUpdateDownloadOverMeteredNetwork | | Friendly Name | Allow updates to be downloaded automatically over metered connections | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage end user experience | @@ -333,6 +338,7 @@ This policy is accessible through the Update setting in the user interface or Gr + Allows the IT admin to manage whether to scan for app updates from Microsoft Update. @@ -402,6 +408,7 @@ Allows the IT admin to manage whether to scan for app updates from Microsoft Upd + Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. Supported operations are Get and Replace. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. @@ -450,6 +457,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b + Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. **Note**: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. @@ -511,6 +519,7 @@ Specifies whether the device could use Microsoft Update, Windows Server Update S + This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. @@ -548,7 +557,7 @@ If you disable or do not configure this policy setting, the wake setting as spec | Name | Value | |:--|:--| -| Name | WakeUp | +| Name | WakeUpPolicy | | Friendly Name | Automatic Maintenance WakeUp Policy | | Location | Computer Configuration | | Path | Windows Components > Maintenance Scheduler | @@ -579,6 +588,7 @@ If you disable or do not configure this policy setting, the wake setting as spec + Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date. The restart may happen inside active hours. @@ -610,7 +620,7 @@ Enabling either of the following two policies will override the above policy: | Name | Value | |:--|:--| -| Name | AutoRestartDeadline_Title | +| Name | AutoRestartDeadline | | Friendly Name | Specify deadline before auto-restart for update installation | | Element Name | Quality Updates (days) | | Location | Computer Configuration | @@ -641,6 +651,7 @@ Enabling either of the following two policies will override the above policy: + For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Value type is integer. Default is 7 days. Supported values range: 2-30. **Note** that the PC must restart for certain updates to take effect. If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. If you disable or do not configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installations. Always automatically restart at scheduled time. @@ -664,7 +675,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic | Name | Value | |:--|:--| -| Name | AutoRestartDeadline_Title | +| Name | AutoRestartDeadline | | Friendly Name | Specify deadline before auto-restart for update installation | | Element Name | Feature Updates (days) | | Location | Computer Configuration | @@ -695,6 +706,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic + Allows the IT Admin to specify the period for auto-restart reminder notifications. The default value is 15 (minutes). @@ -729,7 +741,7 @@ Allows the IT Admin to specify the period for auto-restart reminder notification | Name | Value | |:--|:--| -| Name | AutoRestartNotificationConfig_Title | +| Name | AutoRestartNotificationConfig | | Friendly Name | Configure auto-restart reminder notifications for updates | | Element Name | Period (min) | | Location | Computer Configuration | @@ -760,6 +772,7 @@ Allows the IT Admin to specify the period for auto-restart reminder notification + Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is required to install updates, the auto-restart required notification is displayed. By default, the notification is automatically dismissed after 25 seconds. The method can be set to require user action to dismiss the notification. @@ -795,7 +808,7 @@ If you disable or do not configure this policy, the default method will be used. | Name | Value | |:--|:--| -| Name | AutoRestartRequiredNotificationDismissal_Title | +| Name | AutoRestartRequiredNotificationDismissal | | Friendly Name | Configure auto-restart required notification for updates | | Element Name | Method | | Location | Computer Configuration | @@ -826,6 +839,7 @@ If you disable or do not configure this policy, the default method will be used. + Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. @@ -861,7 +875,7 @@ Allows the IT admin to set which branch a device receives their updates from. As | Name | Value | |:--|:--| -| Name | DeferFeatureUpdates_Title | +| Name | DeferFeatureUpdates | | Friendly Name | Select when Preview Builds and Feature Updates are received | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage updates offered from Windows Update | @@ -891,6 +905,7 @@ Allows the IT admin to set which branch a device receives their updates from. As + Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. @@ -941,6 +956,7 @@ Number of days before feature updates are installed on devices automatically reg + Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. @@ -991,6 +1007,7 @@ Number of days before quality updates are installed on devices automatically reg + Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect. @@ -1041,6 +1058,7 @@ Minimum number of days from update installation until restarts occur automatical + Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect. @@ -1091,6 +1109,7 @@ Minimum number of days from update installation until restarts occur automatical + When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured. @@ -1149,6 +1168,7 @@ When enabled, devices will not automatically restart outside of active hours unt + When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. @@ -1207,6 +1227,7 @@ When enabled, devices will not automatically restart outside of active hours unt + When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. @@ -1265,6 +1286,7 @@ When enabled, devices will not automatically restart outside of active hours unt + Enable enterprises/IT admin to configure feature update uninstall period @@ -1305,7 +1327,8 @@ Enable enterprises/IT admin to configure feature update uninstall period -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days. **Important**: The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days. **Important**: The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. @@ -1328,7 +1351,7 @@ Since this policy is not blocked, you will not get a failure message when you us | Name | Value | |:--|:--| -| Name | DeferFeatureUpdates_Title | +| Name | DeferFeatureUpdates | | Friendly Name | Select when Preview Builds and Feature Updates are received | | Element Name | How many days after a Feature Update is released would you like to defer the update before it is offered to the device? | | Location | Computer Configuration | @@ -1359,6 +1382,7 @@ Since this policy is not blocked, you will not get a failure message when you us + Defers Quality Updates for the specified number of days. Supported values are 0-30. @@ -1382,7 +1406,7 @@ Defers Quality Updates for the specified number of days. Supported values are 0- | Name | Value | |:--|:--| -| Name | DeferQualityUpdates_Title | +| Name | DeferQualityUpdates | | Friendly Name | Select when Quality Updates are received | | Element Name | After a quality update is released, defer receiving it for this many days | | Location | Computer Configuration | @@ -1413,6 +1437,7 @@ Defers Quality Updates for the specified number of days. Supported values are 0- + Note. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:Update/RequireDeferUpgrade must be set to 1System/AllowTelemetry must be set to 1 or higherIf the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. OS upgrade:Maximum deferral: 8 monthsDeferral increment: 1 monthUpdate type/notes:Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5Update:Maximum deferral: 1 monthDeferral increment: 1 weekUpdate type/notes:If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0Other/cannot defer:Maximum deferral: No deferralDeferral increment: No deferralUpdate type/notes:Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B @@ -1463,7 +1488,8 @@ Note. Don't use this policy in Windows 10, version 1607 devices, instead use th -**Note**: Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + +NoteSince this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. @@ -1513,12 +1539,13 @@ Note. Don't use this policy in Windows 10, version 1607 devices, instead use th + Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. -> [!NOTE]> +> [!NOTE] > There is a random variant of 0-4 hours applied to the scan frequency, which cannot be configured. @@ -1569,6 +1596,7 @@ Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + Enable this policy to not allow update deferral policies to cause scans against Windows Update. If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled. @@ -1605,7 +1633,7 @@ Note: This policy applies only when the intranet Microsoft update service this c | Name | Value | |:--|:--| -| Name | DisableDualScan_Title | +| Name | DisableDualScan | | Friendly Name | Do not allow update deferral policies to cause scans against Windows Update | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Legacy Policies | @@ -1626,7 +1654,7 @@ Note: This policy applies only when the intranet Microsoft update service this c | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [17763.1490] and later
:heavy_check_mark: Unknown [18362.1110] and later
:heavy_check_mark: Unknown [18363.1110] and later
:heavy_check_mark: Unknown [19041.546] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later
:heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -1636,7 +1664,8 @@ Note: This policy applies only when the intranet Microsoft update service this c - + +This policy setting specifies that a Windows Update for Business device should skip safeguards. @@ -1684,6 +1713,7 @@ Note: This policy applies only when the intranet Microsoft update service this c + Do not enforce TLS certificate pinning for Windows Update client for detecting updates. @@ -1748,6 +1778,7 @@ Do not enforce TLS certificate pinning for Windows Update client for detecting u + For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. **Note**: If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1771,7 +1802,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic | Name | Value | |:--|:--| -| Name | EngagedRestartTransitionSchedule_Title | +| Name | EngagedRestartTransitionSchedule | | Friendly Name | Specify Engaged restart transition and notification schedule for updates | | Element Name | Deadline (days) | | Location | Computer Configuration | @@ -1802,6 +1833,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic + For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1825,7 +1857,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic | Name | Value | |:--|:--| -| Name | EngagedRestartTransitionSchedule_Title | +| Name | EngagedRestartTransitionSchedule | | Friendly Name | Specify Engaged restart transition and notification schedule for updates | | Element Name | Deadline (days) | | Location | Computer Configuration | @@ -1856,6 +1888,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic + For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1879,7 +1912,7 @@ For Quality Updates, this policy specifies the number of days a user can snooze | Name | Value | |:--|:--| -| Name | EngagedRestartTransitionSchedule_Title | +| Name | EngagedRestartTransitionSchedule | | Friendly Name | Specify Engaged restart transition and notification schedule for updates | | Element Name | Snooze (days) | | Location | Computer Configuration | @@ -1910,6 +1943,7 @@ For Quality Updates, this policy specifies the number of days a user can snooze + For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1933,7 +1967,7 @@ For Feature Updates, this policy specifies the number of days a user can snooze | Name | Value | |:--|:--| -| Name | EngagedRestartTransitionSchedule_Title | +| Name | EngagedRestartTransitionSchedule | | Friendly Name | Specify Engaged restart transition and notification schedule for updates | | Element Name | Snooze (days) | | Location | Computer Configuration | @@ -1964,6 +1998,7 @@ For Feature Updates, this policy specifies the number of days a user can snooze + Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. @@ -2000,7 +2035,7 @@ Enabling any of the following policies will override the above policy: | Name | Value | |:--|:--| -| Name | EngagedRestartTransitionSchedule_Title | +| Name | EngagedRestartTransitionSchedule | | Friendly Name | Specify Engaged restart transition and notification schedule for updates | | Element Name | Transition (days) | | Location | Computer Configuration | @@ -2031,6 +2066,7 @@ Enabling any of the following policies will override the above policy: + For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Value type is integer. Default value is 7 days. Supported value range: 2 - 30. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -2054,7 +2090,7 @@ For Feature Updates, this policy specifies the timing before transitioning from | Name | Value | |:--|:--| -| Name | EngagedRestartTransitionSchedule_Title | +| Name | EngagedRestartTransitionSchedule | | Friendly Name | Specify Engaged restart transition and notification schedule for updates | | Element Name | Transition (days) | | Location | Computer Configuration | @@ -2085,6 +2121,7 @@ For Feature Updates, this policy specifies the timing before transitioning from + Enable this policy to not include drivers with Windows quality updates. If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. @@ -2118,7 +2155,7 @@ If you disable or do not configure this policy, Windows Update will include upda | Name | Value | |:--|:--| -| Name | ExcludeWUDriversInQualityUpdate_Title | +| Name | ExcludeWUDriversInQualityUpdate | | Friendly Name | Do not include drivers with Windows Updates | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage updates offered from Windows Update | @@ -2149,6 +2186,7 @@ If you disable or do not configure this policy, Windows Update will include upda + Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). **Note**: This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. @@ -2211,6 +2249,7 @@ Allows Windows Update Agent to determine the download URL when it is missing fro + Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators. @@ -2267,6 +2306,7 @@ To validate this policy: + Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators. @@ -2323,6 +2363,7 @@ To validate this policy: + Used to manage Windows 10 Insider Preview builds. Value type is integer. @@ -2356,7 +2397,7 @@ Used to manage Windows 10 Insider Preview builds. Value type is integer. | Name | Value | |:--|:--| -| Name | ManagePreviewBuilds_Title | +| Name | ManagePreviewBuilds | | Friendly Name | Manage preview builds | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage updates offered from Windows Update | @@ -2386,6 +2427,7 @@ Used to manage Windows 10 Insider Preview builds. Value type is integer. + When enabled, notifications will only be disabled during active hours. Takes effect only if Update/UpdateNotificationLevel is configured to 1 or 2. To ensure that the device stays secure, a notification will still be shown if this option is selected once “Specify deadlines for automatic updates and restarts” deadline has been reached if configured, regardless of active hours. @@ -2446,7 +2488,8 @@ When enabled, notifications will only be disabled during active hours. Takes eff -**Note**: Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + +NoteDon't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. @@ -2504,7 +2547,8 @@ When enabled, notifications will only be disabled during active hours. Takes eff -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days. + +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days. @@ -2537,7 +2581,7 @@ Since this policy is not blocked, you will not get a failure message when you us | Name | Value | |:--|:--| -| Name | DeferFeatureUpdates_Title | +| Name | DeferFeatureUpdates | | Friendly Name | Select when Preview Builds and Feature Updates are received | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage updates offered from Windows Update | @@ -2567,6 +2611,7 @@ Since this policy is not blocked, you will not get a failure message when you us + Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. @@ -2588,7 +2633,7 @@ Specifies the date and time when the IT admin wants to start pausing the Feature | Name | Value | |:--|:--| -| Name | DeferFeatureUpdates_Title | +| Name | DeferFeatureUpdates | | Friendly Name | Select when Preview Builds and Feature Updates are received | | Element Name | Pause Preview Builds or Feature Updates starting | | Location | Computer Configuration | @@ -2619,6 +2664,7 @@ Specifies the date and time when the IT admin wants to start pausing the Feature + Allows IT Admins to pause Quality Updates. @@ -2652,7 +2698,7 @@ Allows IT Admins to pause Quality Updates. | Name | Value | |:--|:--| -| Name | DeferQualityUpdates_Title | +| Name | DeferQualityUpdates | | Friendly Name | Select when Quality Updates are received | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage updates offered from Windows Update | @@ -2682,6 +2728,7 @@ Allows IT Admins to pause Quality Updates. + Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. @@ -2705,7 +2752,7 @@ Specifies the date and time when the IT admin wants to start pausing the Quality | Name | Value | |:--|:--| -| Name | DeferQualityUpdates_Title | +| Name | DeferQualityUpdates | | Friendly Name | Select when Quality Updates are received | | Element Name | Pause Quality Updates starting | | Location | Computer Configuration | @@ -2736,6 +2783,7 @@ Specifies the date and time when the IT admin wants to start pausing the Quality + This policy is deprecated. Use Update/RequireUpdateApproval instead. @@ -2766,7 +2814,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -2776,6 +2824,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead. + Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows release information. @@ -2831,7 +2880,8 @@ Supported value type is a string containing a Windows product. For example, "Win -**Note**: Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. + +NoteDon't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. @@ -2889,7 +2939,8 @@ Supported value type is a string containing a Windows product. For example, "Win -**Note**: If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace. + +Note If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace. @@ -2937,6 +2988,7 @@ Supported value type is a string containing a Windows product. For example, "Win + Enables the IT admin to schedule the day of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. @@ -3007,6 +3059,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty + Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every week @@ -3071,6 +3124,7 @@ Enables the IT admin to schedule the update installation on the every week. Valu + Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every first week of the month @@ -3135,6 +3189,7 @@ Enables the IT admin to schedule the update installation on the first week of th + Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every fourth week of the month @@ -3199,6 +3254,7 @@ Enables the IT admin to schedule the update installation on the fourth week of t + Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every second week of the month @@ -3263,6 +3319,7 @@ Enables the IT admin to schedule the update installation on the second week of t + Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every third week of the month @@ -3327,7 +3384,8 @@ Enables the IT admin to schedule the update installation on the third week of th -**Note**: This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + +Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. @@ -3385,6 +3443,7 @@ Enables the IT admin to schedule the update installation on the third week of th + Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). @@ -3417,7 +3476,7 @@ Allows the IT Admin to specify the period for auto-restart imminent warning noti | Name | Value | |:--|:--| -| Name | RestartWarningSchd_Title | +| Name | RestartWarnRemind | | Friendly Name | Configure auto-restart warning notifications schedule for updates | | Element Name | Warning (mins) | | Location | Computer Configuration | @@ -3448,6 +3507,7 @@ Allows the IT Admin to specify the period for auto-restart imminent warning noti + Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed. Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user. @@ -3488,7 +3548,7 @@ If you disable or do not configure this policy, the default notification behavio | Name | Value | |:--|:--| -| Name | RestartWarningSchd_Title | +| Name | RestartWarnRemind | | Friendly Name | Configure auto-restart warning notifications schedule for updates | | Element Name | Reminder (hours) | | Location | Computer Configuration | @@ -3519,6 +3579,7 @@ If you disable or do not configure this policy, the default notification behavio + Allows the IT Admin to disable auto-restart notifications for update installations. @@ -3550,7 +3611,7 @@ Allows the IT Admin to disable auto-restart notifications for update installatio | Name | Value | |:--|:--| -| Name | AutoRestartNotificationDisable_Title | +| Name | AutoRestartNotificationDisable | | Friendly Name | Turn off auto-restart notifications for update installations | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Legacy Policies | @@ -3580,7 +3641,10 @@ Allows the IT Admin to disable auto-restart notifications for update installatio -This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user cannot access the Pause updates feature. Value type is integer. Default is 0. Supported values 0, 1. + +This setting allows to remove access to "Pause updates" feature. + +Once enabled user access to pause updates is removed. @@ -3611,8 +3675,13 @@ This policy allows the IT admin to disable the Pause Updates feature. When this | Name | Value | |:--|:--| -| Name | SetDisablePauseUXAccess | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Name | DisablePauseUXAccess | +| Friendly Name | Remove access to "Pause updates" feature | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetDisablePauseUXAccess | +| ADMX File Name | WindowsUpdate.admx | @@ -3637,7 +3706,10 @@ This policy allows the IT admin to disable the Pause Updates feature. When this -This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. Value type is integer. Default is 0. Supported values 0, 1. + +This setting allows you to remove access to scan Windows Update. + +If you enable this setting user access to Windows Update scan, download and install is removed. @@ -3668,8 +3740,13 @@ This policy allows the IT admin to remove access to scan Windows Update. When th | Name | Value | |:--|:--| -| Name | SetDisableUXWUAccess | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Name | DisableUXWUAccess | +| Friendly Name | Remove access to use all Windows Update features | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetDisableUXWUAccess | +| ADMX File Name | WindowsUpdate.admx | @@ -3694,6 +3771,7 @@ This policy allows the IT admin to remove access to scan Windows Update. When th + Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time. @@ -3725,7 +3803,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po | Name | Value | |:--|:--| -| Name | SetEDURestart_Title | +| Name | SetEDURestart | | Friendly Name | Update Power Policy for Cart Restarts | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage end user experience | @@ -3756,7 +3834,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po - + @@ -3817,7 +3895,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po - + @@ -3878,7 +3956,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po - + @@ -3939,7 +4017,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po - + @@ -4000,6 +4078,7 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po + Select the proxy behavior for Windows Update client for detecting updates @@ -4068,6 +4147,7 @@ This policy setting doesn't impact those customers who have, per Microsoft recom + Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows 10 release information. @@ -4089,7 +4169,7 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp | Name | Value | |:--|:--| -| Name | TargetReleaseVersion_Title | +| Name | TargetReleaseVersion | | Friendly Name | Select the target Feature Update version | | Element Name | Target Version for Feature Updates | | Location | Computer Configuration | @@ -4120,6 +4200,7 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp + 0 (default) – Use the default Windows Update notifications 1 – Turn off all notifications, excluding restart warnings 2 – Turn off all notifications, including restart warnings @@ -4160,7 +4241,7 @@ If you select “Apply only during active hours” in conjunction with Option 1 | Name | Value | |:--|:--| -| Name | UpdateNotificationLevel_Title | +| Name | UpdateNotificationLevel | | Friendly Name | Display options for update notifications | | Location | Computer Configuration | | Path | Windows Components > Windows Update > Manage end user experience | @@ -4191,7 +4272,8 @@ If you select “Apply only during active hours” in conjunction with Option 1 -**Important**: Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace. + +ImportantStarting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace. @@ -4244,6 +4326,7 @@ If you select “Apply only during active hours” in conjunction with Option 1 + Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. **Note**: If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 106c5f63e4..9aace46fee 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1,1254 +1,1554 @@ --- -title: Policy CSP - WindowsDefenderSecurityCenter -description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. +title: WindowsDefenderSecurityCenter Policy CSP +description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsDefenderSecurityCenter -
+ + + - + +## CompanyName -## WindowsDefenderSecurityCenter policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
-
- WindowsDefenderSecurityCenter/CompanyName -
-
- WindowsDefenderSecurityCenter/DisableAccountProtectionUI -
-
- WindowsDefenderSecurityCenter/DisableAppBrowserUI -
-
- WindowsDefenderSecurityCenter/DisableClearTpmButton -
-
- WindowsDefenderSecurityCenter/DisableDeviceSecurityUI -
-
- WindowsDefenderSecurityCenter/DisableEnhancedNotifications -
-
- WindowsDefenderSecurityCenter/DisableFamilyUI -
-
- WindowsDefenderSecurityCenter/DisableHealthUI -
-
- WindowsDefenderSecurityCenter/DisableNetworkUI -
-
- WindowsDefenderSecurityCenter/DisableNotifications -
-
- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning -
-
- WindowsDefenderSecurityCenter/DisableVirusUI -
-
- WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride -
-
- WindowsDefenderSecurityCenter/Email -
-
- WindowsDefenderSecurityCenter/EnableCustomizedToasts -
-
- WindowsDefenderSecurityCenter/EnableInAppCustomization -
-
- WindowsDefenderSecurityCenter/HideRansomwareDataRecovery -
-
- WindowsDefenderSecurityCenter/HideSecureBoot -
-
- WindowsDefenderSecurityCenter/HideTPMTroubleshooting -
-
- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl -
-
- WindowsDefenderSecurityCenter/Phone -
-
- WindowsDefenderSecurityCenter/URL -
-
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/CompanyName +``` + -
+ + +The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. + - -**WindowsDefenderSecurityCenter/CompanyName** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
+ +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_CompanyName | +| Friendly Name | Specify contact company name | +| Element Name | Company name | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + -> [!div class = "checklist"] -> * Device + + + -
+ - - -The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display the contact options. + +## DisableAccountProtectionUI -- Supported value type is string. -- Supported operations are Add, Get, Replace and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableAccountProtectionUI +``` + -ADMX Info: -- GP Friendly name: *Specify contact company name* -- GP name: *EnterpriseCustomization_CompanyName* -- GP element: *Presentation_EnterpriseCustomization_CompanyName* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + +Hide the Account protection area in Windows Security. - - +Enabled: +The Account protection area will be hidden. -
+Disabled: +The Account protection area will be shown. - -**WindowsDefenderSecurityCenter/DisableAccountProtectionUI** +Not configured: +Same as Disabled. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the Account protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the Account protection area in Windows Defender Security Center. | + -
+ +**Group policy mapping**: - - -Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. +| Name | Value | +|:--|:--| +| Name | AccountProtection_UILockdown | +| Friendly Name | Hide the Account protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Account protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - - -ADMX Info: -- GP Friendly name: *Hide the Account protection area* -- GP name: *AccountProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Account protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + - - -Valid values: + -- 0 - (Disable) The users can see the display of the Account protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the Account protection area in Windows Defender Security Center. + +## DisableAppBrowserUI - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableAppBrowserUI +``` + - -**WindowsDefenderSecurityCenter/DisableAppBrowserUI** + + +Hide the App and browser protection area in Windows Security. - -The table below shows the applicability of Windows: +Enabled: +The App and browser protection area will be hidden. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Disabled: +The App and browser protection area will be shown. - -
+Not configured: +Same as Disabled. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. + +**Allowed values**: -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the app and browser protection area in Windows Defender Security Center. | + - - -ADMX Info: -- GP Friendly name: *Hide the App and browser protection area* -- GP name: *AppBrowserProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +**Group policy mapping**: - - -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AppBrowserProtection_UILockdown | +| Friendly Name | Hide the App and browser protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > App and browser protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + -- 0 - (Disable) The users can see the display of the app and browser protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the app and browser protection area in Windows Defender Security Center. + + + - - + -
+ +## DisableClearTpmButton - -**WindowsDefenderSecurityCenter/DisableClearTpmButton** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableClearTpmButton +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + Disable the Clear TPM button in Windows Security. -- Enabled: The Clear TPM button will be unavailable for use. -- Disabled: The Clear TPM button will be available for use on supported systems. -- Not configured: Same as Disabled. - -Supported values: - -- 0 - Disabled (default) -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Disable the Clear TPM button* -- GP name: *DeviceSecurity_DisableClearTpmButton* -- GP path: *Windows Components/Windows Security/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - - - - - - - - - - - -
- - -**WindowsDefenderSecurityCenter/DisableDeviceSecurityUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - - - -ADMX Info: -- GP Friendly name: *Hide the Device security area* -- GP name: *DeviceSecurity_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable) The users can see the display of the Device security area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the Device security area in Windows Defender Security Center. - - - - -
- - -**WindowsDefenderSecurityCenter/DisableEnhancedNotifications** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy if you want Windows Defender Security Center to only display notifications that are considered critical. If you disable or don't configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users. - -> [!NOTE] -> If Suppress notification is enabled then users won't see critical or non-critical messages. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide non-critical notifications* -- GP name: *Notifications_DisableEnhancedNotifications* -- GP path: *Windows Components/Windows Defender Security Center/Notifications* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Windows Defender Security Center will display critical and non-critical notifications to users. -- 1 - (Enable) Windows Defender Security Center only display notifications that are considered critical on clients. - - - - -
- - -**WindowsDefenderSecurityCenter/DisableFamilyUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Family options area* -- GP name: *FamilyOptions_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Family options* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the family options area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the family options area in Windows Defender Security Center. - - - - -
- - -**WindowsDefenderSecurityCenter/DisableHealthUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Device performance and health area* -- GP name: *DevicePerformanceHealth_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Device performance and health* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the device performance and health area in Windows Defender Security Center. - - - - -
- - -**WindowsDefenderSecurityCenter/DisableNetworkUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Firewall and network protection area* -- GP name: *FirewallNetworkProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the firewall and network protection area in Windows Defender Security Center. - - - - -
- - -**WindowsDefenderSecurityCenter/DisableNotifications** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or don't configure this setting, Windows Defender Security Center notifications will display on devices. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide all notifications* -- GP name: *Notifications_DisableNotifications* -- GP path: *Windows Components/Windows Defender Security Center/Notifications* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of Windows Defender Security Center notifications. -- 1 - (Enable) The users can't see the display of Windows Defender Security Center notifications. - - - - -
- - -**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - +Enabled: +The Clear TPM button will be unavailable for use. + +Disabled: +The Clear TPM button will be available for use. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled or not configured) The security processor troubleshooting page shows a button that initiates the process to clear the security processor (TPM). | +| 1 | (Enabled) The security processor troubleshooting page will not show a button to initiate the process to clear the security processor (TPM) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_DisableClearTpmButton | +| Friendly Name | Disable the Clear TPM button | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | DisableClearTpmButton | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableDeviceSecurityUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableDeviceSecurityUI +``` + + + + +Hide the Device security area in Windows Security. + +Enabled: +The Device security area will be hidden. + +Disabled: +The Device security area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the Device security area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the Device security area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_UILockdown | +| Friendly Name | Hide the Device security area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableEnhancedNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableEnhancedNotifications +``` + + + + +Only show critical notifications from Windows Security. + +If the Suppress all notifications GP setting has been enabled, this setting will have no effect. + +Enabled: +Local users will only see critical notifications from Windows Security. They will not see other types of notifications, such as regular PC or device health information. + +Disabled: +Local users will see all types of notifications from Windows Security. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) Windows Defender Security Center will display critical and non-critical notifications to users.. | +| 1 | (Enable) Windows Defender Security Center only display notifications which are considered critical on clients. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Notifications_DisableEnhancedNotifications | +| Friendly Name | Hide non-critical notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | +| Registry Value Name | DisableEnhancedNotifications | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableFamilyUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableFamilyUI +``` + + + + +Hide the Family options area in Windows Security. + +Enabled: +The Family options area will be hidden. + +Disabled: +The Family options area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the family options area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the family options area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | FamilyOptions_UILockdown | +| Friendly Name | Hide the Family options area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Family options | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableHealthUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableHealthUI +``` + + + + +Hide the Device performance and health area in Windows Security. + +Enabled: +The Device performance and health area will be hidden. + +Disabled: +The Device performance and health area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the device performance and health area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the device performance and health area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DevicePerformanceHealth_UILockdown | +| Friendly Name | Hide the Device performance and health area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device performance and health | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableNetworkUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableNetworkUI +``` + + + + +Hide the Firewall and network protection area in Windows Security. + +Enabled: +The Firewall and network protection area will be hidden. + +Disabled: +The Firewall and network protection area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the firewall and network protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the firewall and network protection area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | FirewallNetworkProtection_UILockdown | +| Friendly Name | Hide the Firewall and network protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Firewall and network protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableNotifications +``` + + + + +Hide notifications from Windows Security. + +Enabled: +Local users will not see notifications from Windows Security. + +Disabled: +Local users can see notifications from Windows Security. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of Windows Defender Security Center notifications. | +| 1 | (Enable) The users cannot see the display of Windows Defender Security Center notifications. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Notifications_DisableNotifications | +| Friendly Name | Hide all notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | +| Registry Value Name | DisableNotifications | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableTpmFirmwareUpdateWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning +``` + + + + Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. -- Enabled: Users won't be shown a recommendation to update their TPM Firmware. -- Disabled: Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. -- Not configured: Same as Disabled. - -Supported values: - -- 0 - Disabled (default) -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Hide the TPM Firmware Update recommendation.* -- GP name: *DeviceSecurity_DisableTpmFirmwareUpdateWarning* -- GP path: *Windows Components/Windows Security/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - - - - - - - - - - - -
- - -**WindowsDefenderSecurityCenter/DisableVirusUI** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Hide the Virus and threat protection area* -- GP name: *VirusThreatProtection_UILockdown* -- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. -- 1 - (Enable) The users can't see the display of the virus and threat protection area in Windows Defender Security Center. - - - - -
- - -**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or don't configure this setting, local users can make changes in the exploit protection settings area. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Prevent users from modifying settings* -- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride* -- GP path: *Windows Components/Windows Defender Security Center/App and browser protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Local users are allowed to make changes in the exploit protection settings area. -- 1 - (Enable) Local users can't make changes in the exploit protection settings area. - - - - -
- - -**WindowsDefenderSecurityCenter/Email** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. - -- Supported value type is string. -- Supported operations are Add, Get, Replace and Delete. - - - -ADMX Info: -- GP Friendly name: *Specify contact email address or Email ID* -- GP name: *EnterpriseCustomization_Email* -- GP element: *Presentation_EnterpriseCustomization_Email* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - - -
- - -**WindowsDefenderSecurityCenter/EnableCustomizedToasts** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Enable this policy to display your company name and contact options in the notifications. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. - -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP Friendly name: *Configure customized notifications* -- GP name: *EnterpriseCustomization_EnableCustomizedToasts* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Notifications contain a default notification text. -- 1 - (Enable) Notifications contain the company name and contact options. - - - - -
- - -**WindowsDefenderSecurityCenter/EnableInAppCustomization** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center won't display the contact card fly out notification. - -- Support value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -ADMX Info: -- GP Friendly name: *Configure customized contact information* -- GP name: *EnterpriseCustomization_EnableInAppCustomization* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -The following list shows the supported values: - -- 0 - (Disable) Don't display the company name and contact options in the card fly out notification. -- 1 - (Enable) Display the company name and contact options in the card fly out notification. - - - - -
- - -**WindowsDefenderSecurityCenter/HideRansomwareDataRecovery** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. - - - -ADMX Info: -- GP Friendly name: *Hide the Ransomware data recovery area* -- GP name: *VirusThreatProtection_HideRansomwareRecovery* -- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable or not configured) The Ransomware data recovery area will be visible. -- 1 - (Enable) The Ransomware data recovery area is hidden. - - - - -
- - -**WindowsDefenderSecurityCenter/HideSecureBoot** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy to hide the Secure boot area in the Windows Defender Security Center. - - - -ADMX Info: -- GP Friendly name: *Hide the Secure boot area* -- GP name: *DeviceSecurity_HideSecureBoot* -- GP path: *Windows Components/Windows Defender Security Center/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable or not configured) The Secure boot area is displayed. -- 1 - (Enable) The Secure boot area is hidden. - - - - -
- - -**WindowsDefenderSecurityCenter/HideTPMTroubleshooting** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Use this policy to hide the Security processor (TPM) troubleshooting area in the Windows Defender Security Center. - - - -ADMX Info: -- GP Friendly name: *Hide the Security processor (TPM) troubleshooter page* -- GP name: *DeviceSecurity_HideTPMTroubleshooting* -- GP path: *Windows Components/Windows Defender Security Center/Device security* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* - - - -Valid values: - -- 0 - (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed. -- 1 - (Enable) The Security processor (TPM) troubleshooting area is hidden. - - - - -
- - -**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - +Enabled: +Users will not be shown a recommendation to update their TPM Firmware. + +Disabled: +Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or Not configured) A warning will be displayed if the firmware of the security processor (TPM) should be updated for TPMs that have a vulnerability. | +| 1 | (Enabled) No warning will be displayed if the firmware of the security processor (TPM) should be updated. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_DisableTpmFirmwareUpdateWarning | +| Friendly Name | Hide the TPM Firmware Update recommendation. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | DisableTpmFirmwareUpdateWarning | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisableVirusUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisableVirusUI +``` + + + + +Hide the Virus and threat protection area in Windows Security. + +Enabled: +The Virus and threat protection area will be hidden. + +Disabled: +The Virus and threat protection area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) The users can see the display of the virus and threat protection area in Windows Defender Security Center. | +| 1 | (Enable) The users cannot see the display of the virus and threat protection area in Windows Defender Security Center. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirusThreatProtection_UILockdown | +| Friendly Name | Hide the Virus and threat protection area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Virus and threat protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## DisallowExploitProtectionOverride + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride +``` + + + + +Prevent users from making changes to the Exploit protection settings area in Windows Security. + +Enabled: +Local users can not make changes in the Exploit protection settings area. + +Disabled: +Local users are allowed to make changes in the Exploit protection settings area. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) Local users are allowed to make changes in the exploit protection settings area. | +| 1 | (Enable) Local users cannot make changes in the exploit protection settings area. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppBrowserProtection_DisallowExploitProtectionOverride | +| Friendly Name | Prevent users from modifying settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > App and browser protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection | +| Registry Value Name | DisallowExploitProtectionOverride | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## Email + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/Email +``` + + + + +The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_Email | +| Friendly Name | Specify contact email address or Email ID | +| Element Name | Email address or email ID | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## EnableCustomizedToasts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/EnableCustomizedToasts +``` + + + + +Display specified contact information to local users in Windows Security notifications. + +Enabled: +Your company contact information will be displayed in notifications that come from Windows Security. + +After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: +-Specify contact phone number or Skype ID +-Specify contact email number or email ID +-Specify contact website +Please note that in some cases we will be limiting the contact options that are displayed based on the notification space available. + +Disabled: +No contact information will be shown on notifications. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | notification text. | +| 1 | (Enable) Notifications contain the company name and contact options. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_EnableCustomizedToasts | +| Friendly Name | Configure customized notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| Registry Value Name | EnableForToasts | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## EnableInAppCustomization + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/EnableInAppCustomization +``` + + + + +Display specified contact information to local users in a contact card flyout menu in Windows Security + +Enabled: +Your company contact information will be displayed in a flyout menu in Windows Security. + +After setting this to Enabled, you must configure the Specify contact company name GP setting and at least one of the following GP settings: +-Specify contact phone number or Skype ID +-Specify contact email number or email ID +-Specify contact website + +Disabled: +No contact information will be shown in Windows Security. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable) Do not display the company name and contact options in the card fly out notification. | +| 1 | (Enable) Display the company name and contact options in the card fly out notification. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_EnableInAppCustomization | +| Friendly Name | Configure customized contact information | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| Registry Value Name | EnableInApp | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideRansomwareDataRecovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideRansomwareDataRecovery +``` + + + + +Hide the Ransomware data recovery area in Windows Security. + +Enabled: +The Ransomware data recovery area will be hidden. + +Disabled: +The Ransomware data recovery area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or not configured) The Ransomware data recovery area will be visible. | +| 1 | (Enable) The Ransomware data recovery area is hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirusThreatProtection_HideRansomwareRecovery | +| Friendly Name | Hide the Ransomware data recovery area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Virus and threat protection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection | +| Registry Value Name | HideRansomwareRecovery | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideSecureBoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideSecureBoot +``` + + + + +Hide the Secure boot area in Windows Security. + +Enabled: +The Secure boot area will be hidden. + +Disabled: +The Secure boot area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or not configured) The Secure boot area is displayed. | +| 1 | (Enable) The Secure boot area is hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_HideSecureBoot | +| Friendly Name | Hide the Secure boot area | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | HideSecureBoot | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideTPMTroubleshooting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideTPMTroubleshooting +``` + + + + +Hide the Security processor (TPM) troubleshooting area in Windows Security. + +Enabled: +The Security processor (TPM) troubleshooting area will be hidden. + +Disabled: +The Security processor (TPM) troubleshooting area will be shown. + +Not configured: +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disable or not configured) The Security processor (TPM) troubleshooting area is displayed. | +| 1 | (Enable) The Security processor (TPM) troubleshooting area is hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceSecurity_HideTPMTroubleshooting | +| Friendly Name | Hide the Security processor (TPM) troubleshooter page | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Device security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security | +| Registry Value Name | HideTPMTroubleshooting | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + + + + + + + + + +## HideWindowsSecurityNotificationAreaControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl +``` + + + + This policy setting hides the Windows Security notification area control. The user needs to either sign out and sign in or reboot the computer for this setting to take effect. -- Enabled: Windows Security notification area control will be hidden. -- Disabled: Windows Security notification area control will be shown. -- Not configured: Same as Disabled. +Enabled: +Windows Security notification area control will be hidden. -Supported values: +Disabled: +Windows Security notification area control will be shown. -- 0 - Disabled (default) -- 1 - Enabled +Not configured: +Same as Disabled. + - - -ADMX Info: -- GP Friendly name: *Hide Windows Security Systray* -- GP name: *Systray_HideSystray* -- GP path: *Windows Components/Windows Security/Systray* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | | +| 1 | Enabled | + -
+ +**Group policy mapping**: - -**WindowsDefenderSecurityCenter/Phone** +| Name | Value | +|:--|:--| +| Name | Systray_HideSystray | +| Friendly Name | Hide Windows Security Systray | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Systray | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray | +| Registry Value Name | HideSystray | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## Phone - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/Phone +``` + -
+ + +The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. + - - -The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. + + + -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Specify contact phone number or Skype ID* -- GP name: *EnterpriseCustomization_Phone* -- GP element: *Presentation_EnterpriseCustomization_Phone* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +**Group policy mapping**: -
+| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_Phone | +| Friendly Name | Specify contact phone number or Skype ID | +| Element Name | Phone number or Skype ID | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - -**WindowsDefenderSecurityCenter/URL** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## URL - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsDefenderSecurityCenter/URL +``` + -> [!div class = "checklist"] -> * Device + + +The help portal URL this is displayed to users.  The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. + -
+ + + - - -The help portal URL that is displayed to users. The default browser is used to initiate this action. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device won't display contact options. + +**Description framework properties**: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -ADMX Info: -- GP Friendly name: *Specify contact website* -- GP name: *EnterpriseCustomization_URL* -- GP element: *Presentation_EnterpriseCustomization_URL* -- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization* -- GP ADMX file name: *WindowsDefenderSecurityCenter.admx* + +**Group policy mapping**: - - -
+| Name | Value | +|:--|:--| +| Name | EnterpriseCustomization_URL | +| Friendly Name | Specify contact website | +| Element Name | IT or support website | +| Location | Computer Configuration | +| Path | Windows Components > Windows Security > Enterprise Customization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization | +| ADMX File Name | WindowsDefenderSecurityCenter.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 403b33ba76..3d1e96e1ef 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,138 +1,158 @@ --- -title: Policy CSP - WindowsInkWorkspace -description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace. +title: WindowsInkWorkspace Policy CSP +description: Learn more about the WindowsInkWorkspace Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsInkWorkspace -
+ + + - -## WindowsInkWorkspace policies + +## AllowSuggestedAppsInWindowsInkWorkspace -
-
- WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace -
-
- WindowsInkWorkspace/AllowWindowsInkWorkspace -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace +``` + - -**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + +Allow suggested apps in Windows Ink Workspace + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
+ +**Group policy mapping**: - - -Show recommended app suggestions in the ink workspace. +| Name | Value | +|:--|:--| +| Name | AllowSuggestedAppsInWindowsInkWorkspace | +| Friendly Name | Allow suggested apps in Windows Ink Workspace | +| Location | Computer Configuration | +| Path | Windows Components > Windows Ink Workspace | +| Registry Key Name | Software\Policies\Microsoft\WindowsInkWorkspace | +| Registry Value Name | AllowSuggestedAppsInWindowsInkWorkspace | +| ADMX File Name | WindowsInkWorkspace.admx | + - - -ADMX Info: -- GP Friendly name: *Allow suggested apps in Windows Ink Workspace* -- GP name: *AllowSuggestedAppsInWindowsInkWorkspace* -- GP path: *Windows Components/Windows Ink Workspace* -- GP ADMX file name: *WindowsInkWorkspace.admx* + + + - - -The following list shows the supported values: + -- 0 - app suggestions are not allowed. -- 1 (default) -allow app suggestions. + +## AllowWindowsInkWorkspace - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace +``` + - -**WindowsInkWorkspace/AllowWindowsInkWorkspace** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + Specifies whether to allow the user to access the ink workspace. + - - -ADMX Info: -- GP Friendly name: *Allow Windows Ink Workspace* -- GP name: *AllowWindowsInkWorkspace* -- GP element: *AllowWindowsInkWorkspaceDropdown* -- GP path: *Windows Components/Windows Ink Workspace* -- GP ADMX file name: *WindowsInkWorkspace.admx* + + + - - -Supported value type is int. The following list shows the supported values: + +**Description framework properties**: -- 0 - access to ink workspace is disabled. The feature is turned off. -- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. -- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + - - -
+ +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | access to ink workspace is disabled. The feature is turned off. | +| 1 | ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. | +| 2 (Default) | ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. | + -## Related topics + +**Group policy mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | AllowWindowsInkWorkspace | +| Friendly Name | Allow Windows Ink Workspace | +| Element Name | Choose one of the following actions | +| Location | Computer Configuration | +| Path | Windows Components > Windows Ink Workspace | +| Registry Key Name | Software\Policies\Microsoft\WindowsInkWorkspace | +| ADMX File Name | WindowsInkWorkspace.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 259cea10dc..8de42485a9 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,92 +1,103 @@ --- -title: Policy CSP - WindowsPowerShell -description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. +title: WindowsPowerShell Policy CSP +description: Learn more about the WindowsPowerShell Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsPowerShell -
- - -## WindowsPowerShell policies - -
-
- WindowsPowerShell/TurnOnPowerShellScriptBlockLogging -
-
- - -
- - -**WindowsPowerShell/TurnOnPowerShellScriptBlockLogging** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - -This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. - -If you disable this policy setting, logging of PowerShell script input is disabled. - -If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. - -> [!NOTE] -> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. - - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -ADMX Info: -- GP Friendly name: *Turn on PowerShell Script Block Logging* -- GP name: *EnableScriptBlockLogging* -- GP path: *Windows Components/Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + - - -
+ +## TurnOnPowerShellScriptBlockLogging - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -## Related topics + +```User +./User/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging +``` -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging +``` + + + + +This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, +Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. + +If you disable this policy setting, logging of PowerShell script input is disabled. + +If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script +starts or stops. Enabling Invocation Logging generates a high volume of event logs. + +Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableScriptBlockLogging | +| Friendly Name | Turn on PowerShell Script Block Logging | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | +| Registry Value Name | EnableScriptBlockLogging | +| ADMX File Name | PowerShellExecutionPolicy.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index c6271913c6..aa8978ec78 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,465 +1,417 @@ --- -title: Policy CSP - WindowsSandbox -description: Policy CSP - WindowsSandbox +title: WindowsSandbox Policy CSP +description: Learn more about the WindowsSandbox Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/14/2020 +ms.topic: reference --- + + + # Policy CSP - WindowsSandbox + + + -
+ +## AllowAudioInput - -## WindowsSandbox policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
-
- WindowsSandbox/AllowAudioInput -
-
- WindowsSandbox/AllowClipboardRedirection -
-
- WindowsSandbox/AllowNetworking -
-
- WindowsSandbox/AllowPrinterRedirection -
-
- WindowsSandbox/AllowVGPU -
-
- WindowsSandbox/AllowVideoInput -
-
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowAudioInput +``` + -
+ + +This policy setting enables or disables audio input to the Sandbox. - -**WindowsSandbox/AllowAudioInput** +If you enable this policy setting, Windows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting. -Available in the latest Windows 10 insider preview build. +If you disable this policy setting, Windows Sandbox will not be able to receive audio input from the user. Applications using a microphone may not function properly with this setting. - -The table below shows the applicability of Windows: +If you do not configure this policy setting, audio input will be enabled. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows the IT admin to enable or disable audio input to the Sandbox. - -> [!NOTE] -> There may be security implications of exposing host audio input to the container. - -If this policy isn't configured, end-users get the default behavior (audio input enabled). - -If audio input is disabled, a user won't be able to enable audio input from their own configuration file. - -If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure. +Note that there may be security implications of exposing host audio input to the container. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow audio input in Windows Sandbox* -- GP name: *AllowAudioInput* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 - Disabled -- 1 (default) - Enabled +| Name | Value | +|:--|:--| +| Name | AllowAudioInput | +| Friendly Name | Allow audio input in Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowAudioInput | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + - - + +## AllowClipboardRedirection -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowClipboardRedirection +``` + - -**WindowsSandbox/AllowClipboardRedirection** + + +This policy setting enables or disables clipboard sharing with the sandbox. -Available in the latest Windows 10 insider preview build. +If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted. - -The table below shows the applicability of Windows: +If you disable this policy setting, copy and paste in and out of Sandbox will be restricted. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox. - -If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled). - -If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file. - -If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure. +If you do not configure this policy setting, clipboard sharing will be enabled. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow clipboard sharing with Windows Sandbox* -- GP name: *AllowClipboardRedirection* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 - Disabled -- 1 (default) - Enabled +| Name | Value | +|:--|:--| +| Name | AllowClipboardRedirection | +| Friendly Name | Allow clipboard sharing with Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowClipboardRedirection | +| ADMX File Name | WindowsSandbox.admx | + + + + - - + - - + +## AllowNetworking - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowNetworking +``` + - -**WindowsSandbox/AllowNetworking** + + +This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. -Available in the latest Windows 10 insider preview build. +If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtual NIC. - -The table below shows the applicability of Windows: +If you disable this policy setting, networking is disabled in Windows Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy setting, networking will be enabled. - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network. - -If this policy isn't configured, end-users get the default behavior (networking enabled). - -If networking is disabled, a user won't be able to enable networking from their own configuration file. - -If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure. +Note that enabling networking can expose untrusted applications to the internal network. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow networking in Windows Sandbox* -- GP name: *AllowNetworking* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: -- 0 - Disabled -- 1 (default) - Enabled + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AllowNetworking | +| Friendly Name | Allow networking in Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowNetworking | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + -
+ +## AllowPrinterRedirection - -**WindowsSandbox/AllowPrinterRedirection** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Available in the latest Windows 10 insider preview build. + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowPrinterRedirection +``` + - -The table below shows the applicability of Windows: + + +This policy setting enables or disables printer sharing from the host into the Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable this policy setting, host printers will be shared into Windows Sandbox. - -
+If you disable this policy setting, Windows Sandbox will not be able to view printers from the host. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. - -If this policy isn't configured, end-users get the default behavior (printer sharing disabled). - -If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file. - -If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure. +If you do not configure this policy setting, printer redirection will be disabled. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow printer sharing with Windows Sandbox* -- GP name: *AllowPrinterRedirection* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 - Disabled -- 1 (default) - Enabled +| Name | Value | +|:--|:--| +| Name | AllowPrinterRedirection | +| Friendly Name | Allow printer sharing with Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowPrinterRedirection | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + - - + +## AllowVGPU -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**WindowsSandbox/AllowVGPU** + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVGPU +``` + -Available in the latest Windows 10 insider preview build. + + +This policy setting is to enable or disable the virtualized GPU. - -The table below shows the applicability of Windows: +If you enable this policy setting, vGPU will be supported in the Windows Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, Windows Sandbox will use software rendering, which can be slower than virtualized GPU. - -
+If you do not configure this policy setting, vGPU will be enabled. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox. - -> [!NOTE] -> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox. - -If this policy isn't configured, end-users get the default behavior (vGPU is disabled). - -If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file. - -If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure. +Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: + +**Description framework properties**: -- GP Friendly name: *Allow vGPU sharing for Windows Sandbox* -- GP name: *AllowVGPU* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + - - -The following are the supported values: + +**Group policy mapping**: -- 0 (default) - Disabled -- 1 - Enabled +| Name | Value | +|:--|:--| +| Name | AllowVGPU | +| Friendly Name | Allow vGPU sharing for Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowVGPU | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + - - + +## AllowVideoInput -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**WindowsSandbox/AllowVideoInput** + +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVideoInput +``` + -Available in the latest Windows 10 insider preview build. + + +This policy setting enables or disables video input to the Sandbox. - -The table below shows the applicability of Windows: +If you enable this policy setting, video input is enabled in Windows Sandbox. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, video input is disabled in Windows Sandbox. Applications using video input may not function properly in Windows Sandbox. - -
+If you do not configure this policy setting, video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows the IT admin to enable or disable video input to the Sandbox. - -> [!NOTE] -> There may be security implications of exposing host video input to the container. - -If this policy isn't configured, users get the default behavior (video input disabled). - -If video input is disabled, users won't be able to enable video input from their own configuration file. - -If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure. +Note that there may be security implications of exposing host video input to the container. + + + > [!NOTE] > You must restart Windows Sandbox for any changes to this policy setting to take effect. + - - -ADMX Info: -- GP Friendly name: *Allow video input in Windows Sandbox* -- GP name: *AllowVideoInput* -- GP path: *Windows Components/Windows Sandbox* -- GP ADMX file name: *WindowsSandbox.admx* + +**Description framework properties**: - - -The following are the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + -- 0 (default) - Disabled -- 1 - Enabled + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | AllowVideoInput | +| Friendly Name | Allow video input in Windows Sandbox | +| Location | Computer Configuration | +| Path | Windows Components > Windows Sandbox | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox | +| Registry Value Name | AllowVideoInput | +| ADMX File Name | WindowsSandbox.admx | + - - + + + - - + -
+ + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 854f98de60..7e12e9fd78 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,468 +1,613 @@ --- -title: Policy CSP - WirelessDisplay -description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. +title: WirelessDisplay Policy CSP +description: Learn more about the WirelessDisplay Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WirelessDisplay -
- - -## WirelessDisplay policies - -
-
- WirelessDisplay/AllowMdnsAdvertisement -
-
- WirelessDisplay/AllowMdnsDiscovery -
-
- WirelessDisplay/AllowMovementDetectionOnInfrastructure -
-
- WirelessDisplay/AllowProjectionFromPC -
-
- WirelessDisplay/AllowProjectionFromPCOverInfrastructure -
-
- WirelessDisplay/AllowProjectionToPC -
-
- WirelessDisplay/AllowProjectionToPCOverInfrastructure -
-
- WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver -
-
- WirelessDisplay/RequirePinForPairing -
-
- - -
- - -**WirelessDisplay/AllowMdnsAdvertisement** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
+ + + + + +## AllowMdnsAdvertisement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowMdnsAdvertisement +``` + + + + +This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowMdnsDiscovery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowMdnsDiscovery +``` + + + + +This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowMovementDetectionOnInfrastructure + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowMovementDetectionOnInfrastructure +``` + + + + +This policy setting allows you to disable the infrastructure movement detection feature. If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowPCReceiverToBeTCPServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowPCReceiverToBeTCPServer +``` + + + + +This policy setting allows a PC acting as a Wireless Display receiver to be a TCP server for the TCP session carrying the projection stream to the receiver. If you set it to 0, your PC receiver will start the outbound connection as a TCP client. If you set it to 1, your PC may receive the incoming projection as a TCP server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowPCSenderToBeTCPClient + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowPCSenderToBeTCPClient +``` + + + + +This policy setting allows a PC acting as a Wireless Display sender to be a TCP client for the TCP session carrying the projection stream to the receiver. If you set it to 0, your PC will only participate in an outgoing projection as a TCP server. If you set it to 1, your PC may start an outgoing projection as a TCP client. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowProjectionFromPC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionFromPC +``` + + + + +This policy allows you to turn off projection from a PC. If you set it to 0, your PC cannot discover or project to other devices. If you set it to 1, your PC can discover and project to other devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Your PC cannot discover or project to other devices. | +| 1 (Default) | Your PC can discover and project to other devices. | + -> [!div class = "checklist"] -> * Device + + + + + -
+ +## AllowProjectionFromPCOverInfrastructure + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionFromPCOverInfrastructure +``` + + + + +This policy allows you to turn off projection from a PC over infrastructure. If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. If you set it to 1, your PC can discover and project to other devices over infrastructure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. | +| 1 (Default) | Your PC can discover and project to other devices over infrastructure. | + + + + + + + + + +## AllowProjectionToPC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionToPC +``` + + + + +This policy setting allows you to turn off projection to a PC. + + + +If you turn it on, your PC isn't discoverable and can't be projected to except if the user manually launches the Wireless Display app. + + + +If you turn it off or don't configure it, your PC is discoverable and can be projected to above lock screen only. The user has an option to turn it always on or off except for manual launch, too. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Projection to PC is not allowed. Always off and the user cannot enable it. | +| 1 (Default) | Projection to PC is allowed. Enabled only above the lock screen. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowProjectionToPC | +| Friendly Name | Don't allow this PC to be projected to | +| Location | Computer Configuration | +| Path | Windows Components > Connect | +| Registry Key Name | Software\Policies\Microsoft\Windows\Connect | +| Registry Value Name | AllowProjectionToPC | +| ADMX File Name | WirelessDisplay.admx | + + + + + + + + + +## AllowProjectionToPCOverInfrastructure + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowProjectionToPCOverInfrastructure +``` + + + + +This policy setting allows you to turn off projection to a PC over infrastructure. If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. + + + + + - - -This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. | +| 1 (Default) | Your PC is discoverable and other devices can project to it over infrastructure. | + -- 0 - Don't allow -- 1 - Allow + + + + + + + +## AllowUserInputFromWirelessDisplayReceiver + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver +``` + + + + +Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Wireless display input disabled. | +| 1 (Default) | Wireless display input enabled. | + + + + + + + + + +## RequirePinForPairing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WirelessDisplay/RequirePinForPairing +``` + + + + +This policy setting allows you to require a pin for pairing. + +If you set this to 'Never', a pin isn't required for pairing. + +If you set this to 'First Time', the pairing ceremony for new devices will always require a PIN. + +If you set this to 'Always', all pairings will require PIN. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | PIN is not required. | +| 1 | Pairing ceremony for new devices will always require a PIN | +| 2 | All pairings will require PIN | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RequirePinForPairing | +| Friendly Name | Require pin for pairing | +| Location | Computer Configuration | +| Path | Windows Components > Connect | +| Registry Key Name | Software\Policies\Microsoft\Windows\Connect | +| Registry Value Name | RequirePinForPairing | +| ADMX File Name | WirelessDisplay.admx | + + + + + + + - - + + + -
+ + +## Related articles - -**WirelessDisplay/AllowMdnsDiscovery** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery. - - - -The following list shows the supported values: - -- 0 - Doesn't allow -- 1 - Allow - - - - -
- - -**WirelessDisplay/AllowMovementDetectionOnInfrastructure** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to disable the infrastructure movement detection feature. - -- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. - -- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. - -The default value is 1. - - - - -The following list shows the supported values: - -- 0 - Doesn't allow -- 1 (Default) - Allow - - - - -
- - -**WirelessDisplay/AllowProjectionFromPC** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy allows you to turn off projection from a PC. - - - -The following list shows the supported values: - -- 0 - your PC can't discover or project to other devices. -- 1 - your PC can discover and project to other devices - - - - -
- - -**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy allows you to turn off projection from a PC over infrastructure. - - - -The following list shows the supported values: - -- 0 - your PC can't discover or project to other infrastructure devices, although it's possible to discover and project over WiFi Direct. -- 1 - your PC can discover and project to other devices over infrastructure. - - - - -
- - -**WirelessDisplay/AllowProjectionToPC** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow or disallow turning off the projection to a PC. - -If you set it to 0 (zero), your PC isn't discoverable and you can't project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. - -Supported value type is integer. - - - -ADMX Info: -- GP Friendly name: *Don't allow this PC to be projected to* -- GP name: *AllowProjectionToPC* -- GP path: *Windows Components/Connect* -- GP ADMX file name: *WirelessDisplay.admx* - - - -The following list shows the supported values: - -- 0 - projection to PC isn't allowed. Always off and the user can't enable it. -- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - - -
- - -**WirelessDisplay/AllowProjectionToPCOverInfrastructure** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to turn off projection to a PC over infrastructure. - - - -The following list shows the supported values: - -- 0 - your PC isn't discoverable and other devices can't project to it over infrastructure, although it's possible to project to it over WiFi Direct. -- 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - - -
- - -**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. - - - -The following list shows the supported values: - -- 0 - Wireless display input disabled. -- 1 (default) - Wireless display input enabled. - - - - -
- - -**WirelessDisplay/RequirePinForPairing** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow or disallow requirement for a PIN for pairing. - -If you turn on this policy, the pairing ceremony for new devices will always require a PIN. If you turn off this policy or don't configure it, a PIN isn't required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. - -Supported value type is integer. - - - -ADMX Info: -- GP Friendly name: *Require pin for pairing* -- GP name: *RequirePinForPairing* -- GP path: *Windows Components/Connect* -- GP ADMX file name: *WirelessDisplay.admx* - - - -The following list shows the supported values: - -- 0 (default) - PIN isn't required. -- 1 - PIN is required. - - - -
- - - -CSP Article: - -## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index d1d4e1f569..658f2a7a2c 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -502,6 +502,8 @@ items: href: policy-csp-settings.md - name: SettingsSync href: policy-csp-settingssync.md + - name: SmartScreen + href: policy-csp-smartscreen.md - name: Speech href: policy-csp-speech.md - name: Start @@ -544,8 +546,6 @@ items: href: policy-csp-windowsconnectionmanager.md - name: WindowsDefenderSecurityCenter href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - name: WindowsInkWorkspace href: policy-csp-windowsinkworkspace.md - name: WindowsLogon From 32c502a3b5ccb4c8d7c602d4ad75b562b7139f66 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 7 Dec 2022 13:47:39 -0500 Subject: [PATCH 007/152] Add WindowsConnectionManager CSP --- .../policy-csp-windowsconnectionmanager.md | 150 +++++++++--------- 1 file changed, 79 insertions(+), 71 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 803dc874b5..93a5f796b3 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,98 +1,106 @@ --- -title: Policy CSP - WindowsConnectionManager -description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain-based network and a non-domain-based network simultaneously. +title: WindowsConnectionManager Policy CSP +description: Learn more about the WindowsConnectionManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WindowsConnectionManager -
+> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## WindowsConnectionManager policies + + + -
-
- WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork -
-
+ +## ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork +``` + - -**WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. + + +This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: -Automatic connection attempts: +Automatic connection attempts +- When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. +- When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked. -- When the computer is already connected to a domain-based network, all automatic connection attempts to non-domain networks are blocked. -- When the computer is already connected to a non-domain-based network, automatic connection attempts to domain-based networks are blocked. +Manual connection attempts +- When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. +- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. -Manual connection attempts: +If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. + -- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing network connection is disconnected and the manual connection is allowed. -- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing Ethernet connection is maintained and the manual connection attempt is blocked. + + + -If this policy setting isn't configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Prohibit connection to non-domain networks when connected to domain authenticated network* -- GP name: *WCM_BlockNonDomain* -- GP path: *Network/Windows Connection Manager* -- GP ADMX file name: *WCM.admx* +**ADMX mapping**: - - -
+| Name | Value | +|:--|:--| +| Name | WCM_BlockNonDomain | +| Friendly Name | Prohibit connection to non-domain networks when connected to domain authenticated network | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fBlockNonDomain | +| ADMX File Name | WCM.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From e6506ccd235a111bdcb1db51c668e59f1e60c86d Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 8 Dec 2022 12:24:59 -0500 Subject: [PATCH 008/152] Add more CSPs --- .../mdm/policies-in-policy-csp-admx-backed.md | 3010 +---------------- ...in-policy-csp-supported-by-group-policy.md | 920 +---- .../policy-configuration-service-provider.md | 3 +- .../mdm/policy-csp-textinput.md | 2517 +++++++------- .../mdm/policy-csp-timelanguagesettings.md | 422 ++- ...olicy-csp-virtualizationbasedtechnology.md | 221 +- .../mdm/policy-csp-webthreatdefense.md | 578 ++-- .../client-management/mdm/policy-csp-wifi.md | 669 ++-- .../mdm/policy-csp-windowsautopilot.md | 112 +- windows/client-management/mdm/toc.yml | 2 +- 10 files changed, 2485 insertions(+), 5969 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index e4f4d3a06c..a6b3e66295 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 12/08/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,3014 +17,6 @@ ms.topic: reference This article lists the ADMX-backed policies in Policy CSP. -## ActiveXControls - -- [ApprovedInstallationSites](policy-csp-activexcontrols.md) - -## ADMX_ActiveXInstallService - -- [AxISURLZonePolicies](policy-csp-admx-activexinstallservice.md) - -## ADMX_AddRemovePrograms - -- [NoServices](policy-csp-admx-addremoveprograms.md) -- [NoAddPage](policy-csp-admx-addremoveprograms.md) -- [NoWindowsSetupPage](policy-csp-admx-addremoveprograms.md) -- [NoRemovePage](policy-csp-admx-addremoveprograms.md) -- [NoAddFromCDorFloppy](policy-csp-admx-addremoveprograms.md) -- [NoAddFromInternet](policy-csp-admx-addremoveprograms.md) -- [NoAddFromNetwork](policy-csp-admx-addremoveprograms.md) -- [NoChooseProgramsPage](policy-csp-admx-addremoveprograms.md) -- [NoAddRemovePrograms](policy-csp-admx-addremoveprograms.md) -- [NoSupportInfo](policy-csp-admx-addremoveprograms.md) -- [DefaultCategory](policy-csp-admx-addremoveprograms.md) - -## ADMX_AdmPwd - -- [POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](policy-csp-admx-admpwd.md) -- [POL_AdmPwd_Enabled](policy-csp-admx-admpwd.md) -- [POL_AdmPwd_AdminName](policy-csp-admx-admpwd.md) -- [POL_AdmPwd](policy-csp-admx-admpwd.md) - -## ADMX_AppCompat - -- [AppCompatTurnOffProgramCompatibilityAssistant_1](policy-csp-admx-appcompat.md) -- [AppCompatPrevent16BitMach](policy-csp-admx-appcompat.md) -- [AppCompatRemoveProgramCompatPropPage](policy-csp-admx-appcompat.md) -- [AppCompatTurnOffEngine](policy-csp-admx-appcompat.md) -- [AppCompatTurnOffApplicationImpactTelemetry](policy-csp-admx-appcompat.md) -- [AppCompatTurnOffProgramInventory](policy-csp-admx-appcompat.md) -- [AppCompatTurnOffProgramCompatibilityAssistant_2](policy-csp-admx-appcompat.md) -- [AppCompatTurnOffUserActionRecord](policy-csp-admx-appcompat.md) -- [AppCompatTurnOffSwitchBack](policy-csp-admx-appcompat.md) - -## ADMX_AppxPackageManager - -- [AllowDeploymentInSpecialProfiles](policy-csp-admx-appxpackagemanager.md) - -## ADMX_AppXRuntime - -- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) -- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) -- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) -- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) -- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md) -- [AppxRuntimeApplicationContentUriRules](policy-csp-admx-appxruntime.md) - -## ADMX_AttachmentManager - -- [AM_SetFileRiskLevel](policy-csp-admx-attachmentmanager.md) -- [AM_SetHighRiskInclusion](policy-csp-admx-attachmentmanager.md) -- [AM_SetLowRiskInclusion](policy-csp-admx-attachmentmanager.md) -- [AM_SetModRiskInclusion](policy-csp-admx-attachmentmanager.md) -- [AM_EstimateFileHandlerRisk](policy-csp-admx-attachmentmanager.md) - -## ADMX_AuditSettings - -- [IncludeCmdLine](policy-csp-admx-auditsettings.md) - -## ADMX_Bits - -- [BITS_EnablePeercaching](policy-csp-admx-bits.md) -- [BITS_DisableBranchCache](policy-csp-admx-bits.md) -- [BITS_DisablePeercachingClient](policy-csp-admx-bits.md) -- [BITS_DisablePeercachingServer](policy-csp-admx-bits.md) -- [BITS_MaxContentAge](policy-csp-admx-bits.md) -- [BITS_MaxCacheSize](policy-csp-admx-bits.md) -- [BITS_MaxDownloadTime](policy-csp-admx-bits.md) -- [BITS_MaxBandwidthServedForPeers](policy-csp-admx-bits.md) -- [BITS_MaxJobsPerUser](policy-csp-admx-bits.md) -- [BITS_MaxJobsPerMachine](policy-csp-admx-bits.md) -- [BITS_MaxFilesPerJob](policy-csp-admx-bits.md) -- [BITS_MaxRangesPerFile](policy-csp-admx-bits.md) -- [BITS_MaxBandwidthV2_Maintenance](policy-csp-admx-bits.md) -- [BITS_MaxBandwidthV2_Work](policy-csp-admx-bits.md) - -## ADMX_CipherSuiteOrder - -- [SSLCurveOrder](policy-csp-admx-ciphersuiteorder.md) -- [SSLCipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) - -## ADMX_COM - -- [AppMgmt_COM_SearchForCLSID_1](policy-csp-admx-com.md) -- [AppMgmt_COM_SearchForCLSID_2](policy-csp-admx-com.md) - -## ADMX_ControlPanel - -- [ForceClassicControlPanel](policy-csp-admx-controlpanel.md) -- [DisallowCpls](policy-csp-admx-controlpanel.md) -- [NoControlPanel](policy-csp-admx-controlpanel.md) -- [RestrictCpls](policy-csp-admx-controlpanel.md) - -## ADMX_ControlPanelDisplay - -- [CPL_Display_Disable](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Display_HideSettings](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_EnableScreenSaver](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_SetVisualStyle](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_SetScreenSaver](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_ScreenSaverIsSecure](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoColorAppearanceUI](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_DisableColorSchemeChoice](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoDesktopBackgroundUI](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoDesktopIconsUI](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoMousePointersUI](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoScreenSaverUI](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoSoundSchemeUI](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_DisableThemeChange](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_DisableVisualStyle](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_LockFontSize](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_ScreenSaverTimeOut](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoLockScreen](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md) -- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md) - -## ADMX_Cpls - -- [UseDefaultTile](policy-csp-admx-cpls.md) - -## ADMX_CredentialProviders - -- [AllowDomainDelayLock](policy-csp-admx-credentialproviders.md) -- [DefaultCredentialProvider](policy-csp-admx-credentialproviders.md) -- [ExcludedCredentialProviders](policy-csp-admx-credentialproviders.md) - -## ADMX_CredSsp - -- [AllowDefaultCredentials](policy-csp-admx-credssp.md) -- [AllowDefCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) -- [AllowFreshCredentials](policy-csp-admx-credssp.md) -- [AllowFreshCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) -- [AllowSavedCredentials](policy-csp-admx-credssp.md) -- [AllowSavedCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) -- [DenyDefaultCredentials](policy-csp-admx-credssp.md) -- [DenyFreshCredentials](policy-csp-admx-credssp.md) -- [DenySavedCredentials](policy-csp-admx-credssp.md) -- [AllowEncryptionOracle](policy-csp-admx-credssp.md) -- [RestrictedRemoteAdministration](policy-csp-admx-credssp.md) - -## ADMX_CredUI - -- [NoLocalPasswordResetQuestions](policy-csp-admx-credui.md) -- [EnableSecureCredentialPrompting](policy-csp-admx-credui.md) - -## ADMX_CtrlAltDel - -- [DisableChangePassword](policy-csp-admx-ctrlaltdel.md) -- [DisableLockComputer](policy-csp-admx-ctrlaltdel.md) -- [NoLogoff](policy-csp-admx-ctrlaltdel.md) -- [DisableTaskMgr](policy-csp-admx-ctrlaltdel.md) - -## ADMX_DataCollection - -- [CommercialIdPolicy](policy-csp-admx-datacollection.md) - -## ADMX_DCOM - -- [DCOMActivationSecurityCheckAllowLocalList](policy-csp-admx-dcom.md) -- [DCOMActivationSecurityCheckExemptionList](policy-csp-admx-dcom.md) - -## ADMX_Desktop - -- [AD_EnableFilter](policy-csp-admx-desktop.md) -- [AD_HideDirectoryFolder](policy-csp-admx-desktop.md) -- [AD_QueryLimit](policy-csp-admx-desktop.md) -- [sz_AdminComponents_Title](policy-csp-admx-desktop.md) -- [sz_DWP_NoHTMLPaper](policy-csp-admx-desktop.md) -- [Wallpaper](policy-csp-admx-desktop.md) -- [NoActiveDesktop](policy-csp-admx-desktop.md) -- [sz_ATC_NoComponents](policy-csp-admx-desktop.md) -- [ForceActiveDesktopOn](policy-csp-admx-desktop.md) -- [sz_ATC_DisableAdd](policy-csp-admx-desktop.md) -- [NoActiveDesktopChanges](policy-csp-admx-desktop.md) -- [sz_ATC_DisableClose](policy-csp-admx-desktop.md) -- [sz_ATC_DisableDel](policy-csp-admx-desktop.md) -- [sz_ATC_DisableEdit](policy-csp-admx-desktop.md) -- [NoRecentDocsNetHood](policy-csp-admx-desktop.md) -- [NoSaveSettings](policy-csp-admx-desktop.md) -- [NoDesktop](policy-csp-admx-desktop.md) -- [NoInternetIcon](policy-csp-admx-desktop.md) -- [NoNetHood](policy-csp-admx-desktop.md) -- [sz_DB_DragDropClose](policy-csp-admx-desktop.md) -- [sz_DB_Moving](policy-csp-admx-desktop.md) -- [NoMyComputerIcon](policy-csp-admx-desktop.md) -- [NoMyDocumentsIcon](policy-csp-admx-desktop.md) -- [NoPropertiesMyComputer](policy-csp-admx-desktop.md) -- [NoPropertiesMyDocuments](policy-csp-admx-desktop.md) -- [NoRecycleBinProperties](policy-csp-admx-desktop.md) -- [NoRecycleBinIcon](policy-csp-admx-desktop.md) -- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md) -- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md) -- [NoDesktop](policy-csp-admx-desktop.md) - -## ADMX_DeviceCompat - -- [DeviceFlags](policy-csp-admx-devicecompat.md) -- [DriverShims](policy-csp-admx-devicecompat.md) - -## ADMX_DeviceGuard - -- [ConfigCIPolicy](policy-csp-admx-deviceguard.md) - -## ADMX_DeviceInstallation - -- [DeviceInstall_InstallTimeout](policy-csp-admx-deviceinstallation.md) -- [DeviceInstall_AllowAdminInstall](policy-csp-admx-deviceinstallation.md) -- [DeviceInstall_DeniedPolicy_SimpleText](policy-csp-admx-deviceinstallation.md) -- [DeviceInstall_DeniedPolicy_DetailText](policy-csp-admx-deviceinstallation.md) -- [DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md) -- [DeviceInstall_Policy_RebootTime](policy-csp-admx-deviceinstallation.md) -- [DeviceInstall_SystemRestore](policy-csp-admx-deviceinstallation.md) -- [DriverInstall_Classes_AllowUser](policy-csp-admx-deviceinstallation.md) - -## ADMX_DeviceSetup - -- [DriverSearchPlaces_SearchOrderConfiguration](policy-csp-admx-devicesetup.md) -- [DeviceInstall_BalloonTips](policy-csp-admx-devicesetup.md) - -## ADMX_DFS - -- [DFSDiscoverDC](policy-csp-admx-dfs.md) - -## ADMX_DigitalLocker - -- [Digitalx_DiableApplication_TitleText_1](policy-csp-admx-digitallocker.md) -- [Digitalx_DiableApplication_TitleText_2](policy-csp-admx-digitallocker.md) - -## ADMX_DiskDiagnostic - -- [DfdAlertPolicy](policy-csp-admx-diskdiagnostic.md) -- [WdiScenarioExecutionPolicy](policy-csp-admx-diskdiagnostic.md) - -## ADMX_DiskNVCache - -- [BootResumePolicy](policy-csp-admx-disknvcache.md) -- [CachePowerModePolicy](policy-csp-admx-disknvcache.md) -- [FeatureOffPolicy](policy-csp-admx-disknvcache.md) -- [SolidStatePolicy](policy-csp-admx-disknvcache.md) - -## ADMX_DiskQuota - -- [DQ_RemovableMedia](policy-csp-admx-diskquota.md) -- [DQ_Enable](policy-csp-admx-diskquota.md) -- [DQ_Enforce](policy-csp-admx-diskquota.md) -- [DQ_LogEventOverLimit](policy-csp-admx-diskquota.md) -- [DQ_LogEventOverThreshold](policy-csp-admx-diskquota.md) -- [DQ_Limit](policy-csp-admx-diskquota.md) - -## ADMX_DistributedLinkTracking - -- [DLT_AllowDomainMode](policy-csp-admx-distributedlinktracking.md) - -## ADMX_DnsClient - -- [DNS_AppendToMultiLabelName](policy-csp-admx-dnsclient.md) -- [DNS_AllowFQDNNetBiosQueries](policy-csp-admx-dnsclient.md) -- [DNS_Domain](policy-csp-admx-dnsclient.md) -- [DNS_NameServer](policy-csp-admx-dnsclient.md) -- [DNS_SearchList](policy-csp-admx-dnsclient.md) -- [DNS_RegistrationEnabled](policy-csp-admx-dnsclient.md) -- [DNS_IdnMapping](policy-csp-admx-dnsclient.md) -- [DNS_PreferLocalResponsesOverLowerOrderDns](policy-csp-admx-dnsclient.md) -- [DNS_PrimaryDnsSuffix](policy-csp-admx-dnsclient.md) -- [DNS_UseDomainNameDevolution](policy-csp-admx-dnsclient.md) -- [DNS_DomainNameDevolutionLevel](policy-csp-admx-dnsclient.md) -- [DNS_RegisterAdapterName](policy-csp-admx-dnsclient.md) -- [DNS_RegisterReverseLookup](policy-csp-admx-dnsclient.md) -- [DNS_RegistrationRefreshInterval](policy-csp-admx-dnsclient.md) -- [DNS_RegistrationOverwritesInConflict](policy-csp-admx-dnsclient.md) -- [DNS_RegistrationTtl](policy-csp-admx-dnsclient.md) -- [DNS_IdnEncoding](policy-csp-admx-dnsclient.md) -- [Turn_Off_Multicast](policy-csp-admx-dnsclient.md) -- [DNS_SmartMultiHomedNameResolution](policy-csp-admx-dnsclient.md) -- [DNS_SmartProtocolReorder](policy-csp-admx-dnsclient.md) -- [DNS_UpdateSecurityLevel](policy-csp-admx-dnsclient.md) -- [DNS_UpdateTopLevelDomainZones](policy-csp-admx-dnsclient.md) - -## ADMX_DWM - -- [DwmDisallowAnimations_1](policy-csp-admx-dwm.md) -- [DwmDisallowColorizationColorChanges_1](policy-csp-admx-dwm.md) -- [DwmDefaultColorizationColor_1](policy-csp-admx-dwm.md) -- [DwmDisallowAnimations_2](policy-csp-admx-dwm.md) -- [DwmDisallowColorizationColorChanges_2](policy-csp-admx-dwm.md) -- [DwmDefaultColorizationColor_2](policy-csp-admx-dwm.md) - -## ADMX_EAIME - -- [L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](policy-csp-admx-eaime.md) -- [L_RestrictCharacterCodeRangeOfConversion](policy-csp-admx-eaime.md) -- [L_TurnOffCustomDictionary](policy-csp-admx-eaime.md) -- [L_TurnOffHistorybasedPredictiveInput](policy-csp-admx-eaime.md) -- [L_TurnOffInternetSearchIntegration](policy-csp-admx-eaime.md) -- [L_TurnOffOpenExtendedDictionary](policy-csp-admx-eaime.md) -- [L_TurnOffSavingAutoTuningDataToFile](policy-csp-admx-eaime.md) -- [L_TurnOnCloudCandidate](policy-csp-admx-eaime.md) -- [L_TurnOnCloudCandidateCHS](policy-csp-admx-eaime.md) -- [L_TurnOnLexiconUpdate](policy-csp-admx-eaime.md) -- [L_TurnOnLiveStickers](policy-csp-admx-eaime.md) -- [L_TurnOnMisconversionLoggingForMisconversionReport](policy-csp-admx-eaime.md) - -## ADMX_EncryptFilesonMove - -- [NoEncryptOnMove](policy-csp-admx-encryptfilesonmove.md) - -## ADMX_EnhancedStorage - -- [RootHubConnectedEnStorDevices](policy-csp-admx-enhancedstorage.md) -- [ApprovedEnStorDevices](policy-csp-admx-enhancedstorage.md) -- [ApprovedSilos](policy-csp-admx-enhancedstorage.md) -- [DisallowLegacyDiskDevices](policy-csp-admx-enhancedstorage.md) -- [DisablePasswordAuthentication](policy-csp-admx-enhancedstorage.md) -- [LockDeviceOnMachineLock](policy-csp-admx-enhancedstorage.md) - -## ADMX_ErrorReporting - -- [WerArchive_1](policy-csp-admx-errorreporting.md) -- [WerQueue_1](policy-csp-admx-errorreporting.md) -- [WerExlusion_1](policy-csp-admx-errorreporting.md) -- [WerAutoApproveOSDumps_1](policy-csp-admx-errorreporting.md) -- [WerDefaultConsent_1](policy-csp-admx-errorreporting.md) -- [WerConsentCustomize_1](policy-csp-admx-errorreporting.md) -- [WerConsentOverride_1](policy-csp-admx-errorreporting.md) -- [WerNoLogging_1](policy-csp-admx-errorreporting.md) -- [WerDisable_1](policy-csp-admx-errorreporting.md) -- [WerNoSecondLevelData_1](policy-csp-admx-errorreporting.md) -- [WerBypassDataThrottling_1](policy-csp-admx-errorreporting.md) -- [WerBypassPowerThrottling_1](policy-csp-admx-errorreporting.md) -- [WerBypassNetworkCostThrottling_1](policy-csp-admx-errorreporting.md) -- [WerCER](policy-csp-admx-errorreporting.md) -- [WerArchive_2](policy-csp-admx-errorreporting.md) -- [WerQueue_2](policy-csp-admx-errorreporting.md) -- [PCH_AllOrNoneDef](policy-csp-admx-errorreporting.md) -- [PCH_AllOrNoneInc](policy-csp-admx-errorreporting.md) -- [WerExlusion_2](policy-csp-admx-errorreporting.md) -- [PCH_AllOrNoneEx](policy-csp-admx-errorreporting.md) -- [PCH_ReportOperatingSystemFaults](policy-csp-admx-errorreporting.md) -- [WerAutoApproveOSDumps_2](policy-csp-admx-errorreporting.md) -- [PCH_ConfigureReport](policy-csp-admx-errorreporting.md) -- [WerDefaultConsent_2](policy-csp-admx-errorreporting.md) -- [WerConsentOverride_2](policy-csp-admx-errorreporting.md) -- [WerNoLogging_2](policy-csp-admx-errorreporting.md) -- [WerBypassDataThrottling_2](policy-csp-admx-errorreporting.md) -- [WerBypassPowerThrottling_2](policy-csp-admx-errorreporting.md) -- [WerBypassNetworkCostThrottling_2](policy-csp-admx-errorreporting.md) - -## ADMX_EventForwarding - -- [ForwarderResourceUsage](policy-csp-admx-eventforwarding.md) -- [SubscriptionManager](policy-csp-admx-eventforwarding.md) - -## ADMX_EventLog - -- [Channel_Log_AutoBackup_1](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_1](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_5](policy-csp-admx-eventlog.md) -- [Channel_LogFilePath_1](policy-csp-admx-eventlog.md) -- [Channel_Log_AutoBackup_2](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_2](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_6](policy-csp-admx-eventlog.md) -- [Channel_Log_Retention_2](policy-csp-admx-eventlog.md) -- [Channel_LogFilePath_2](policy-csp-admx-eventlog.md) -- [Channel_Log_AutoBackup_3](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_3](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_7](policy-csp-admx-eventlog.md) -- [Channel_Log_Retention_3](policy-csp-admx-eventlog.md) -- [Channel_LogFilePath_3](policy-csp-admx-eventlog.md) -- [Channel_LogMaxSize_3](policy-csp-admx-eventlog.md) -- [Channel_LogEnabled](policy-csp-admx-eventlog.md) -- [Channel_Log_AutoBackup_4](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_4](policy-csp-admx-eventlog.md) -- [Channel_Log_FileLogAccess_8](policy-csp-admx-eventlog.md) -- [Channel_Log_Retention_4](policy-csp-admx-eventlog.md) -- [Channel_LogFilePath_4](policy-csp-admx-eventlog.md) - -## ADMX_EventLogging - -- [EnableProtectedEventLogging](policy-csp-admx-eventlogging.md) - -## ADMX_EventViewer - -- [EventViewer_RedirectionProgram](policy-csp-admx-eventviewer.md) -- [EventViewer_RedirectionProgramCommandLineParameters](policy-csp-admx-eventviewer.md) -- [EventViewer_RedirectionURL](policy-csp-admx-eventviewer.md) - -## ADMX_Explorer - -- [AlwaysShowClassicMenu](policy-csp-admx-explorer.md) -- [PreventItemCreationInUsersFilesFolder](policy-csp-admx-explorer.md) -- [TurnOffSPIAnimations](policy-csp-admx-explorer.md) -- [DisableRoamedProfileInit](policy-csp-admx-explorer.md) -- [AdminInfoUrl](policy-csp-admx-explorer.md) - -## ADMX_ExternalBoot - -- [PortableOperatingSystem_Hibernate](policy-csp-admx-externalboot.md) -- [PortableOperatingSystem_Sleep](policy-csp-admx-externalboot.md) -- [PortableOperatingSystem_Launcher](policy-csp-admx-externalboot.md) - -## ADMX_FileRecovery - -- [WdiScenarioExecutionPolicy](policy-csp-admx-filerecovery.md) - -## ADMX_FileRevocation - -- [DelegatedPackageFamilyNames](policy-csp-admx-filerevocation.md) - -## ADMX_FileServerVSSProvider - -- [Pol_EncryptProtocol](policy-csp-admx-fileservervssprovider.md) - -## ADMX_FileSys - -- [DisableDeleteNotification](policy-csp-admx-filesys.md) -- [LongPathsEnabled](policy-csp-admx-filesys.md) -- [DisableCompression](policy-csp-admx-filesys.md) -- [DisableEncryption](policy-csp-admx-filesys.md) -- [TxfDeprecatedFunctionality](policy-csp-admx-filesys.md) -- [EnablePagefileEncryption](policy-csp-admx-filesys.md) -- [ShortNameCreationSettings](policy-csp-admx-filesys.md) -- [SymlinkEvaluation](policy-csp-admx-filesys.md) - -## ADMX_FolderRedirection - -- [DisableFRAdminPin](policy-csp-admx-folderredirection.md) -- [DisableFRAdminPinByFolder](policy-csp-admx-folderredirection.md) -- [FolderRedirectionEnableCacheRename](policy-csp-admx-folderredirection.md) -- [PrimaryComputer_FR_1](policy-csp-admx-folderredirection.md) -- [LocalizeXPRelativePaths_1](policy-csp-admx-folderredirection.md) -- [PrimaryComputer_FR_2](policy-csp-admx-folderredirection.md) -- [LocalizeXPRelativePaths_2](policy-csp-admx-folderredirection.md) - -## ADMX_FramePanes - -- [NoReadingPane](policy-csp-admx-framepanes.md) -- [NoPreviewPane](policy-csp-admx-framepanes.md) - -## ADMX_fthsvc - -- [WdiScenarioExecutionPolicy](policy-csp-admx-fthsvc.md) - -## ADMX_Globalization - -- [ImplicitDataCollectionOff_1](policy-csp-admx-globalization.md) -- [HideAdminOptions](policy-csp-admx-globalization.md) -- [HideCurrentLocation](policy-csp-admx-globalization.md) -- [HideLanguageSelection](policy-csp-admx-globalization.md) -- [HideLocaleSelectAndCustomize](policy-csp-admx-globalization.md) -- [RestrictUILangSelect](policy-csp-admx-globalization.md) -- [LockUserUILanguage](policy-csp-admx-globalization.md) -- [TurnOffAutocorrectMisspelledWords](policy-csp-admx-globalization.md) -- [TurnOffHighlightMisspelledWords](policy-csp-admx-globalization.md) -- [TurnOffInsertSpace](policy-csp-admx-globalization.md) -- [TurnOffOfferTextPredictions](policy-csp-admx-globalization.md) -- [Y2K](policy-csp-admx-globalization.md) -- [PreventGeoIdChange_1](policy-csp-admx-globalization.md) -- [CustomLocalesNoSelect_1](policy-csp-admx-globalization.md) -- [PreventUserOverrides_1](policy-csp-admx-globalization.md) -- [LocaleUserRestrict_1](policy-csp-admx-globalization.md) -- [ImplicitDataCollectionOff_2](policy-csp-admx-globalization.md) -- [LockMachineUILanguage](policy-csp-admx-globalization.md) -- [PreventGeoIdChange_2](policy-csp-admx-globalization.md) -- [BlockUserInputMethodsForSignIn](policy-csp-admx-globalization.md) -- [CustomLocalesNoSelect_2](policy-csp-admx-globalization.md) -- [PreventUserOverrides_2](policy-csp-admx-globalization.md) -- [LocaleSystemRestrict](policy-csp-admx-globalization.md) -- [LocaleUserRestrict_2](policy-csp-admx-globalization.md) - -## ADMX_GroupPolicy - -- [GPDCOptions](policy-csp-admx-grouppolicy.md) -- [GPTransferRate_1](policy-csp-admx-grouppolicy.md) -- [NewGPOLinksDisabled](policy-csp-admx-grouppolicy.md) -- [DenyRsopToInteractiveUser_1](policy-csp-admx-grouppolicy.md) -- [EnforcePoliciesOnly](policy-csp-admx-grouppolicy.md) -- [NewGPODisplayName](policy-csp-admx-grouppolicy.md) -- [GroupPolicyRefreshRateUser](policy-csp-admx-grouppolicy.md) -- [DisableAutoADMUpdate](policy-csp-admx-grouppolicy.md) -- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) -- [AllowX-ForestPolicy-and-RUP](policy-csp-admx-grouppolicy.md) -- [OnlyUseLocalAdminFiles](policy-csp-admx-grouppolicy.md) -- [SlowlinkDefaultToAsync](policy-csp-admx-grouppolicy.md) -- [SlowLinkDefaultForDirectAccess](policy-csp-admx-grouppolicy.md) -- [CSE_DiskQuota](policy-csp-admx-grouppolicy.md) -- [CSE_EFSRecovery](policy-csp-admx-grouppolicy.md) -- [CSE_FolderRedirection](policy-csp-admx-grouppolicy.md) -- [EnableLogonOptimization](policy-csp-admx-grouppolicy.md) -- [GPTransferRate_2](policy-csp-admx-grouppolicy.md) -- [CSE_IEM](policy-csp-admx-grouppolicy.md) -- [CSE_IPSecurity](policy-csp-admx-grouppolicy.md) -- [LogonScriptDelay](policy-csp-admx-grouppolicy.md) -- [CSE_Registry](policy-csp-admx-grouppolicy.md) -- [CSE_Scripts](policy-csp-admx-grouppolicy.md) -- [CSE_Security](policy-csp-admx-grouppolicy.md) -- [CSE_AppMgmt](policy-csp-admx-grouppolicy.md) -- [UserPolicyMode](policy-csp-admx-grouppolicy.md) -- [CSE_Wired](policy-csp-admx-grouppolicy.md) -- [CSE_Wireless](policy-csp-admx-grouppolicy.md) -- [EnableCDP](policy-csp-admx-grouppolicy.md) -- [DenyRsopToInteractiveUser_2](policy-csp-admx-grouppolicy.md) -- [ResetDfsClientInfoDuringRefreshPolicy](policy-csp-admx-grouppolicy.md) -- [EnableLogonOptimizationOnServerSKU](policy-csp-admx-grouppolicy.md) -- [EnableMMX](policy-csp-admx-grouppolicy.md) -- [DisableUsersFromMachGP](policy-csp-admx-grouppolicy.md) -- [GroupPolicyRefreshRate](policy-csp-admx-grouppolicy.md) -- [GroupPolicyRefreshRateDC](policy-csp-admx-grouppolicy.md) -- [SyncWaitTime](policy-csp-admx-grouppolicy.md) -- [CorpConnSyncWaitTime](policy-csp-admx-grouppolicy.md) -- [DisableBackgroundPolicy](policy-csp-admx-grouppolicy.md) -- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md) -- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md) -- [RSoPLogging](policy-csp-admx-grouppolicy.md) -- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) -- [FontMitigation](policy-csp-admx-grouppolicy.md) - -## ADMX_Help - -- [RestrictRunFromHelp](policy-csp-admx-help.md) -- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) -- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) -- [DisableHHDEP](policy-csp-admx-help.md) - -## ADMX_HelpAndSupport - -- [HPImplicitFeedback](policy-csp-admx-helpandsupport.md) -- [HPExplicitFeedback](policy-csp-admx-helpandsupport.md) -- [HPOnlineAssistance](policy-csp-admx-helpandsupport.md) -- [ActiveHelp](policy-csp-admx-helpandsupport.md) - -## ADMX_hotspotauth - -- [HotspotAuth_Enable](policy-csp-admx-hotspotauth.md) - -## ADMX_ICM - -- [ShellNoUseStoreOpenWith_1](policy-csp-admx-icm.md) -- [DisableWebPnPDownload_1](policy-csp-admx-icm.md) -- [ShellPreventWPWDownload_1](policy-csp-admx-icm.md) -- [ShellNoUseInternetOpenWith_1](policy-csp-admx-icm.md) -- [DisableHTTPPrinting_1](policy-csp-admx-icm.md) -- [ShellRemoveOrderPrints_1](policy-csp-admx-icm.md) -- [ShellRemovePublishToWeb_1](policy-csp-admx-icm.md) -- [WinMSG_NoInstrumentation_1](policy-csp-admx-icm.md) -- [InternetManagement_RestrictCommunication_1](policy-csp-admx-icm.md) -- [RemoveWindowsUpdate_ICM](policy-csp-admx-icm.md) -- [ShellNoUseStoreOpenWith_2](policy-csp-admx-icm.md) -- [CertMgr_DisableAutoRootUpdates](policy-csp-admx-icm.md) -- [EventViewer_DisableLinks](policy-csp-admx-icm.md) -- [HSS_HeadlinesPolicy](policy-csp-admx-icm.md) -- [HSS_KBSearchPolicy](policy-csp-admx-icm.md) -- [NC_ExitOnISP](policy-csp-admx-icm.md) -- [ShellNoUseInternetOpenWith_2](policy-csp-admx-icm.md) -- [NC_NoRegistration](policy-csp-admx-icm.md) -- [SearchCompanion_DisableFileUpdates](policy-csp-admx-icm.md) -- [ShellRemoveOrderPrints_2](policy-csp-admx-icm.md) -- [ShellRemovePublishToWeb_2](policy-csp-admx-icm.md) -- [WinMSG_NoInstrumentation_2](policy-csp-admx-icm.md) -- [CEIPEnable](policy-csp-admx-icm.md) -- [PCH_DoNotReport](policy-csp-admx-icm.md) -- [DriverSearchPlaces_DontSearchWindowsUpdate](policy-csp-admx-icm.md) -- [InternetManagement_RestrictCommunication_2](policy-csp-admx-icm.md) - -## ADMX_IIS - -- [PreventIISInstall](policy-csp-admx-iis.md) - -## ADMX_iSCSI - -- [iSCSIGeneral_RestrictAdditionalLogins](policy-csp-admx-iscsi.md) -- [iSCSIGeneral_ChangeIQNName](policy-csp-admx-iscsi.md) -- [iSCSISecurity_ChangeCHAPSecret](policy-csp-admx-iscsi.md) -- [iSCSISecurity_RequireIPSec](policy-csp-admx-iscsi.md) -- [iSCSISecurity_RequireMutualCHAP](policy-csp-admx-iscsi.md) -- [iSCSISecurity_RequireOneWayCHAP](policy-csp-admx-iscsi.md) -- [iSCSIDiscovery_NewStaticTargets](policy-csp-admx-iscsi.md) -- [iSCSIDiscovery_ConfigureTargets](policy-csp-admx-iscsi.md) -- [iSCSIDiscovery_ConfigureiSNSServers](policy-csp-admx-iscsi.md) -- [iSCSIDiscovery_ConfigureTargetPortals](policy-csp-admx-iscsi.md) - -## ADMX_kdc - -- [CbacAndArmor](policy-csp-admx-kdc.md) -- [PKINITFreshness](policy-csp-admx-kdc.md) -- [emitlili](policy-csp-admx-kdc.md) -- [RequestCompoundId](policy-csp-admx-kdc.md) -- [ForestSearch](policy-csp-admx-kdc.md) -- [TicketSizeThreshold](policy-csp-admx-kdc.md) - -## ADMX_Kerberos - -- [AlwaysSendCompoundId](policy-csp-admx-kerberos.md) -- [HostToRealm](policy-csp-admx-kerberos.md) -- [MitRealms](policy-csp-admx-kerberos.md) -- [KdcProxyDisableServerRevocationCheck](policy-csp-admx-kerberos.md) -- [StrictTarget](policy-csp-admx-kerberos.md) -- [KdcProxyServer](policy-csp-admx-kerberos.md) -- [ServerAcceptsCompound](policy-csp-admx-kerberos.md) -- [DevicePKInitEnabled](policy-csp-admx-kerberos.md) - -## ADMX_LanmanServer - -- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanserver.md) -- [Pol_HashPublication](policy-csp-admx-lanmanserver.md) -- [Pol_HashSupportVersion](policy-csp-admx-lanmanserver.md) -- [Pol_HonorCipherSuiteOrder](policy-csp-admx-lanmanserver.md) - -## ADMX_LanmanWorkstation - -- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanworkstation.md) -- [Pol_EnableHandleCachingForCAFiles](policy-csp-admx-lanmanworkstation.md) -- [Pol_EnableOfflineFilesforCAShares](policy-csp-admx-lanmanworkstation.md) - -## ADMX_LeakDiagnostic - -- [WdiScenarioExecutionPolicy](policy-csp-admx-leakdiagnostic.md) - -## ADMX_LinkLayerTopologyDiscovery - -- [LLTD_EnableLLTDIO](policy-csp-admx-linklayertopologydiscovery.md) -- [LLTD_EnableRspndr](policy-csp-admx-linklayertopologydiscovery.md) - -## ADMX_LocationProviderAdm - -- [DisableWindowsLocationProvider_1](policy-csp-admx-locationprovideradm.md) - -## ADMX_Logon - -- [NoWelcomeTips_1](policy-csp-admx-logon.md) -- [DisableExplorerRunLegacy_1](policy-csp-admx-logon.md) -- [DisableExplorerRunOnceLegacy_1](policy-csp-admx-logon.md) -- [Run_1](policy-csp-admx-logon.md) -- [VerboseStatus](policy-csp-admx-logon.md) -- [UseOEMBackground](policy-csp-admx-logon.md) -- [SyncForegroundPolicy](policy-csp-admx-logon.md) -- [BlockUserFromShowingAccountDetailsOnSignin](policy-csp-admx-logon.md) -- [NoWelcomeTips_2](policy-csp-admx-logon.md) -- [DontEnumerateConnectedUsers](policy-csp-admx-logon.md) -- [DisableExplorerRunLegacy_2](policy-csp-admx-logon.md) -- [DisableExplorerRunOnceLegacy_2](policy-csp-admx-logon.md) -- [Run_2](policy-csp-admx-logon.md) -- [DisableAcrylicBackgroundOnLogon](policy-csp-admx-logon.md) -- [DisableStatusMessages](policy-csp-admx-logon.md) - -## ADMX_MicrosoftDefenderAntivirus - -- [ServiceKeepAlive](policy-csp-admx-microsoftdefenderantivirus.md) -- [AllowFastServiceStartup](policy-csp-admx-microsoftdefenderantivirus.md) -- [UX_Configuration_CustomDefaultActionToastString](policy-csp-admx-microsoftdefenderantivirus.md) -- [UX_Configuration_UILockdown](policy-csp-admx-microsoftdefenderantivirus.md) -- [UX_Configuration_Notification_Suppress](policy-csp-admx-microsoftdefenderantivirus.md) -- [UX_Configuration_SuppressRebootNotification](policy-csp-admx-microsoftdefenderantivirus.md) -- [DisableLocalAdminMerge](policy-csp-admx-microsoftdefenderantivirus.md) -- [ProxyBypass](policy-csp-admx-microsoftdefenderantivirus.md) -- [ProxyPacUrl](policy-csp-admx-microsoftdefenderantivirus.md) -- [ProxyServer](policy-csp-admx-microsoftdefenderantivirus.md) -- [Exclusions_Extensions](policy-csp-admx-microsoftdefenderantivirus.md) -- [Exclusions_Paths](policy-csp-admx-microsoftdefenderantivirus.md) -- [Exclusions_Processes](policy-csp-admx-microsoftdefenderantivirus.md) -- [DisableAutoExclusions](policy-csp-admx-microsoftdefenderantivirus.md) -- [Spynet_LocalSettingOverrideSpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) -- [DisableBlockAtFirstSeen](policy-csp-admx-microsoftdefenderantivirus.md) -- [SpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) -- [ExploitGuard_ASR_Rules](policy-csp-admx-microsoftdefenderantivirus.md) -- [ExploitGuard_ASR_ASROnlyExclusions](policy-csp-admx-microsoftdefenderantivirus.md) -- [ExploitGuard_ControlledFolderAccess_AllowedApplications](policy-csp-admx-microsoftdefenderantivirus.md) -- [ExploitGuard_ControlledFolderAccess_ProtectedFolders](policy-csp-admx-microsoftdefenderantivirus.md) -- [MpEngine_EnableFileHashComputation](policy-csp-admx-microsoftdefenderantivirus.md) -- [Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](policy-csp-admx-microsoftdefenderantivirus.md) -- [Nis_Consumers_IPS_DisableSignatureRetirement](policy-csp-admx-microsoftdefenderantivirus.md) -- [Nis_DisableProtocolRecognition](policy-csp-admx-microsoftdefenderantivirus.md) -- [Quarantine_LocalSettingOverridePurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) -- [Quarantine_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) -- [RandomizeScheduleTaskTimes](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_IOAVMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_DisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_DisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) -- [DisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_DisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_DisableScanOnRealtimeEnable](policy-csp-admx-microsoftdefenderantivirus.md) -- [RealtimeProtection_DisableRawWriteNotification](policy-csp-admx-microsoftdefenderantivirus.md) -- [Remediation_LocalSettingOverrideScan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) -- [Remediation_Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) -- [Remediation_Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_CriticalFailureTimeout](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_NonCriticalTimeout](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_RecentlyCleanedTimeout](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_AdditionalActionTimeout](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_DisablegenericrePorts](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_WppTracingComponents](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_WppTracingLevel](policy-csp-admx-microsoftdefenderantivirus.md) -- [Reporting_DisableEnhancedNotifications](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_AllowPause](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_LocalSettingOverrideAvgCPULoadFactor](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_LocalSettingOverrideScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_LocalSettingOverrideScheduleQuickScantime](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_LocalSettingOverrideScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_LocalSettingOverrideScanParameters](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_LowCpuPriority](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableRestorePoint](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_MissedScheduledScanCountBeforeCatchup](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableScanningMappedNetworkDrivesForFullScan](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableArchiveScanning](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableScanningNetworkFiles](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisablePackedExeScanning](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableRemovableDriveScanning](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_QuickScanInterval](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_ArchiveMaxDepth](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_ArchiveMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_ScanOnlyIfIdle](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableEmailScanning](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableHeuristics](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) -- [Scan_DisableReparsePointScanning](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_SignatureDisableNotification](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_RealtimeSignatureDelivery](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_ForceUpdateFromMU](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_DisableScheduledSignatureUpdateonBattery](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_UpdateOnStartup](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_DefinitionUpdateFileSharesSources](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_SharedSignaturesLocation](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_SignatureUpdateCatchupInterval](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_ASSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_AVSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_FallbackOrder](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_DisableUpdateOnStartupWithoutEngine](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) -- [SignatureUpdate_DisableScanOnUpdate](policy-csp-admx-microsoftdefenderantivirus.md) -- [Threats_ThreatIdDefaultAction](policy-csp-admx-microsoftdefenderantivirus.md) -- [DisableAntiSpywareDefender](policy-csp-admx-microsoftdefenderantivirus.md) -- [DisableRoutinelyTakingAction](policy-csp-admx-microsoftdefenderantivirus.md) - -## ADMX_MMC - -- [MMC_Restrict_Author](policy-csp-admx-mmc.md) -- [MMC_Restrict_To_Permitted_Snapins](policy-csp-admx-mmc.md) -- [MMC_ActiveXControl](policy-csp-admx-mmc.md) -- [MMC_ExtendView](policy-csp-admx-mmc.md) -- [MMC_LinkToWeb](policy-csp-admx-mmc.md) - -## ADMX_MMCSnapins - -- [MMC_Net_Framework](policy-csp-admx-mmcsnapins.md) -- [MMC_ActiveDirDomTrusts](policy-csp-admx-mmcsnapins.md) -- [MMC_ActiveDirSitesServices](policy-csp-admx-mmcsnapins.md) -- [MMC_ActiveDirUsersComp](policy-csp-admx-mmcsnapins.md) -- [MMC_ADSI](policy-csp-admx-mmcsnapins.md) -- [MMC_CertsTemplate](policy-csp-admx-mmcsnapins.md) -- [MMC_Certs](policy-csp-admx-mmcsnapins.md) -- [MMC_CertAuth](policy-csp-admx-mmcsnapins.md) -- [MMC_ComponentServices](policy-csp-admx-mmcsnapins.md) -- [MMC_ComputerManagement](policy-csp-admx-mmcsnapins.md) -- [MMC_DeviceManager_2](policy-csp-admx-mmcsnapins.md) -- [MMC_DiskDefrag](policy-csp-admx-mmcsnapins.md) -- [MMC_DiskMgmt](policy-csp-admx-mmcsnapins.md) -- [MMC_DFS](policy-csp-admx-mmcsnapins.md) -- [MMC_EnterprisePKI](policy-csp-admx-mmcsnapins.md) -- [MMC_EventViewer_3](policy-csp-admx-mmcsnapins.md) -- [MMC_EventViewer_4](policy-csp-admx-mmcsnapins.md) -- [MMC_AppleTalkRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_AuthMan](policy-csp-admx-mmcsnapins.md) -- [MMC_CertAuthPolSet](policy-csp-admx-mmcsnapins.md) -- [MMC_ConnectionSharingNAT](policy-csp-admx-mmcsnapins.md) -- [MMC_DCOMCFG](policy-csp-admx-mmcsnapins.md) -- [MMC_DeviceManager_1](policy-csp-admx-mmcsnapins.md) -- [MMC_DHCPRelayMgmt](policy-csp-admx-mmcsnapins.md) -- [MMC_EventViewer_1](policy-csp-admx-mmcsnapins.md) -- [MMC_EventViewer_2](policy-csp-admx-mmcsnapins.md) -- [MMC_IASLogging](policy-csp-admx-mmcsnapins.md) -- [MMC_IGMPRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_IPRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_IPXRIPRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_IPXRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_IPXSAPRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_LogicalMappedDrives](policy-csp-admx-mmcsnapins.md) -- [MMC_OSPFRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_PublicKey](policy-csp-admx-mmcsnapins.md) -- [MMC_RAS_DialinUser](policy-csp-admx-mmcsnapins.md) -- [MMC_RemoteAccess](policy-csp-admx-mmcsnapins.md) -- [MMC_RemStore](policy-csp-admx-mmcsnapins.md) -- [MMC_RIPRouting](policy-csp-admx-mmcsnapins.md) -- [MMC_Routing](policy-csp-admx-mmcsnapins.md) -- [MMC_SendConsoleMessage](policy-csp-admx-mmcsnapins.md) -- [MMC_ServiceDependencies](policy-csp-admx-mmcsnapins.md) -- [MMC_SharedFolders_Ext](policy-csp-admx-mmcsnapins.md) -- [MMC_SMTPProtocol](policy-csp-admx-mmcsnapins.md) -- [MMC_SNMP](policy-csp-admx-mmcsnapins.md) -- [MMC_SysProp](policy-csp-admx-mmcsnapins.md) -- [MMC_FailoverClusters](policy-csp-admx-mmcsnapins.md) -- [MMC_FAXService](policy-csp-admx-mmcsnapins.md) -- [MMC_FrontPageExt](policy-csp-admx-mmcsnapins.md) -- [MMC_GroupPolicyManagementSnapIn](policy-csp-admx-mmcsnapins.md) -- [MMC_GroupPolicySnapIn](policy-csp-admx-mmcsnapins.md) -- [MMC_ADMComputers_1](policy-csp-admx-mmcsnapins.md) -- [MMC_ADMUsers_1](policy-csp-admx-mmcsnapins.md) -- [MMC_FolderRedirection_1](policy-csp-admx-mmcsnapins.md) -- [MMC_IEMaintenance_1](policy-csp-admx-mmcsnapins.md) -- [MMC_IPSecManage_GP](policy-csp-admx-mmcsnapins.md) -- [MMC_NapSnap_GP](policy-csp-admx-mmcsnapins.md) -- [MMC_RIS](policy-csp-admx-mmcsnapins.md) -- [MMC_ScriptsUser_1](policy-csp-admx-mmcsnapins.md) -- [MMC_ScriptsMachine_1](policy-csp-admx-mmcsnapins.md) -- [MMC_SecuritySettings_1](policy-csp-admx-mmcsnapins.md) -- [MMC_SoftwareInstalationComputers_1](policy-csp-admx-mmcsnapins.md) -- [MMC_SoftwareInstallationUsers_1](policy-csp-admx-mmcsnapins.md) -- [MMC_WindowsFirewall_GP](policy-csp-admx-mmcsnapins.md) -- [MMC_WiredNetworkPolicy](policy-csp-admx-mmcsnapins.md) -- [MMC_WirelessNetworkPolicy](policy-csp-admx-mmcsnapins.md) -- [MMC_GroupPolicyTab](policy-csp-admx-mmcsnapins.md) -- [MMC_ResultantSetOfPolicySnapIn](policy-csp-admx-mmcsnapins.md) -- [MMC_ADMComputers_2](policy-csp-admx-mmcsnapins.md) -- [MMC_ADMUsers_2](policy-csp-admx-mmcsnapins.md) -- [MMC_FolderRedirection_2](policy-csp-admx-mmcsnapins.md) -- [MMC_IEMaintenance_2](policy-csp-admx-mmcsnapins.md) -- [MMC_ScriptsUser_2](policy-csp-admx-mmcsnapins.md) -- [MMC_ScriptsMachine_2](policy-csp-admx-mmcsnapins.md) -- [MMC_SecuritySettings_2](policy-csp-admx-mmcsnapins.md) -- [MMC_SoftwareInstalationComputers_2](policy-csp-admx-mmcsnapins.md) -- [MMC_SoftwareInstallationUsers_2](policy-csp-admx-mmcsnapins.md) -- [MMC_HRA](policy-csp-admx-mmcsnapins.md) -- [MMC_IndexingService](policy-csp-admx-mmcsnapins.md) -- [MMC_IAS](policy-csp-admx-mmcsnapins.md) -- [MMC_IIS](policy-csp-admx-mmcsnapins.md) -- [MMC_IpSecMonitor](policy-csp-admx-mmcsnapins.md) -- [MMC_IpSecManage](policy-csp-admx-mmcsnapins.md) -- [MMC_LocalUsersGroups](policy-csp-admx-mmcsnapins.md) -- [MMC_NapSnap](policy-csp-admx-mmcsnapins.md) -- [MMC_NPSUI](policy-csp-admx-mmcsnapins.md) -- [MMC_OCSP](policy-csp-admx-mmcsnapins.md) -- [MMC_PerfLogsAlerts](policy-csp-admx-mmcsnapins.md) -- [MMC_QoSAdmission](policy-csp-admx-mmcsnapins.md) -- [MMC_TerminalServices](policy-csp-admx-mmcsnapins.md) -- [MMC_RemoteDesktop](policy-csp-admx-mmcsnapins.md) -- [MMC_RSM](policy-csp-admx-mmcsnapins.md) -- [MMC_RRA](policy-csp-admx-mmcsnapins.md) -- [MMC_SCA](policy-csp-admx-mmcsnapins.md) -- [MMC_SecurityTemplates](policy-csp-admx-mmcsnapins.md) -- [MMC_ServerManager](policy-csp-admx-mmcsnapins.md) -- [MMC_Services](policy-csp-admx-mmcsnapins.md) -- [MMC_SharedFolders](policy-csp-admx-mmcsnapins.md) -- [MMC_SysInfo](policy-csp-admx-mmcsnapins.md) -- [MMC_Telephony](policy-csp-admx-mmcsnapins.md) -- [MMC_TPMManagement](policy-csp-admx-mmcsnapins.md) -- [MMC_WindowsFirewall](policy-csp-admx-mmcsnapins.md) -- [MMC_WirelessMon](policy-csp-admx-mmcsnapins.md) -- [MMC_WMI](policy-csp-admx-mmcsnapins.md) - -## ADMX_MobilePCMobilityCenter - -- [MobilityCenterEnable_1](policy-csp-admx-mobilepcmobilitycenter.md) -- [MobilityCenterEnable_2](policy-csp-admx-mobilepcmobilitycenter.md) - -## ADMX_MobilePCPresentationSettings - -- [PresentationSettingsEnable_1](policy-csp-admx-mobilepcpresentationsettings.md) -- [PresentationSettingsEnable_2](policy-csp-admx-mobilepcpresentationsettings.md) - -## ADMX_MSAPolicy - -- [MicrosoftAccount_DisableUserAuth](policy-csp-admx-msapolicy.md) - -## ADMX_msched - -- [ActivationBoundaryPolicy](policy-csp-admx-msched.md) -- [RandomDelayPolicy](policy-csp-admx-msched.md) - -## ADMX_MSDT - -- [WdiScenarioExecutionPolicy](policy-csp-admx-msdt.md) -- [MsdtToolDownloadPolicy](policy-csp-admx-msdt.md) -- [MsdtSupportProvider](policy-csp-admx-msdt.md) - -## ADMX_MSI - -- [DisableMedia](policy-csp-admx-msi.md) -- [DisableRollback_1](policy-csp-admx-msi.md) -- [SearchOrder](policy-csp-admx-msi.md) -- [AllowLockdownBrowse](policy-csp-admx-msi.md) -- [AllowLockdownPatch](policy-csp-admx-msi.md) -- [AllowLockdownMedia](policy-csp-admx-msi.md) -- [MSI_MaxPatchCacheSize](policy-csp-admx-msi.md) -- [MSI_EnforceUpgradeComponentRules](policy-csp-admx-msi.md) -- [MsiDisableEmbeddedUI](policy-csp-admx-msi.md) -- [SafeForScripting](policy-csp-admx-msi.md) -- [DisablePatch](policy-csp-admx-msi.md) -- [DisableFlyweightPatching](policy-csp-admx-msi.md) -- [MSI_DisableLUAPatching](policy-csp-admx-msi.md) -- [MSI_DisablePatchUninstall](policy-csp-admx-msi.md) -- [DisableRollback_2](policy-csp-admx-msi.md) -- [DisableAutomaticApplicationShutdown](policy-csp-admx-msi.md) -- [MSI_DisableUserInstalls](policy-csp-admx-msi.md) -- [DisableBrowse](policy-csp-admx-msi.md) -- [TransformsSecure](policy-csp-admx-msi.md) -- [MSILogging](policy-csp-admx-msi.md) -- [MSI_DisableSRCheckPoints](policy-csp-admx-msi.md) -- [DisableLoggingFromPackage](policy-csp-admx-msi.md) -- [DisableSharedComponent](policy-csp-admx-msi.md) -- [DisableMSI](policy-csp-admx-msi.md) - -## ADMX_MsiFileRecovery - -- [WdiScenarioExecutionPolicy](policy-csp-admx-msifilerecovery.md) - -## ADMX_MSS-legacy - -- [Pol_MSS_AutoAdminLogon](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_AutoReboot](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_AutoShareServer](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_AutoShareWks](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_DisableSavePassword](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_EnableDeadGWDetect](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_HideFromBrowseList](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_KeepAliveTime](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_NoDefaultExempt](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_NtfsDisable8dot3NameCreation](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_PerformRouterDiscovery](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_SafeDllSearchMode](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_ScreenSaverGracePeriod](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_SynAttackProtect](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_TcpMaxConnectResponseRetransmissions](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_TcpMaxDataRetransmissionsIPv6](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_TcpMaxDataRetransmissions](policy-csp-admx-mss-legacy.md) -- [Pol_MSS_WarningLevel](policy-csp-admx-mss-legacy.md) - -## ADMX_nca - -- [CorporateResources](policy-csp-admx-nca.md) -- [CustomCommands](policy-csp-admx-nca.md) -- [PassiveMode](policy-csp-admx-nca.md) -- [FriendlyName](policy-csp-admx-nca.md) -- [DTEs](policy-csp-admx-nca.md) -- [LocalNamesOn](policy-csp-admx-nca.md) -- [SupportEmail](policy-csp-admx-nca.md) -- [ShowUI](policy-csp-admx-nca.md) - -## ADMX_NCSI - -- [NCSI_CorpDnsProbeContent](policy-csp-admx-ncsi.md) -- [NCSI_CorpDnsProbeHost](policy-csp-admx-ncsi.md) -- [NCSI_CorpSitePrefixes](policy-csp-admx-ncsi.md) -- [NCSI_CorpWebProbeUrl](policy-csp-admx-ncsi.md) -- [NCSI_DomainLocationDeterminationUrl](policy-csp-admx-ncsi.md) -- [NCSI_GlobalDns](policy-csp-admx-ncsi.md) -- [NCSI_PassivePolling](policy-csp-admx-ncsi.md) - -## ADMX_Netlogon - -- [Netlogon_AllowNT4Crypto](policy-csp-admx-netlogon.md) -- [Netlogon_AvoidPdcOnWan](policy-csp-admx-netlogon.md) -- [Netlogon_IgnoreIncomingMailslotMessages](policy-csp-admx-netlogon.md) -- [Netlogon_AvoidFallbackNetbiosDiscovery](policy-csp-admx-netlogon.md) -- [Netlogon_ForceRediscoveryInterval](policy-csp-admx-netlogon.md) -- [Netlogon_AddressTypeReturned](policy-csp-admx-netlogon.md) -- [Netlogon_LdapSrvPriority](policy-csp-admx-netlogon.md) -- [Netlogon_DnsTtl](policy-csp-admx-netlogon.md) -- [Netlogon_LdapSrvWeight](policy-csp-admx-netlogon.md) -- [Netlogon_AddressLookupOnPingBehavior](policy-csp-admx-netlogon.md) -- [Netlogon_DnsAvoidRegisterRecords](policy-csp-admx-netlogon.md) -- [Netlogon_UseDynamicDns](policy-csp-admx-netlogon.md) -- [Netlogon_DnsRefreshInterval](policy-csp-admx-netlogon.md) -- [Netlogon_NdncSiteCoverage](policy-csp-admx-netlogon.md) -- [Netlogon_SiteCoverage](policy-csp-admx-netlogon.md) -- [Netlogon_GcSiteCoverage](policy-csp-admx-netlogon.md) -- [Netlogon_TryNextClosestSite](policy-csp-admx-netlogon.md) -- [Netlogon_AutoSiteCoverage](policy-csp-admx-netlogon.md) -- [Netlogon_AllowDnsSuffixSearch](policy-csp-admx-netlogon.md) -- [Netlogon_AllowSingleLabelDnsDomain](policy-csp-admx-netlogon.md) -- [Netlogon_DnsSrvRecordUseLowerCaseHostNames](policy-csp-admx-netlogon.md) -- [Netlogon_NetlogonShareCompatibilityMode](policy-csp-admx-netlogon.md) -- [Netlogon_ScavengeInterval](policy-csp-admx-netlogon.md) -- [Netlogon_SysvolShareCompatibilityMode](policy-csp-admx-netlogon.md) -- [Netlogon_ExpectedDialupDelay](policy-csp-admx-netlogon.md) -- [Netlogon_DebugFlag](policy-csp-admx-netlogon.md) -- [Netlogon_MaximumLogFileSize](policy-csp-admx-netlogon.md) -- [Netlogon_NegativeCachePeriod](policy-csp-admx-netlogon.md) -- [Netlogon_NonBackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) -- [Netlogon_SiteName](policy-csp-admx-netlogon.md) -- [Netlogon_BackgroundRetryQuitTime](policy-csp-admx-netlogon.md) -- [Netlogon_BackgroundRetryInitialPeriod](policy-csp-admx-netlogon.md) -- [Netlogon_BackgroundRetryMaximumPeriod](policy-csp-admx-netlogon.md) -- [Netlogon_BackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) -- [Netlogon_PingUrgencyMode](policy-csp-admx-netlogon.md) - -## ADMX_NetworkConnections - -- [NC_RasAllUserProperties](policy-csp-admx-networkconnections.md) -- [NC_DeleteAllUserConnection](policy-csp-admx-networkconnections.md) -- [NC_LanConnect](policy-csp-admx-networkconnections.md) -- [NC_RenameAllUserRasConnection](policy-csp-admx-networkconnections.md) -- [NC_RenameLanConnection](policy-csp-admx-networkconnections.md) -- [NC_RenameConnection](policy-csp-admx-networkconnections.md) -- [NC_EnableAdminProhibits](policy-csp-admx-networkconnections.md) -- [NC_LanProperties](policy-csp-admx-networkconnections.md) -- [NC_LanChangeProperties](policy-csp-admx-networkconnections.md) -- [NC_RasChangeProperties](policy-csp-admx-networkconnections.md) -- [NC_AdvancedSettings](policy-csp-admx-networkconnections.md) -- [NC_NewConnectionWizard](policy-csp-admx-networkconnections.md) -- [NC_DialupPrefs](policy-csp-admx-networkconnections.md) -- [NC_AddRemoveComponents](policy-csp-admx-networkconnections.md) -- [NC_RasMyProperties](policy-csp-admx-networkconnections.md) -- [NC_RasConnect](policy-csp-admx-networkconnections.md) -- [NC_DeleteConnection](policy-csp-admx-networkconnections.md) -- [NC_ChangeBindState](policy-csp-admx-networkconnections.md) -- [NC_RenameMyRasConnection](policy-csp-admx-networkconnections.md) -- [NC_AllowAdvancedTCPIPConfig](policy-csp-admx-networkconnections.md) -- [NC_Statistics](policy-csp-admx-networkconnections.md) -- [NC_IpStateChecking](policy-csp-admx-networkconnections.md) -- [NC_DoNotShowLocalOnlyIcon](policy-csp-admx-networkconnections.md) -- [NC_PersonalFirewallConfig](policy-csp-admx-networkconnections.md) -- [NC_ShowSharedAccessUI](policy-csp-admx-networkconnections.md) -- [NC_StdDomainUserSetLocation](policy-csp-admx-networkconnections.md) -- [NC_ForceTunneling](policy-csp-admx-networkconnections.md) - -## ADMX_OfflineFiles - -- [Pol_GoOfflineAction_1](policy-csp-admx-offlinefiles.md) -- [Pol_EventLoggingLevel_1](policy-csp-admx-offlinefiles.md) -- [Pol_ReminderInitTimeout_1](policy-csp-admx-offlinefiles.md) -- [Pol_CustomGoOfflineActions_1](policy-csp-admx-offlinefiles.md) -- [Pol_NoCacheViewer_1](policy-csp-admx-offlinefiles.md) -- [Pol_NoConfigCache_1](policy-csp-admx-offlinefiles.md) -- [Pol_ReminderFreq_1](policy-csp-admx-offlinefiles.md) -- [Pol_ReminderTimeout_1](policy-csp-admx-offlinefiles.md) -- [Pol_NoMakeAvailableOffline_1](policy-csp-admx-offlinefiles.md) -- [Pol_NoPinFiles_1](policy-csp-admx-offlinefiles.md) -- [Pol_WorkOfflineDisabled_1](policy-csp-admx-offlinefiles.md) -- [Pol_AssignedOfflineFiles_1](policy-csp-admx-offlinefiles.md) -- [Pol_SyncAtLogoff_1](policy-csp-admx-offlinefiles.md) -- [Pol_SyncAtLogon_1](policy-csp-admx-offlinefiles.md) -- [Pol_SyncAtSuspend_1](policy-csp-admx-offlinefiles.md) -- [Pol_NoReminders_1](policy-csp-admx-offlinefiles.md) -- [Pol_GoOfflineAction_2](policy-csp-admx-offlinefiles.md) -- [Pol_Enabled](policy-csp-admx-offlinefiles.md) -- [Pol_PurgeAtLogoff](policy-csp-admx-offlinefiles.md) -- [Pol_BackgroundSyncSettings](policy-csp-admx-offlinefiles.md) -- [Pol_SlowLinkSpeed](policy-csp-admx-offlinefiles.md) -- [Pol_SlowLinkSettings](policy-csp-admx-offlinefiles.md) -- [Pol_DefCacheSize](policy-csp-admx-offlinefiles.md) -- [Pol_ExclusionListSettings](policy-csp-admx-offlinefiles.md) -- [Pol_SyncOnCostedNetwork](policy-csp-admx-offlinefiles.md) -- [Pol_OnlineCachingSettings](policy-csp-admx-offlinefiles.md) -- [Pol_EncryptOfflineFiles](policy-csp-admx-offlinefiles.md) -- [Pol_EventLoggingLevel_2](policy-csp-admx-offlinefiles.md) -- [Pol_ExtExclusionList](policy-csp-admx-offlinefiles.md) -- [Pol_ReminderInitTimeout_2](policy-csp-admx-offlinefiles.md) -- [Pol_CacheSize](policy-csp-admx-offlinefiles.md) -- [Pol_CustomGoOfflineActions_2](policy-csp-admx-offlinefiles.md) -- [Pol_NoCacheViewer_2](policy-csp-admx-offlinefiles.md) -- [Pol_NoConfigCache_2](policy-csp-admx-offlinefiles.md) -- [Pol_ReminderFreq_2](policy-csp-admx-offlinefiles.md) -- [Pol_ReminderTimeout_2](policy-csp-admx-offlinefiles.md) -- [Pol_NoMakeAvailableOffline_2](policy-csp-admx-offlinefiles.md) -- [Pol_NoPinFiles_2](policy-csp-admx-offlinefiles.md) -- [Pol_WorkOfflineDisabled_2](policy-csp-admx-offlinefiles.md) -- [Pol_AssignedOfflineFiles_2](policy-csp-admx-offlinefiles.md) -- [Pol_AlwaysPinSubFolders](policy-csp-admx-offlinefiles.md) -- [Pol_SyncAtLogoff_2](policy-csp-admx-offlinefiles.md) -- [Pol_SyncAtLogon_2](policy-csp-admx-offlinefiles.md) -- [Pol_SyncAtSuspend_2](policy-csp-admx-offlinefiles.md) -- [Pol_NoReminders_2](policy-csp-admx-offlinefiles.md) -- [Pol_QuickAdimPin](policy-csp-admx-offlinefiles.md) - -## ADMX_pca - -- [DetectDeprecatedCOMComponentFailuresPolicy](policy-csp-admx-pca.md) -- [DetectDeprecatedComponentFailuresPolicy](policy-csp-admx-pca.md) -- [DetectInstallFailuresPolicy](policy-csp-admx-pca.md) -- [DetectUndetectedInstallersPolicy](policy-csp-admx-pca.md) -- [DetectUpdateFailuresPolicy](policy-csp-admx-pca.md) -- [DisablePcaUIPolicy](policy-csp-admx-pca.md) -- [DetectBlockedDriversPolicy](policy-csp-admx-pca.md) - -## ADMX_PeerToPeerCaching - -- [EnableWindowsBranchCache_SMB](policy-csp-admx-peertopeercaching.md) -- [SetDowngrading](policy-csp-admx-peertopeercaching.md) -- [EnableWindowsBranchCache_HostedMultipleServers](policy-csp-admx-peertopeercaching.md) -- [EnableWindowsBranchCache_HostedCacheDiscovery](policy-csp-admx-peertopeercaching.md) -- [SetDataCacheEntryMaxAge](policy-csp-admx-peertopeercaching.md) -- [EnableWindowsBranchCache_Distributed](policy-csp-admx-peertopeercaching.md) -- [EnableWindowsBranchCache_Hosted](policy-csp-admx-peertopeercaching.md) -- [SetCachePercent](policy-csp-admx-peertopeercaching.md) -- [EnableWindowsBranchCache](policy-csp-admx-peertopeercaching.md) - -## ADMX_PenTraining - -- [PenTrainingOff_1](policy-csp-admx-pentraining.md) -- [PenTrainingOff_2](policy-csp-admx-pentraining.md) - -## ADMX_PerformanceDiagnostics - -- [WdiScenarioExecutionPolicy_1](policy-csp-admx-performancediagnostics.md) -- [WdiScenarioExecutionPolicy_3](policy-csp-admx-performancediagnostics.md) -- [WdiScenarioExecutionPolicy_4](policy-csp-admx-performancediagnostics.md) -- [WdiScenarioExecutionPolicy_2](policy-csp-admx-performancediagnostics.md) - -## ADMX_Power - -- [PW_PromptPasswordOnResume](policy-csp-admx-power.md) -- [Dont_PowerOff_AfterShutdown](policy-csp-admx-power.md) -- [DCStartMenuButtonAction_2](policy-csp-admx-power.md) -- [ACStartMenuButtonAction_2](policy-csp-admx-power.md) -- [DiskDCPowerDownTimeOut_2](policy-csp-admx-power.md) -- [DiskACPowerDownTimeOut_2](policy-csp-admx-power.md) -- [DCBatteryDischargeAction0_2](policy-csp-admx-power.md) -- [DCBatteryDischargeLevel0_2](policy-csp-admx-power.md) -- [DCBatteryDischargeAction1_2](policy-csp-admx-power.md) -- [DCBatteryDischargeLevel1_2](policy-csp-admx-power.md) -- [ReserveBatteryNotificationLevel](policy-csp-admx-power.md) -- [DCBatteryDischargeLevel1UINotification_2](policy-csp-admx-power.md) -- [PowerThrottlingTurnOff](policy-csp-admx-power.md) -- [InboxActiveSchemeOverride_2](policy-csp-admx-power.md) -- [AllowSystemPowerRequestDC](policy-csp-admx-power.md) -- [AllowSystemPowerRequestAC](policy-csp-admx-power.md) -- [AllowSystemSleepWithRemoteFilesOpenDC](policy-csp-admx-power.md) -- [AllowSystemSleepWithRemoteFilesOpenAC](policy-csp-admx-power.md) -- [DCConnectivityInStandby_2](policy-csp-admx-power.md) -- [ACConnectivityInStandby_2](policy-csp-admx-power.md) -- [DCCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) -- [ACCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) -- [CustomActiveSchemeOverride_2](policy-csp-admx-power.md) -- [EnableDesktopSlideShowDC](policy-csp-admx-power.md) -- [EnableDesktopSlideShowAC](policy-csp-admx-power.md) - -## ADMX_PowerShellExecutionPolicy - -- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) -- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) - -## ADMX_PreviousVersions - -- [DisableLocalPage_1](policy-csp-admx-previousversions.md) -- [DisableRemotePage_1](policy-csp-admx-previousversions.md) -- [HideBackupEntries_1](policy-csp-admx-previousversions.md) -- [DisableLocalRestore_1](policy-csp-admx-previousversions.md) -- [DisableBackupRestore_1](policy-csp-admx-previousversions.md) -- [DisableRemoteRestore_1](policy-csp-admx-previousversions.md) -- [DisableLocalPage_2](policy-csp-admx-previousversions.md) -- [DisableRemotePage_2](policy-csp-admx-previousversions.md) -- [HideBackupEntries_2](policy-csp-admx-previousversions.md) -- [DisableLocalRestore_2](policy-csp-admx-previousversions.md) -- [DisableBackupRestore_2](policy-csp-admx-previousversions.md) -- [DisableRemoteRestore_2](policy-csp-admx-previousversions.md) - -## ADMX_Printing - -- [IntranetPrintersUrl](policy-csp-admx-printing.md) -- [DownlevelBrowse](policy-csp-admx-printing.md) -- [PrinterDirectorySearchScope](policy-csp-admx-printing.md) -- [PackagePointAndPrintOnly](policy-csp-admx-printing.md) -- [PackagePointAndPrintServerList](policy-csp-admx-printing.md) -- [NoDeletePrinter](policy-csp-admx-printing.md) -- [LegacyDefaultPrinterMode](policy-csp-admx-printing.md) -- [AllowWebPrinting](policy-csp-admx-printing.md) -- [DomainPrinters](policy-csp-admx-printing.md) -- [NonDomainPrinters](policy-csp-admx-printing.md) -- [ShowJobTitleInEventLogs](policy-csp-admx-printing.md) -- [ForceSoftwareRasterization](policy-csp-admx-printing.md) -- [EMFDespooling](policy-csp-admx-printing.md) -- [MXDWUseLegacyOutputFormatMSXPS](policy-csp-admx-printing.md) -- [PhysicalLocation](policy-csp-admx-printing.md) -- [CustomizedSupportUrl](policy-csp-admx-printing.md) -- [KMPrintersAreBlocked](policy-csp-admx-printing.md) -- [V4DriverDisallowPrinterExtension](policy-csp-admx-printing.md) -- [PrintDriverIsolationExecutionPolicy](policy-csp-admx-printing.md) -- [DoNotInstallCompatibleDriverFromWindowsUpdate](policy-csp-admx-printing.md) -- [ApplicationDriverIsolation](policy-csp-admx-printing.md) -- [PackagePointAndPrintOnly_Win7](policy-csp-admx-printing.md) -- [PrintDriverIsolationOverrideCompat](policy-csp-admx-printing.md) -- [PackagePointAndPrintServerList_Win7](policy-csp-admx-printing.md) -- [PhysicalLocationSupport](policy-csp-admx-printing.md) -- [PrinterServerThread](policy-csp-admx-printing.md) - -## ADMX_Printing2 - -- [RegisterSpoolerRemoteRpcEndPoint](policy-csp-admx-printing2.md) -- [ImmortalPrintQueue](policy-csp-admx-printing2.md) -- [AutoPublishing](policy-csp-admx-printing2.md) -- [VerifyPublishedState](policy-csp-admx-printing2.md) -- [PruningInterval](policy-csp-admx-printing2.md) -- [PruningPriority](policy-csp-admx-printing2.md) -- [PruningRetries](policy-csp-admx-printing2.md) -- [PruningRetryLog](policy-csp-admx-printing2.md) -- [PruneDownlevel](policy-csp-admx-printing2.md) - -## ADMX_Programs - -- [NoGetPrograms](policy-csp-admx-programs.md) -- [NoInstalledUpdates](policy-csp-admx-programs.md) -- [NoProgramsAndFeatures](policy-csp-admx-programs.md) -- [NoDefaultPrograms](policy-csp-admx-programs.md) -- [NoWindowsFeatures](policy-csp-admx-programs.md) -- [NoWindowsMarketplace](policy-csp-admx-programs.md) -- [NoProgramsCPL](policy-csp-admx-programs.md) - -## ADMX_PushToInstall - -- [DisablePushToInstall](policy-csp-admx-pushtoinstall.md) - -## ADMX_QOS - -- [QosServiceTypeBestEffort_C](policy-csp-admx-qos.md) -- [QosServiceTypeControlledLoad_C](policy-csp-admx-qos.md) -- [QosServiceTypeGuaranteed_C](policy-csp-admx-qos.md) -- [QosServiceTypeNetworkControl_C](policy-csp-admx-qos.md) -- [QosServiceTypeQualitative_C](policy-csp-admx-qos.md) -- [QosServiceTypeBestEffort_NC](policy-csp-admx-qos.md) -- [QosServiceTypeControlledLoad_NC](policy-csp-admx-qos.md) -- [QosServiceTypeGuaranteed_NC](policy-csp-admx-qos.md) -- [QosServiceTypeNetworkControl_NC](policy-csp-admx-qos.md) -- [QosServiceTypeQualitative_NC](policy-csp-admx-qos.md) -- [QosServiceTypeBestEffort_PV](policy-csp-admx-qos.md) -- [QosServiceTypeControlledLoad_PV](policy-csp-admx-qos.md) -- [QosServiceTypeGuaranteed_PV](policy-csp-admx-qos.md) -- [QosServiceTypeNetworkControl_PV](policy-csp-admx-qos.md) -- [QosServiceTypeNonConforming](policy-csp-admx-qos.md) -- [QosServiceTypeQualitative_PV](policy-csp-admx-qos.md) -- [QosMaxOutstandingSends](policy-csp-admx-qos.md) -- [QosNonBestEffortLimit](policy-csp-admx-qos.md) -- [QosTimerResolution](policy-csp-admx-qos.md) - -## ADMX_Radar - -- [WdiScenarioExecutionPolicy](policy-csp-admx-radar.md) - -## ADMX_Reliability - -- [ShutdownEventTrackerStateFile](policy-csp-admx-reliability.md) -- [ShutdownReason](policy-csp-admx-reliability.md) -- [EE_EnablePersistentTimeStamp](policy-csp-admx-reliability.md) -- [PCH_ReportShutdownEvents](policy-csp-admx-reliability.md) - -## ADMX_RemoteAssistance - -- [RA_EncryptedTicketOnly](policy-csp-admx-remoteassistance.md) -- [RA_Optimize_Bandwidth](policy-csp-admx-remoteassistance.md) - -## ADMX_RemovableStorage - -- [RemovableStorageClasses_DenyAll_Access_1](policy-csp-admx-removablestorage.md) -- [CDandDVD_DenyRead_Access_1](policy-csp-admx-removablestorage.md) -- [CDandDVD_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) -- [CustomClasses_DenyRead_Access_1](policy-csp-admx-removablestorage.md) -- [CustomClasses_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) -- [FloppyDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) -- [FloppyDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) -- [RemovableDisks_DenyRead_Access_1](policy-csp-admx-removablestorage.md) -- [RemovableDisks_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) -- [AccessRights_RebootTime_1](policy-csp-admx-removablestorage.md) -- [TapeDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) -- [TapeDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) -- [WPDDevices_DenyRead_Access_1](policy-csp-admx-removablestorage.md) -- [WPDDevices_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) -- [RemovableStorageClasses_DenyAll_Access_2](policy-csp-admx-removablestorage.md) -- [Removable_Remote_Allow_Access](policy-csp-admx-removablestorage.md) -- [CDandDVD_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) -- [CDandDVD_DenyRead_Access_2](policy-csp-admx-removablestorage.md) -- [CDandDVD_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) -- [CustomClasses_DenyRead_Access_2](policy-csp-admx-removablestorage.md) -- [CustomClasses_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) -- [FloppyDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) -- [FloppyDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) -- [FloppyDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) -- [RemovableDisks_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) -- [RemovableDisks_DenyRead_Access_2](policy-csp-admx-removablestorage.md) -- [AccessRights_RebootTime_2](policy-csp-admx-removablestorage.md) -- [TapeDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) -- [TapeDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) -- [TapeDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) -- [WPDDevices_DenyRead_Access_2](policy-csp-admx-removablestorage.md) -- [WPDDevices_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) - -## ADMX_RPC - -- [RpcIgnoreDelegationFailure](policy-csp-admx-rpc.md) -- [RpcStateInformation](policy-csp-admx-rpc.md) -- [RpcExtendedErrorInformation](policy-csp-admx-rpc.md) -- [RpcMinimumHttpConnectionTimeout](policy-csp-admx-rpc.md) - -## ADMX_sam - -- [SamNGCKeyROCAValidation](policy-csp-admx-sam.md) - -## ADMX_Scripts - -- [Run_Logoff_Script_Visible](policy-csp-admx-scripts.md) -- [Run_Logon_Script_Visible](policy-csp-admx-scripts.md) -- [Run_Legacy_Logon_Script_Hidden](policy-csp-admx-scripts.md) -- [Run_Logon_Script_Sync_1](policy-csp-admx-scripts.md) -- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) -- [Allow_Logon_Script_NetbiosDisabled](policy-csp-admx-scripts.md) -- [Run_Shutdown_Script_Visible](policy-csp-admx-scripts.md) -- [Run_Startup_Script_Visible](policy-csp-admx-scripts.md) -- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md) -- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md) -- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md) -- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) -- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md) - -## ADMX_sdiageng - -- [ScriptedDiagnosticsSecurityPolicy](policy-csp-admx-sdiageng.md) -- [ScriptedDiagnosticsExecutionPolicy](policy-csp-admx-sdiageng.md) -- [BetterWhenConnected](policy-csp-admx-sdiageng.md) - -## ADMX_sdiagschd - -- [ScheduledDiagnosticsExecutionPolicy](policy-csp-admx-sdiagschd.md) - -## ADMX_Securitycenter - -- [SecurityCenter_SecurityCenterInDomain](policy-csp-admx-securitycenter.md) - -## ADMX_Sensors - -- [DisableLocation_1](policy-csp-admx-sensors.md) -- [DisableLocationScripting_1](policy-csp-admx-sensors.md) -- [DisableSensors_1](policy-csp-admx-sensors.md) -- [DisableLocationScripting_2](policy-csp-admx-sensors.md) -- [DisableSensors_2](policy-csp-admx-sensors.md) - -## ADMX_ServerManager - -- [Do_not_display_Manage_Your_Server_page](policy-csp-admx-servermanager.md) -- [ServerManagerAutoRefreshRate](policy-csp-admx-servermanager.md) -- [DoNotLaunchInitialConfigurationTasks](policy-csp-admx-servermanager.md) -- [DoNotLaunchServerManager](policy-csp-admx-servermanager.md) - -## ADMX_Servicing - -- [Servicing](policy-csp-admx-servicing.md) - -## ADMX_SettingSync - -- [DisableSettingSync](policy-csp-admx-settingsync.md) -- [DisableApplicationSettingSync](policy-csp-admx-settingsync.md) -- [DisableAppSyncSettingSync](policy-csp-admx-settingsync.md) -- [DisableDesktopThemeSettingSync](policy-csp-admx-settingsync.md) -- [DisableSyncOnPaidNetwork](policy-csp-admx-settingsync.md) -- [DisableWindowsSettingSync](policy-csp-admx-settingsync.md) -- [DisableCredentialsSettingSync](policy-csp-admx-settingsync.md) -- [DisablePersonalizationSettingSync](policy-csp-admx-settingsync.md) -- [DisableStartLayoutSettingSync](policy-csp-admx-settingsync.md) - -## ADMX_SharedFolders - -- [PublishDfsRoots](policy-csp-admx-sharedfolders.md) -- [PublishSharedFolders](policy-csp-admx-sharedfolders.md) - -## ADMX_Sharing - -- [NoInplaceSharing](policy-csp-admx-sharing.md) -- [DisableHomeGroup](policy-csp-admx-sharing.md) - -## ADMX_ShellCommandPromptRegEditTools - -- [DisallowApps](policy-csp-admx-shellcommandpromptregedittools.md) -- [DisableRegedit](policy-csp-admx-shellcommandpromptregedittools.md) -- [DisableCMD](policy-csp-admx-shellcommandpromptregedittools.md) -- [RestrictApps](policy-csp-admx-shellcommandpromptregedittools.md) - -## ADMX_Smartcard - -- [AllowCertificatesWithNoEKU](policy-csp-admx-smartcard.md) -- [EnumerateECCCerts](policy-csp-admx-smartcard.md) -- [AllowIntegratedUnblock](policy-csp-admx-smartcard.md) -- [AllowSignatureOnlyKeys](policy-csp-admx-smartcard.md) -- [AllowTimeInvalidCertificates](policy-csp-admx-smartcard.md) -- [X509HintsNeeded](policy-csp-admx-smartcard.md) -- [CertPropRootCleanupString](policy-csp-admx-smartcard.md) -- [IntegratedUnblockPromptString](policy-csp-admx-smartcard.md) -- [FilterDuplicateCerts](policy-csp-admx-smartcard.md) -- [ForceReadingAllCertificates](policy-csp-admx-smartcard.md) -- [SCPnPNotification](policy-csp-admx-smartcard.md) -- [DisallowPlaintextPin](policy-csp-admx-smartcard.md) -- [ReverseSubject](policy-csp-admx-smartcard.md) -- [CertPropEnabledString](policy-csp-admx-smartcard.md) -- [CertPropRootEnabledString](policy-csp-admx-smartcard.md) -- [SCPnPEnabled](policy-csp-admx-smartcard.md) - -## ADMX_Snmp - -- [SNMP_Communities](policy-csp-admx-snmp.md) -- [SNMP_PermittedManagers](policy-csp-admx-snmp.md) -- [SNMP_Traps_Public](policy-csp-admx-snmp.md) - -## ADMX_SoundRec - -- [Soundrec_DiableApplication_TitleText_1](policy-csp-admx-soundrec.md) -- [Soundrec_DiableApplication_TitleText_2](policy-csp-admx-soundrec.md) - -## ADMX_srmfci - -- [AccessDeniedConfiguration](policy-csp-admx-srmfci.md) -- [EnableShellAccessCheck](policy-csp-admx-srmfci.md) -- [EnableManualUX](policy-csp-admx-srmfci.md) -- [CentralClassificationList](policy-csp-admx-srmfci.md) - -## ADMX_StartMenu - -- [MemCheckBoxInRunDlg](policy-csp-admx-startmenu.md) -- [ForceStartMenuLogOff](policy-csp-admx-startmenu.md) -- [AddSearchInternetLinkInStartMenu](policy-csp-admx-startmenu.md) -- [ShowRunInStartMenu](policy-csp-admx-startmenu.md) -- [PowerButtonAction](policy-csp-admx-startmenu.md) -- [ClearRecentDocsOnExit](policy-csp-admx-startmenu.md) -- [ClearRecentProgForNewUserInStartMenu](policy-csp-admx-startmenu.md) -- [ClearTilesOnExit](policy-csp-admx-startmenu.md) -- [NoToolbarsOnTaskbar](policy-csp-admx-startmenu.md) -- [NoSearchCommInStartMenu](policy-csp-admx-startmenu.md) -- [NoSearchFilesInStartMenu](policy-csp-admx-startmenu.md) -- [NoSearchInternetInStartMenu](policy-csp-admx-startmenu.md) -- [NoSearchProgramsInStartMenu](policy-csp-admx-startmenu.md) -- [NoResolveSearch](policy-csp-admx-startmenu.md) -- [NoResolveTrack](policy-csp-admx-startmenu.md) -- [NoStartPage](policy-csp-admx-startmenu.md) -- [GoToDesktopOnSignIn](policy-csp-admx-startmenu.md) -- [GreyMSIAds](policy-csp-admx-startmenu.md) -- [NoTrayItemsDisplay](policy-csp-admx-startmenu.md) -- [DesktopAppsFirstInAppsView](policy-csp-admx-startmenu.md) -- [LockTaskbar](policy-csp-admx-startmenu.md) -- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) -- [NoSetTaskbar](policy-csp-admx-startmenu.md) -- [NoTaskGrouping](policy-csp-admx-startmenu.md) -- [NoChangeStartMenu](policy-csp-admx-startmenu.md) -- [NoUninstallFromStart](policy-csp-admx-startmenu.md) -- [NoTrayContextMenu](policy-csp-admx-startmenu.md) -- [NoMoreProgramsList](policy-csp-admx-startmenu.md) -- [NoClose](policy-csp-admx-startmenu.md) -- [NoBalloonTip](policy-csp-admx-startmenu.md) -- [NoTaskBarClock](policy-csp-admx-startmenu.md) -- [NoCommonGroups](policy-csp-admx-startmenu.md) -- [NoSMConfigurePrograms](policy-csp-admx-startmenu.md) -- [NoSMMyDocuments](policy-csp-admx-startmenu.md) -- [NoStartMenuDownload](policy-csp-admx-startmenu.md) -- [NoFavoritesMenu](policy-csp-admx-startmenu.md) -- [NoGamesFolderOnStartMenu](policy-csp-admx-startmenu.md) -- [NoHelp](policy-csp-admx-startmenu.md) -- [NoStartMenuHomegroup](policy-csp-admx-startmenu.md) -- [NoWindowsUpdate](policy-csp-admx-startmenu.md) -- [StartMenuLogOff](policy-csp-admx-startmenu.md) -- [NoSMMyMusic](policy-csp-admx-startmenu.md) -- [NoNetAndDialupConnect](policy-csp-admx-startmenu.md) -- [NoSMMyNetworkPlaces](policy-csp-admx-startmenu.md) -- [NoSMMyPictures](policy-csp-admx-startmenu.md) -- [NoPinnedPrograms](policy-csp-admx-startmenu.md) -- [NoSetFolders](policy-csp-admx-startmenu.md) -- [NoRecentDocsMenu](policy-csp-admx-startmenu.md) -- [NoStartMenuRecordedTV](policy-csp-admx-startmenu.md) -- [NoRun](policy-csp-admx-startmenu.md) -- [NoSearchComputerLinkInStartMenu](policy-csp-admx-startmenu.md) -- [NoFind](policy-csp-admx-startmenu.md) -- [NoSearchEverywhereLinkInStartMenu](policy-csp-admx-startmenu.md) -- [RemoveUnDockPCButton](policy-csp-admx-startmenu.md) -- [NoUserFolderOnStartMenu](policy-csp-admx-startmenu.md) -- [NoUserNameOnStartMenu](policy-csp-admx-startmenu.md) -- [NoStartMenuSubFolders](policy-csp-admx-startmenu.md) -- [NoStartMenuVideos](policy-csp-admx-startmenu.md) -- [DisableGlobalSearchOnAppsView](policy-csp-admx-startmenu.md) -- [ShowRunAsDifferentUserInStart](policy-csp-admx-startmenu.md) -- [QuickLaunchEnabled](policy-csp-admx-startmenu.md) -- [ShowStartOnDisplayWithForegroundOnWinKey](policy-csp-admx-startmenu.md) -- [ShowAppsViewOnStart](policy-csp-admx-startmenu.md) -- [NoAutoTrayNotify](policy-csp-admx-startmenu.md) -- [Intellimenus](policy-csp-admx-startmenu.md) -- [NoInstrumentation](policy-csp-admx-startmenu.md) -- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) -- [NoSetTaskbar](policy-csp-admx-startmenu.md) -- [NoChangeStartMenu](policy-csp-admx-startmenu.md) -- [NoUninstallFromStart](policy-csp-admx-startmenu.md) -- [NoTrayContextMenu](policy-csp-admx-startmenu.md) -- [NoMoreProgramsList](policy-csp-admx-startmenu.md) -- [HidePowerOptions](policy-csp-admx-startmenu.md) -- [NoRun](policy-csp-admx-startmenu.md) - -## ADMX_SystemRestore - -- [SR_DisableConfig](policy-csp-admx-systemrestore.md) - -## ADMX_TabletPCInputPanel - -- [Prediction_1](policy-csp-admx-tabletpcinputpanel.md) -- [IPTIPTarget_1](policy-csp-admx-tabletpcinputpanel.md) -- [IPTIPTouchTarget_1](policy-csp-admx-tabletpcinputpanel.md) -- [RareChar_1](policy-csp-admx-tabletpcinputpanel.md) -- [EdgeTarget_1](policy-csp-admx-tabletpcinputpanel.md) -- [AutoComplete_1](policy-csp-admx-tabletpcinputpanel.md) -- [PasswordSecurity_1](policy-csp-admx-tabletpcinputpanel.md) -- [ScratchOut_1](policy-csp-admx-tabletpcinputpanel.md) -- [Prediction_2](policy-csp-admx-tabletpcinputpanel.md) -- [IPTIPTarget_2](policy-csp-admx-tabletpcinputpanel.md) -- [IPTIPTouchTarget_2](policy-csp-admx-tabletpcinputpanel.md) -- [RareChar_2](policy-csp-admx-tabletpcinputpanel.md) -- [EdgeTarget_2](policy-csp-admx-tabletpcinputpanel.md) -- [AutoComplete_2](policy-csp-admx-tabletpcinputpanel.md) -- [PasswordSecurity_2](policy-csp-admx-tabletpcinputpanel.md) -- [ScratchOut_2](policy-csp-admx-tabletpcinputpanel.md) - -## ADMX_TabletShell - -- [DisableInkball_1](policy-csp-admx-tabletshell.md) -- [DisableNoteWriterPrinting_1](policy-csp-admx-tabletshell.md) -- [DisableSnippingTool_1](policy-csp-admx-tabletshell.md) -- [DisableJournal_1](policy-csp-admx-tabletshell.md) -- [TurnOffFeedback_1](policy-csp-admx-tabletshell.md) -- [PreventBackEscMapping_1](policy-csp-admx-tabletshell.md) -- [PreventLaunchApp_1](policy-csp-admx-tabletshell.md) -- [PreventPressAndHold_1](policy-csp-admx-tabletshell.md) -- [TurnOffButtons_1](policy-csp-admx-tabletshell.md) -- [PreventFlicksLearningMode_1](policy-csp-admx-tabletshell.md) -- [PreventFlicks_1](policy-csp-admx-tabletshell.md) -- [DisableInkball_2](policy-csp-admx-tabletshell.md) -- [DisableNoteWriterPrinting_2](policy-csp-admx-tabletshell.md) -- [DisableSnippingTool_2](policy-csp-admx-tabletshell.md) -- [DisableJournal_2](policy-csp-admx-tabletshell.md) -- [TurnOffFeedback_2](policy-csp-admx-tabletshell.md) -- [PreventBackEscMapping_2](policy-csp-admx-tabletshell.md) -- [PreventLaunchApp_2](policy-csp-admx-tabletshell.md) -- [PreventPressAndHold_2](policy-csp-admx-tabletshell.md) -- [TurnOffButtons_2](policy-csp-admx-tabletshell.md) -- [PreventFlicksLearningMode_2](policy-csp-admx-tabletshell.md) -- [PreventFlicks_2](policy-csp-admx-tabletshell.md) - -## ADMX_Taskbar - -- [EnableLegacyBalloonNotifications](policy-csp-admx-taskbar.md) -- [NoPinningToDestinations](policy-csp-admx-taskbar.md) -- [NoPinningToTaskbar](policy-csp-admx-taskbar.md) -- [NoPinningStoreToTaskbar](policy-csp-admx-taskbar.md) -- [TaskbarNoMultimon](policy-csp-admx-taskbar.md) -- [NoRemoteDestinations](policy-csp-admx-taskbar.md) -- [TaskbarLockAll](policy-csp-admx-taskbar.md) -- [TaskbarNoAddRemoveToolbar](policy-csp-admx-taskbar.md) -- [TaskbarNoRedock](policy-csp-admx-taskbar.md) -- [TaskbarNoDragToolbar](policy-csp-admx-taskbar.md) -- [TaskbarNoResize](policy-csp-admx-taskbar.md) -- [DisableNotificationCenter](policy-csp-admx-taskbar.md) -- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) -- [HideSCAPower](policy-csp-admx-taskbar.md) -- [HideSCANetwork](policy-csp-admx-taskbar.md) -- [HideSCAHealth](policy-csp-admx-taskbar.md) -- [HideSCAVolume](policy-csp-admx-taskbar.md) -- [ShowWindowsStoreAppsOnTaskbar](policy-csp-admx-taskbar.md) -- [TaskbarNoNotification](policy-csp-admx-taskbar.md) -- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md) -- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md) -- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md) -- [DisableNotificationCenter](policy-csp-admx-taskbar.md) -- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) - -## ADMX_tcpip - -- [6to4_Router_Name](policy-csp-admx-tcpip.md) -- [6to4_Router_Name_Resolution_Interval](policy-csp-admx-tcpip.md) -- [6to4_State](policy-csp-admx-tcpip.md) -- [IPHTTPS_ClientState](policy-csp-admx-tcpip.md) -- [ISATAP_Router_Name](policy-csp-admx-tcpip.md) -- [ISATAP_State](policy-csp-admx-tcpip.md) -- [Teredo_Client_Port](policy-csp-admx-tcpip.md) -- [Teredo_Default_Qualified](policy-csp-admx-tcpip.md) -- [Teredo_Refresh_Rate](policy-csp-admx-tcpip.md) -- [Teredo_Server_Name](policy-csp-admx-tcpip.md) -- [Teredo_State](policy-csp-admx-tcpip.md) -- [IP_Stateless_Autoconfiguration_Limits_State](policy-csp-admx-tcpip.md) -- [Windows_Scaling_Heuristics_State](policy-csp-admx-tcpip.md) - -## ADMX_TerminalServer - -- [TS_GATEWAY_POLICY_ENABLE](policy-csp-admx-terminalserver.md) -- [TS_GATEWAY_POLICY_AUTH_METHOD](policy-csp-admx-terminalserver.md) -- [TS_GATEWAY_POLICY_SERVER](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_ALLOW_UNSIGNED_FILES_1](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_ALLOW_SIGNED_FILES_1](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_DISABLE_PASSWORD_SAVING_1](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](policy-csp-admx-terminalserver.md) -- [TS_RemoteControl_1](policy-csp-admx-terminalserver.md) -- [TS_EASY_PRINT_User](policy-csp-admx-terminalserver.md) -- [TS_START_PROGRAM_1](policy-csp-admx-terminalserver.md) -- [TS_Session_End_On_Limit_1](policy-csp-admx-terminalserver.md) -- [TS_SESSIONS_Idle_Limit_1](policy-csp-admx-terminalserver.md) -- [TS_SESSIONS_Limits_1](policy-csp-admx-terminalserver.md) -- [TS_SESSIONS_Disconnected_Timeout_1](policy-csp-admx-terminalserver.md) -- [TS_RADC_DefaultConnection](policy-csp-admx-terminalserver.md) -- [TS_LICENSE_SECGROUP](policy-csp-admx-terminalserver.md) -- [TS_PreventLicenseUpgrade](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_ALLOW_UNSIGNED_FILES_2](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_ALLOW_SIGNED_FILES_2](policy-csp-admx-terminalserver.md) -- [TS_SERVER_AUTH](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_DISABLE_HARDWARE_MODE](policy-csp-admx-terminalserver.md) -- [TS_PROMT_CREDS_CLIENT_COMP](policy-csp-admx-terminalserver.md) -- [TS_USB_REDIRECTION_DISABLE](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_TURN_OFF_UDP](policy-csp-admx-terminalserver.md) -- [TS_AUTO_RECONNECT](policy-csp-admx-terminalserver.md) -- [TS_KEEP_ALIVE](policy-csp-admx-terminalserver.md) -- [TS_FORCIBLE_LOGOFF](policy-csp-admx-terminalserver.md) -- [TS_MAX_CON_POLICY](policy-csp-admx-terminalserver.md) -- [TS_SINGLE_SESSION](policy-csp-admx-terminalserver.md) -- [TS_SELECT_NETWORK_DETECT](policy-csp-admx-terminalserver.md) -- [TS_SELECT_TRANSPORT](policy-csp-admx-terminalserver.md) -- [TS_RemoteControl_2](policy-csp-admx-terminalserver.md) -- [TS_RDSAppX_WaitForRegistration](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_AUDIO](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_AUDIO_CAPTURE](policy-csp-admx-terminalserver.md) -- [TS_TIME_ZONE](policy-csp-admx-terminalserver.md) -- [TS_UIA](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_CLIPBOARD](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_COM](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_LPT](policy-csp-admx-terminalserver.md) -- [TS_SMART_CARD](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_PNP](policy-csp-admx-terminalserver.md) -- [TS_CAMERA_REDIRECTION](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_AUDIO_QUALITY](policy-csp-admx-terminalserver.md) -- [TS_LICENSE_TOOLTIP](policy-csp-admx-terminalserver.md) -- [TS_LICENSING_MODE](policy-csp-admx-terminalserver.md) -- [TS_LICENSE_SERVERS](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_PRINTER](policy-csp-admx-terminalserver.md) -- [TS_CLIENT_DEFAULT_M](policy-csp-admx-terminalserver.md) -- [TS_FALLBACKPRINTDRIVERTYPE](policy-csp-admx-terminalserver.md) -- [TS_EASY_PRINT](policy-csp-admx-terminalserver.md) -- [TS_DELETE_ROAMING_USER_PROFILES](policy-csp-admx-terminalserver.md) -- [TS_USER_PROFILES](policy-csp-admx-terminalserver.md) -- [TS_USER_HOME](policy-csp-admx-terminalserver.md) -- [TS_USER_MANDATORY_PROFILES](policy-csp-admx-terminalserver.md) -- [TS_SD_ClustName](policy-csp-admx-terminalserver.md) -- [TS_SD_Loc](policy-csp-admx-terminalserver.md) -- [TS_JOIN_SESSION_DIRECTORY](policy-csp-admx-terminalserver.md) -- [TS_SD_EXPOSE_ADDRESS](policy-csp-admx-terminalserver.md) -- [TS_TURNOFF_SINGLEAPP](policy-csp-admx-terminalserver.md) -- [TS_SERVER_COMPRESSOR](policy-csp-admx-terminalserver.md) -- [TS_SERVER_AVC_HW_ENCODE_PREFERRED](policy-csp-admx-terminalserver.md) -- [TS_SERVER_IMAGE_QUALITY](policy-csp-admx-terminalserver.md) -- [TS_SERVER_PROFILE](policy-csp-admx-terminalserver.md) -- [TS_SERVER_LEGACY_RFX](policy-csp-admx-terminalserver.md) -- [TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](policy-csp-admx-terminalserver.md) -- [TS_COLORDEPTH](policy-csp-admx-terminalserver.md) -- [TS_MAXDISPLAYRES](policy-csp-admx-terminalserver.md) -- [TS_MAXMONITOR](policy-csp-admx-terminalserver.md) -- [TS_SERVER_AVC444_MODE_PREFERRED](policy-csp-admx-terminalserver.md) -- [TS_EnableVirtualGraphics](policy-csp-admx-terminalserver.md) -- [TS_SERVER_VISEXP](policy-csp-admx-terminalserver.md) -- [TS_RemoteDesktopVirtualGraphics](policy-csp-admx-terminalserver.md) -- [TS_NoDisconnectMenu](policy-csp-admx-terminalserver.md) -- [TS_NoSecurityMenu](policy-csp-admx-terminalserver.md) -- [TS_START_PROGRAM_2](policy-csp-admx-terminalserver.md) -- [TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](policy-csp-admx-terminalserver.md) -- [TS_DX_USE_FULL_HWGPU](policy-csp-admx-terminalserver.md) -- [TS_SERVER_WDDM_GRAPHICS_DRIVER](policy-csp-admx-terminalserver.md) -- [TS_TSCC_PERMISSIONS_POLICY](policy-csp-admx-terminalserver.md) -- [TS_SECURITY_LAYER_POLICY](policy-csp-admx-terminalserver.md) -- [TS_USER_AUTHENTICATION_POLICY](policy-csp-admx-terminalserver.md) -- [TS_CERTIFICATE_TEMPLATE_POLICY](policy-csp-admx-terminalserver.md) -- [TS_Session_End_On_Limit_2](policy-csp-admx-terminalserver.md) -- [TS_SESSIONS_Idle_Limit_2](policy-csp-admx-terminalserver.md) -- [TS_SESSIONS_Limits_2](policy-csp-admx-terminalserver.md) -- [TS_SESSIONS_Disconnected_Timeout_2](policy-csp-admx-terminalserver.md) -- [TS_TEMP_DELETE](policy-csp-admx-terminalserver.md) -- [TS_TEMP_PER_SESSION](policy-csp-admx-terminalserver.md) - -## ADMX_Thumbnails - -- [DisableThumbsDBOnNetworkFolders](policy-csp-admx-thumbnails.md) -- [DisableThumbnailsOnNetworkFolders](policy-csp-admx-thumbnails.md) -- [DisableThumbnails](policy-csp-admx-thumbnails.md) - -## ADMX_TouchInput - -- [TouchInputOff_1](policy-csp-admx-touchinput.md) -- [PanningEverywhereOff_1](policy-csp-admx-touchinput.md) -- [TouchInputOff_2](policy-csp-admx-touchinput.md) -- [PanningEverywhereOff_2](policy-csp-admx-touchinput.md) - -## ADMX_TPM - -- [OptIntoDSHA_Name](policy-csp-admx-tpm.md) -- [OSManagedAuth_Name](policy-csp-admx-tpm.md) -- [BlockedCommandsList_Name](policy-csp-admx-tpm.md) -- [ClearTPMIfNotReady_Name](policy-csp-admx-tpm.md) -- [UseLegacyDAP_Name](policy-csp-admx-tpm.md) -- [IgnoreDefaultList_Name](policy-csp-admx-tpm.md) -- [IgnoreLocalList_Name](policy-csp-admx-tpm.md) -- [StandardUserAuthorizationFailureIndividualThreshold_Name](policy-csp-admx-tpm.md) -- [StandardUserAuthorizationFailureDuration_Name](policy-csp-admx-tpm.md) -- [StandardUserAuthorizationFailureTotalThreshold_Name](policy-csp-admx-tpm.md) - -## ADMX_UserExperienceVirtualization - -- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) -- [Calculator](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) -- [Notepad](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) -- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) -- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) -- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) -- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) -- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) -- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) -- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) -- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) -- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) -- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) -- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) -- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) -- [Finance](policy-csp-admx-userexperiencevirtualization.md) -- [Games](policy-csp-admx-userexperiencevirtualization.md) -- [Maps](policy-csp-admx-userexperiencevirtualization.md) -- [Music](policy-csp-admx-userexperiencevirtualization.md) -- [News](policy-csp-admx-userexperiencevirtualization.md) -- [Reader](policy-csp-admx-userexperiencevirtualization.md) -- [Sports](policy-csp-admx-userexperiencevirtualization.md) -- [Travel](policy-csp-admx-userexperiencevirtualization.md) -- [Video](policy-csp-admx-userexperiencevirtualization.md) -- [Weather](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) -- [Calculator](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) -- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) -- [Notepad](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) -- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) -- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) -- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) -- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md) -- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md) -- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) -- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md) -- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md) -- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) -- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) -- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) -- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md) -- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) -- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) -- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md) -- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) -- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) -- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md) -- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) -- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) -- [Finance](policy-csp-admx-userexperiencevirtualization.md) -- [Games](policy-csp-admx-userexperiencevirtualization.md) -- [Maps](policy-csp-admx-userexperiencevirtualization.md) -- [Music](policy-csp-admx-userexperiencevirtualization.md) -- [News](policy-csp-admx-userexperiencevirtualization.md) -- [Reader](policy-csp-admx-userexperiencevirtualization.md) -- [Sports](policy-csp-admx-userexperiencevirtualization.md) -- [Travel](policy-csp-admx-userexperiencevirtualization.md) -- [Video](policy-csp-admx-userexperiencevirtualization.md) -- [Weather](policy-csp-admx-userexperiencevirtualization.md) - -## ADMX_UserProfiles - -- [LimitSize](policy-csp-admx-userprofiles.md) -- [SlowLinkTimeOut](policy-csp-admx-userprofiles.md) -- [CleanupProfiles](policy-csp-admx-userprofiles.md) -- [DontForceUnloadHive](policy-csp-admx-userprofiles.md) -- [ProfileErrorAction](policy-csp-admx-userprofiles.md) -- [LeaveAppMgmtData](policy-csp-admx-userprofiles.md) -- [USER_HOME](policy-csp-admx-userprofiles.md) -- [UserInfoAccessAction](policy-csp-admx-userprofiles.md) - -## ADMX_W32Time - -- [W32TIME_POLICY_CONFIG](policy-csp-admx-w32time.md) -- [W32TIME_POLICY_CONFIGURE_NTPCLIENT](policy-csp-admx-w32time.md) -- [W32TIME_POLICY_ENABLE_NTPCLIENT](policy-csp-admx-w32time.md) -- [W32TIME_POLICY_ENABLE_NTPSERVER](policy-csp-admx-w32time.md) - -## ADMX_WCM - -- [WCM_DisablePowerManagement](policy-csp-admx-wcm.md) -- [WCM_EnableSoftDisconnect](policy-csp-admx-wcm.md) -- [WCM_MinimizeConnections](policy-csp-admx-wcm.md) - -## ADMX_WDI - -- [WdiDpsScenarioExecutionPolicy](policy-csp-admx-wdi.md) -- [WdiDpsScenarioDataSizeLimitPolicy](policy-csp-admx-wdi.md) - -## ADMX_WinCal - -- [TurnOffWinCal_1](policy-csp-admx-wincal.md) -- [TurnOffWinCal_2](policy-csp-admx-wincal.md) - -## ADMX_WindowsColorSystem - -- [ProhibitChangingInstalledProfileList_1](policy-csp-admx-windowscolorsystem.md) -- [ProhibitChangingInstalledProfileList_2](policy-csp-admx-windowscolorsystem.md) - -## ADMX_WindowsConnectNow - -- [WCN_DisableWcnUi_1](policy-csp-admx-windowsconnectnow.md) -- [WCN_EnableRegistrar](policy-csp-admx-windowsconnectnow.md) -- [WCN_DisableWcnUi_2](policy-csp-admx-windowsconnectnow.md) - -## ADMX_WindowsExplorer - -- [EnforceShellExtensionSecurity](policy-csp-admx-windowsexplorer.md) -- [NoBackButton](policy-csp-admx-windowsexplorer.md) -- [NoPlacesBar](policy-csp-admx-windowsexplorer.md) -- [NoFileMRU](policy-csp-admx-windowsexplorer.md) -- [PlacesBar](policy-csp-admx-windowsexplorer.md) -- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) -- [DisableKnownFolders](policy-csp-admx-windowsexplorer.md) -- [ConfirmFileDelete](policy-csp-admx-windowsexplorer.md) -- [NoFolderOptions](policy-csp-admx-windowsexplorer.md) -- [NoRecycleFiles](policy-csp-admx-windowsexplorer.md) -- [NoRunAsInstallPrompt](policy-csp-admx-windowsexplorer.md) -- [LinkResolveIgnoreLinkInfo](policy-csp-admx-windowsexplorer.md) -- [NoDrives](policy-csp-admx-windowsexplorer.md) -- [NoManageMyComputerVerb](policy-csp-admx-windowsexplorer.md) -- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) -- [RecycleBinSize](policy-csp-admx-windowsexplorer.md) -- [MaxRecentDocs](policy-csp-admx-windowsexplorer.md) -- [NoWorkgroupContents](policy-csp-admx-windowsexplorer.md) -- [NoEntireNetwork](policy-csp-admx-windowsexplorer.md) -- [TryHarderPinnedOpenSearch](policy-csp-admx-windowsexplorer.md) -- [TryHarderPinnedLibrary](policy-csp-admx-windowsexplorer.md) -- [NoViewOnDrive](policy-csp-admx-windowsexplorer.md) -- [NoNetConnectDisconnect](policy-csp-admx-windowsexplorer.md) -- [NoCDBurning](policy-csp-admx-windowsexplorer.md) -- [NoDFSTab](policy-csp-admx-windowsexplorer.md) -- [NoViewContextMenu](policy-csp-admx-windowsexplorer.md) -- [NoFileMenu](policy-csp-admx-windowsexplorer.md) -- [NoHardwareTab](policy-csp-admx-windowsexplorer.md) -- [NoShellSearchButton](policy-csp-admx-windowsexplorer.md) -- [NoSecurityTab](policy-csp-admx-windowsexplorer.md) -- [NoMyComputerSharedDocuments](policy-csp-admx-windowsexplorer.md) -- [NoSearchInternetTryHarderButton](policy-csp-admx-windowsexplorer.md) -- [NoChangeKeyboardNavigationIndicators](policy-csp-admx-windowsexplorer.md) -- [NoChangeAnimation](policy-csp-admx-windowsexplorer.md) -- [PromptRunasInstallNetPath](policy-csp-admx-windowsexplorer.md) -- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) -- [NoCacheThumbNailPictures](policy-csp-admx-windowsexplorer.md) -- [DisableSearchBoxSuggestions](policy-csp-admx-windowsexplorer.md) -- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) -- [ShellProtocolProtectedModeTitle_1](policy-csp-admx-windowsexplorer.md) -- [HideContentViewModeSnippets](policy-csp-admx-windowsexplorer.md) -- [NoWindowsHotKeys](policy-csp-admx-windowsexplorer.md) -- [DisableIndexedLibraryExperience](policy-csp-admx-windowsexplorer.md) -- [ClassicShell](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) -- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md) -- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md) -- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) -- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md) -- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) -- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md) -- [ShowSleepOption](policy-csp-admx-windowsexplorer.md) -- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) -- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) -- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md) -- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) -- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) - -## ADMX_WindowsMediaDRM - -- [DisableOnline](policy-csp-admx-windowsmediadrm.md) - -## ADMX_WindowsMediaPlayer - -- [ConfigureHTTPProxySettings](policy-csp-admx-windowsmediaplayer.md) -- [ConfigureMMSProxySettings](policy-csp-admx-windowsmediaplayer.md) -- [NetworkBuffering](policy-csp-admx-windowsmediaplayer.md) -- [ConfigureRTSPProxySettings](policy-csp-admx-windowsmediaplayer.md) -- [DisableNetworkSettings](policy-csp-admx-windowsmediaplayer.md) -- [WindowsStreamingMediaProtocols](policy-csp-admx-windowsmediaplayer.md) -- [EnableScreenSaver](policy-csp-admx-windowsmediaplayer.md) -- [PolicyCodecUpdate](policy-csp-admx-windowsmediaplayer.md) -- [PreventCDDVDMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) -- [PreventMusicFileMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) -- [PreventRadioPresetsRetrieval](policy-csp-admx-windowsmediaplayer.md) -- [DoNotShowAnchor](policy-csp-admx-windowsmediaplayer.md) -- [HidePrivacyTab](policy-csp-admx-windowsmediaplayer.md) -- [HideSecurityTab](policy-csp-admx-windowsmediaplayer.md) -- [SkinLockDown](policy-csp-admx-windowsmediaplayer.md) -- [DisableSetupFirstUseConfiguration](policy-csp-admx-windowsmediaplayer.md) -- [DisableAutoUpdate](policy-csp-admx-windowsmediaplayer.md) -- [PreventWMPDeskTopShortcut](policy-csp-admx-windowsmediaplayer.md) -- [PreventLibrarySharing](policy-csp-admx-windowsmediaplayer.md) -- [PreventQuickLaunchShortcut](policy-csp-admx-windowsmediaplayer.md) -- [DontUseFrameInterpolation](policy-csp-admx-windowsmediaplayer.md) - -## ADMX_WindowsRemoteManagement - -- [DisallowKerberos_2](policy-csp-admx-windowsremotemanagement.md) -- [DisallowKerberos_1](policy-csp-admx-windowsremotemanagement.md) - -## ADMX_WindowsStore - -- [DisableOSUpgrade_1](policy-csp-admx-windowsstore.md) -- [RemoveWindowsStore_1](policy-csp-admx-windowsstore.md) -- [DisableAutoDownloadWin8](policy-csp-admx-windowsstore.md) -- [DisableOSUpgrade_2](policy-csp-admx-windowsstore.md) -- [RemoveWindowsStore_2](policy-csp-admx-windowsstore.md) - -## ADMX_WinInit - -- [Hiberboot](policy-csp-admx-wininit.md) -- [ShutdownTimeoutHungSessionsDescription](policy-csp-admx-wininit.md) -- [DisableNamedPipeShutdownPolicyDescription](policy-csp-admx-wininit.md) - -## ADMX_WinLogon - -- [CustomShell](policy-csp-admx-winlogon.md) -- [LogonHoursNotificationPolicyDescription](policy-csp-admx-winlogon.md) -- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) -- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md) -- [SoftwareSASGeneration](policy-csp-admx-winlogon.md) -- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md) -- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) - -## ADMX_Winsrv - -- [AllowBlockingAppsAtShutdown](policy-csp-admx-winsrv.md) - -## ADMX_wlansvc - -- [SetPINPreferred](policy-csp-admx-wlansvc.md) -- [SetPINEnforced](policy-csp-admx-wlansvc.md) -- [SetCost](policy-csp-admx-wlansvc.md) - -## ADMX_WordWheel - -- [CustomSearch](policy-csp-admx-wordwheel.md) - -## ADMX_WorkFoldersClient - -- [Pol_UserEnableTokenBroker](policy-csp-admx-workfoldersclient.md) -- [Pol_UserEnableWorkFolders](policy-csp-admx-workfoldersclient.md) -- [Pol_MachineEnableWorkFolders](policy-csp-admx-workfoldersclient.md) - -## ADMX_WPN - -- [QuietHoursDailyBeginMinute](policy-csp-admx-wpn.md) -- [QuietHoursDailyEndMinute](policy-csp-admx-wpn.md) -- [NoCallsDuringQuietHours](policy-csp-admx-wpn.md) -- [NoQuietHours](policy-csp-admx-wpn.md) -- [NoToastNotification](policy-csp-admx-wpn.md) -- [NoLockScreenToastNotification](policy-csp-admx-wpn.md) -- [NoToastNotification](policy-csp-admx-wpn.md) - -## AppRuntime - -- [AllowMicrosoftAccountsToBeOptional](policy-csp-appruntime.md) - -## AppVirtualization - -- [AllowAppVClient](policy-csp-appvirtualization.md) -- [ClientCoexistenceAllowMigrationmode](policy-csp-appvirtualization.md) -- [IntegrationAllowRootUser](policy-csp-appvirtualization.md) -- [IntegrationAllowRootGlobal](policy-csp-appvirtualization.md) -- [AllowRoamingFileExclusions](policy-csp-appvirtualization.md) -- [AllowRoamingRegistryExclusions](policy-csp-appvirtualization.md) -- [AllowPackageCleanup](policy-csp-appvirtualization.md) -- [AllowPublishingRefreshUX](policy-csp-appvirtualization.md) -- [PublishingAllowServer1](policy-csp-appvirtualization.md) -- [PublishingAllowServer2](policy-csp-appvirtualization.md) -- [PublishingAllowServer3](policy-csp-appvirtualization.md) -- [PublishingAllowServer4](policy-csp-appvirtualization.md) -- [PublishingAllowServer5](policy-csp-appvirtualization.md) -- [AllowReportingServer](policy-csp-appvirtualization.md) -- [AllowPackageScripts](policy-csp-appvirtualization.md) -- [StreamingAllowHighCostLaunch](policy-csp-appvirtualization.md) -- [StreamingAllowCertificateFilterForClient_SSL](policy-csp-appvirtualization.md) -- [StreamingSupportBranchCache](policy-csp-appvirtualization.md) -- [StreamingAllowLocationProvider](policy-csp-appvirtualization.md) -- [StreamingAllowPackageInstallationRoot](policy-csp-appvirtualization.md) -- [StreamingAllowPackageSourceRoot](policy-csp-appvirtualization.md) -- [StreamingAllowReestablishmentInterval](policy-csp-appvirtualization.md) -- [StreamingAllowReestablishmentRetries](policy-csp-appvirtualization.md) -- [StreamingSharedContentStoreMode](policy-csp-appvirtualization.md) -- [AllowStreamingAutoload](policy-csp-appvirtualization.md) -- [StreamingVerifyCertificateRevocationList](policy-csp-appvirtualization.md) -- [AllowDynamicVirtualization](policy-csp-appvirtualization.md) -- [VirtualComponentsAllowList](policy-csp-appvirtualization.md) - -## AttachmentManager - -- [DoNotPreserveZoneInformation](policy-csp-attachmentmanager.md) -- [HideZoneInfoMechanism](policy-csp-attachmentmanager.md) -- [NotifyAntivirusPrograms](policy-csp-attachmentmanager.md) - -## Autoplay - -- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) -- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) -- [TurnOffAutoPlay](policy-csp-autoplay.md) -- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) -- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) -- [TurnOffAutoPlay](policy-csp-autoplay.md) - -## Cellular - -- [ShowAppCellularAccessUI](policy-csp-cellular.md) - -## Connectivity - -- [HardenedUNCPaths](policy-csp-connectivity.md) -- [ProhibitInstallationAndConfigurationOfNetworkBridge](policy-csp-connectivity.md) -- [DisableDownloadingOfPrintDriversOverHTTP](policy-csp-connectivity.md) -- [DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](policy-csp-connectivity.md) -- [DiablePrintingOverHTTP](policy-csp-connectivity.md) - -## CredentialProviders - -- [BlockPicturePassword](policy-csp-credentialproviders.md) -- [AllowPINLogon](policy-csp-credentialproviders.md) - -## CredentialsDelegation - -- [RemoteHostAllowsDelegationOfNonExportableCredentials](policy-csp-credentialsdelegation.md) - -## CredentialsUI - -- [DisablePasswordReveal](policy-csp-credentialsui.md) -- [DisablePasswordReveal](policy-csp-credentialsui.md) -- [EnumerateAdministrators](policy-csp-credentialsui.md) - -## DataUsage - -- [SetCost3G](policy-csp-datausage.md) -- [SetCost4G](policy-csp-datausage.md) - -## DeliveryOptimization - -- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) -- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) - -## Desktop - -- [PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md) - -## DesktopAppInstaller - -- [EnableAppInstaller](policy-csp-desktopappinstaller.md) -- [EnableSettings](policy-csp-desktopappinstaller.md) -- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md) -- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md) -- [EnableHashOverride](policy-csp-desktopappinstaller.md) -- [EnableDefaultSource](policy-csp-desktopappinstaller.md) -- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md) -- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md) -- [EnableAdditionalSources](policy-csp-desktopappinstaller.md) -- [EnableAllowedSources](policy-csp-desktopappinstaller.md) -- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md) - -## DeviceInstallation - -- [PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) -- [PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) -- [PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) -- [PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) -- [EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md) -- [AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) -- [AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) -- [AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) -- [PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) - -## DeviceLock - -- [PreventLockScreenSlideShow](policy-csp-devicelock.md) -- [PreventEnablingLockScreenCamera](policy-csp-devicelock.md) - -## ErrorReporting - -- [DisableWindowsErrorReporting](policy-csp-errorreporting.md) -- [DisplayErrorNotification](policy-csp-errorreporting.md) -- [DoNotSendAdditionalData](policy-csp-errorreporting.md) -- [PreventCriticalErrorDisplay](policy-csp-errorreporting.md) -- [CustomizeConsentSettings](policy-csp-errorreporting.md) - -## EventLogService - -- [ControlEventLogBehavior](policy-csp-eventlogservice.md) -- [SpecifyMaximumFileSizeApplicationLog](policy-csp-eventlogservice.md) -- [SpecifyMaximumFileSizeSecurityLog](policy-csp-eventlogservice.md) -- [SpecifyMaximumFileSizeSystemLog](policy-csp-eventlogservice.md) - -## FileExplorer - -- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) -- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) - -## InternetExplorer - -- [AddSearchProvider](policy-csp-internetexplorer.md) -- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) -- [DisableProxyChange](policy-csp-internetexplorer.md) -- [DisableSearchProviderChange](policy-csp-internetexplorer.md) -- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) -- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) -- [AllowSuggestedSites](policy-csp-internetexplorer.md) -- [DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md) -- [DisableCompatView](policy-csp-internetexplorer.md) -- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) -- [DisableFirstRunWizard](policy-csp-internetexplorer.md) -- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) -- [DisableGeolocation](policy-csp-internetexplorer.md) -- [DisableHomePageChange](policy-csp-internetexplorer.md) -- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) -- [NewTabDefaultPage](policy-csp-internetexplorer.md) -- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) -- [SearchProviderList](policy-csp-internetexplorer.md) -- [AllowActiveXFiltering](policy-csp-internetexplorer.md) -- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) -- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) -- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) -- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) -- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) -- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) -- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) -- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) -- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) -- [JScriptReplacement](policy-csp-internetexplorer.md) -- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) -- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) -- [DisableEncryptionSupport](policy-csp-internetexplorer.md) -- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) -- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) -- [IncludeAllLocalSites](policy-csp-internetexplorer.md) -- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) -- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) -- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [AllowAddOnList](policy-csp-internetexplorer.md) -- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) -- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) -- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) -- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) -- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) -- [AllowOneWordEntry](policy-csp-internetexplorer.md) -- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) -- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) -- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) -- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) -- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) -- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) -- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) -- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) -- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) -- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) -- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) -- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) -- [DisableConfiguringHistory](policy-csp-internetexplorer.md) -- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) -- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) -- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) -- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) -- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) -- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) -- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) -- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) -- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) -- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) -- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) -- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) -- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) -- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) -- [DisableCrashDetection](policy-csp-internetexplorer.md) -- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) -- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) -- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) -- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) -- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) -- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) -- [AllowAutoComplete](policy-csp-internetexplorer.md) -- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) -- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) -- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) -- [DisableHTMLApplication](policy-csp-internetexplorer.md) -- [AddSearchProvider](policy-csp-internetexplorer.md) -- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) -- [DisableUpdateCheck](policy-csp-internetexplorer.md) -- [DisableProxyChange](policy-csp-internetexplorer.md) -- [DisableSearchProviderChange](policy-csp-internetexplorer.md) -- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) -- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) -- [AllowSuggestedSites](policy-csp-internetexplorer.md) -- [DisableCompatView](policy-csp-internetexplorer.md) -- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) -- [DisableFirstRunWizard](policy-csp-internetexplorer.md) -- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) -- [DisableGeolocation](policy-csp-internetexplorer.md) -- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) -- [NewTabDefaultPage](policy-csp-internetexplorer.md) -- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) -- [SearchProviderList](policy-csp-internetexplorer.md) -- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md) -- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md) -- [AllowActiveXFiltering](policy-csp-internetexplorer.md) -- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) -- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) -- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) -- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) -- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) -- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) -- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) -- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) -- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) -- [JScriptReplacement](policy-csp-internetexplorer.md) -- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) -- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) -- [DisableEncryptionSupport](policy-csp-internetexplorer.md) -- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) -- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) -- [IncludeAllLocalSites](policy-csp-internetexplorer.md) -- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) -- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) -- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) -- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) -- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) -- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) -- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) -- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) -- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) -- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) -- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) -- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) -- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) -- [AllowAddOnList](policy-csp-internetexplorer.md) -- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) -- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) -- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) -- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) -- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) -- [AllowOneWordEntry](policy-csp-internetexplorer.md) -- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) -- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) -- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) -- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) -- [AllowFallbackToSSL3](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) -- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) -- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) -- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) -- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) -- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) -- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) -- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) -- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) -- [DisableConfiguringHistory](policy-csp-internetexplorer.md) -- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) -- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) -- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) -- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) -- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) -- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) -- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) -- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) -- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) -- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) -- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) -- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) -- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) -- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) -- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) -- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md) -- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) -- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) -- [DisableCrashDetection](policy-csp-internetexplorer.md) -- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) -- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) -- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) -- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) -- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) -- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) -- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) -- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) -- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) -- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) -- [DisableHTMLApplication](policy-csp-internetexplorer.md) - -## Kerberos - -- [RequireKerberosArmoring](policy-csp-kerberos.md) -- [KerberosClientSupportsClaimsCompoundArmor](policy-csp-kerberos.md) -- [RequireStrictKDCValidation](policy-csp-kerberos.md) -- [SetMaximumContextTokenSize](policy-csp-kerberos.md) -- [AllowForestSearchOrder](policy-csp-kerberos.md) - -## LocalSecurityAuthority - -- [AllowCustomSSPsAPs](policy-csp-lsa.md) - -## MixedReality - -- [ConfigureNtpClient](policy-csp-mixedreality.md) -- [NtpClientEnabled](policy-csp-mixedreality.md) - -## MSSecurityGuide - -- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md) -- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md) -- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md) -- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md) -- [WDigestAuthentication](policy-csp-mssecurityguide.md) -- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md) - -## MSSLegacy - -- [IPv6SourceRoutingProtectionLevel](policy-csp-msslegacy.md) -- [IPSourceRoutingProtectionLevel](policy-csp-msslegacy.md) -- [AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](policy-csp-msslegacy.md) -- [AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](policy-csp-msslegacy.md) - -## Power - -- [AllowStandbyWhenSleepingPluggedIn](policy-csp-power.md) -- [RequirePasswordWhenComputerWakesOnBattery](policy-csp-power.md) -- [RequirePasswordWhenComputerWakesPluggedIn](policy-csp-power.md) -- [StandbyTimeoutPluggedIn](policy-csp-power.md) -- [StandbyTimeoutOnBattery](policy-csp-power.md) -- [HibernateTimeoutPluggedIn](policy-csp-power.md) -- [HibernateTimeoutOnBattery](policy-csp-power.md) -- [DisplayOffTimeoutPluggedIn](policy-csp-power.md) -- [DisplayOffTimeoutOnBattery](policy-csp-power.md) -- [AllowStandbyStatesWhenSleepingOnBattery](policy-csp-power.md) - -## Printers - -- [PointAndPrintRestrictions_User](policy-csp-printers.md) -- [EnableDeviceControlUser](policy-csp-printers.md) -- [ApprovedUsbPrintDevicesUser](policy-csp-printers.md) -- [PointAndPrintRestrictions](policy-csp-printers.md) -- [PublishPrinters](policy-csp-printers.md) -- [EnableDeviceControl](policy-csp-printers.md) -- [ApprovedUsbPrintDevices](policy-csp-printers.md) -- [RestrictDriverInstallationToAdministrators](policy-csp-printers.md) -- [ConfigureCopyFilesPolicy](policy-csp-printers.md) -- [ConfigureDriverValidationLevel](policy-csp-printers.md) -- [ManageDriverExclusionList](policy-csp-printers.md) -- [ConfigureRpcListenerPolicy](policy-csp-printers.md) -- [ConfigureRpcConnectionPolicy](policy-csp-printers.md) -- [ConfigureRpcTcpPort](policy-csp-printers.md) -- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md) -- [ConfigureIppPageCountsPolicy](policy-csp-printers.md) -- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) - -## RemoteAssistance - -- [UnsolicitedRemoteAssistance](policy-csp-remoteassistance.md) -- [SolicitedRemoteAssistance](policy-csp-remoteassistance.md) -- [CustomizeWarningMessages](policy-csp-remoteassistance.md) -- [SessionLogging](policy-csp-remoteassistance.md) - -## RemoteDesktopServices - -- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md) -- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md) -- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md) -- [PromptForPasswordUponConnection](policy-csp-remotedesktopservices.md) -- [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md) -- [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md) -- [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md) - -## RemoteManagement - -- [AllowBasicAuthentication_Client](policy-csp-remotemanagement.md) -- [AllowBasicAuthentication_Service](policy-csp-remotemanagement.md) -- [AllowUnencryptedTraffic_Client](policy-csp-remotemanagement.md) -- [AllowUnencryptedTraffic_Service](policy-csp-remotemanagement.md) -- [DisallowDigestAuthentication](policy-csp-remotemanagement.md) -- [DisallowStoringOfRunAsCredentials](policy-csp-remotemanagement.md) -- [AllowCredSSPAuthenticationClient](policy-csp-remotemanagement.md) -- [AllowCredSSPAuthenticationService](policy-csp-remotemanagement.md) -- [DisallowNegotiateAuthenticationClient](policy-csp-remotemanagement.md) -- [DisallowNegotiateAuthenticationService](policy-csp-remotemanagement.md) -- [TrustedHosts](policy-csp-remotemanagement.md) -- [AllowRemoteServerManagement](policy-csp-remotemanagement.md) -- [SpecifyChannelBindingTokenHardeningLevel](policy-csp-remotemanagement.md) -- [TurnOnCompatibilityHTTPListener](policy-csp-remotemanagement.md) -- [TurnOnCompatibilityHTTPSListener](policy-csp-remotemanagement.md) - -## RemoteProcedureCall - -- [RPCEndpointMapperClientAuthentication](policy-csp-remoteprocedurecall.md) -- [RestrictUnauthenticatedRPCClients](policy-csp-remoteprocedurecall.md) - -## RemoteShell - -- [AllowRemoteShellAccess](policy-csp-remoteshell.md) -- [SpecifyIdleTimeout](policy-csp-remoteshell.md) -- [MaxConcurrentUsers](policy-csp-remoteshell.md) -- [SpecifyMaxMemory](policy-csp-remoteshell.md) -- [SpecifyMaxProcesses](policy-csp-remoteshell.md) -- [SpecifyMaxRemoteShells](policy-csp-remoteshell.md) -- [SpecifyShellTimeout](policy-csp-remoteshell.md) - -## ServiceControlManager - -- [SvchostProcessMitigation](policy-csp-servicecontrolmanager.md) - -## SettingsSync - -- [DisableAccessibilitySettingSync](policy-csp-settingssync.md) -- [DisableLanguageSettingSync](policy-csp-settingssync.md) - -## Storage - -- [WPDDevicesDenyReadAccessPerUser](policy-csp-storage.md) -- [WPDDevicesDenyWriteAccessPerUser](policy-csp-storage.md) -- [EnhancedStorageDevices](policy-csp-storage.md) -- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md) -- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md) - -## System - -- [BootStartDriverInitialization](policy-csp-system.md) -- [DisableSystemRestore](policy-csp-system.md) - -## TenantRestrictions - -- [ConfigureTenantRestrictions](policy-csp-tenantrestrictions.md) - -## WindowsConnectionManager - -- [ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](policy-csp-windowsconnectionmanager.md) - -## WindowsLogon - -- [DontDisplayNetworkSelectionUI](policy-csp-windowslogon.md) -- [DisableLockScreenAppNotifications](policy-csp-windowslogon.md) -- [EnumerateLocalUsersOnDomainJoinedComputers](policy-csp-windowslogon.md) -- [AllowAutomaticRestartSignOn](policy-csp-windowslogon.md) -- [ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md) -- [EnableMPRNotifications](policy-csp-windowslogon.md) - -## WindowsPowerShell - -- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) -- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) - ## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 6c10428c97..dfa2574c13 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 12/08/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,924 +17,6 @@ ms.topic: reference This article lists the policies in Policy CSP that have a group policy mapping. -## AboveLock - -- [AllowCortanaAboveLock](policy-csp-abovelock.md) - -## Accounts - -- [RestrictToEnterpriseDeviceAuthenticationOnly](policy-csp-accounts.md) - -## ApplicationDefaults - -- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md) -- [EnableAppUriHandlers](policy-csp-applicationdefaults.md) - -## ApplicationManagement - -- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) -- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) -- [AllowAllTrustedApps](policy-csp-applicationmanagement.md) -- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md) -- [AllowAutomaticAppArchiving](policy-csp-applicationmanagement.md) -- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md) -- [AllowGameDVR](policy-csp-applicationmanagement.md) -- [AllowSharedUserAppData](policy-csp-applicationmanagement.md) -- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) -- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) -- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md) -- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md) -- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md) -- [DisableStoreOriginatedApps](policy-csp-applicationmanagement.md) -- [BlockNonAdminUserInstall](policy-csp-applicationmanagement.md) - -## Audit - -- [AccountLogon_AuditCredentialValidation](policy-csp-audit.md) -- [AccountLogon_AuditKerberosAuthenticationService](policy-csp-audit.md) -- [AccountLogon_AuditKerberosServiceTicketOperations](policy-csp-audit.md) -- [AccountLogon_AuditOtherAccountLogonEvents](policy-csp-audit.md) -- [AccountManagement_AuditApplicationGroupManagement](policy-csp-audit.md) -- [AccountManagement_AuditComputerAccountManagement](policy-csp-audit.md) -- [AccountManagement_AuditDistributionGroupManagement](policy-csp-audit.md) -- [AccountManagement_AuditOtherAccountManagementEvents](policy-csp-audit.md) -- [AccountManagement_AuditSecurityGroupManagement](policy-csp-audit.md) -- [AccountManagement_AuditUserAccountManagement](policy-csp-audit.md) -- [DetailedTracking_AuditDPAPIActivity](policy-csp-audit.md) -- [DetailedTracking_AuditPNPActivity](policy-csp-audit.md) -- [DetailedTracking_AuditProcessCreation](policy-csp-audit.md) -- [DetailedTracking_AuditProcessTermination](policy-csp-audit.md) -- [DetailedTracking_AuditRPCEvents](policy-csp-audit.md) -- [DetailedTracking_AuditTokenRightAdjusted](policy-csp-audit.md) -- [DSAccess_AuditDetailedDirectoryServiceReplication](policy-csp-audit.md) -- [DSAccess_AuditDirectoryServiceAccess](policy-csp-audit.md) -- [DSAccess_AuditDirectoryServiceChanges](policy-csp-audit.md) -- [DSAccess_AuditDirectoryServiceReplication](policy-csp-audit.md) -- [AccountLogonLogoff_AuditAccountLockout](policy-csp-audit.md) -- [AccountLogonLogoff_AuditUserDeviceClaims](policy-csp-audit.md) -- [AccountLogonLogoff_AuditGroupMembership](policy-csp-audit.md) -- [AccountLogonLogoff_AuditIPsecExtendedMode](policy-csp-audit.md) -- [AccountLogonLogoff_AuditIPsecMainMode](policy-csp-audit.md) -- [AccountLogonLogoff_AuditIPsecQuickMode](policy-csp-audit.md) -- [AccountLogonLogoff_AuditLogoff](policy-csp-audit.md) -- [AccountLogonLogoff_AuditLogon](policy-csp-audit.md) -- [AccountLogonLogoff_AuditNetworkPolicyServer](policy-csp-audit.md) -- [AccountLogonLogoff_AuditOtherLogonLogoffEvents](policy-csp-audit.md) -- [AccountLogonLogoff_AuditSpecialLogon](policy-csp-audit.md) -- [ObjectAccess_AuditApplicationGenerated](policy-csp-audit.md) -- [ObjectAccess_AuditCertificationServices](policy-csp-audit.md) -- [ObjectAccess_AuditDetailedFileShare](policy-csp-audit.md) -- [ObjectAccess_AuditFileShare](policy-csp-audit.md) -- [ObjectAccess_AuditFileSystem](policy-csp-audit.md) -- [ObjectAccess_AuditFilteringPlatformConnection](policy-csp-audit.md) -- [ObjectAccess_AuditFilteringPlatformPacketDrop](policy-csp-audit.md) -- [ObjectAccess_AuditHandleManipulation](policy-csp-audit.md) -- [ObjectAccess_AuditKernelObject](policy-csp-audit.md) -- [ObjectAccess_AuditOtherObjectAccessEvents](policy-csp-audit.md) -- [ObjectAccess_AuditRegistry](policy-csp-audit.md) -- [ObjectAccess_AuditRemovableStorage](policy-csp-audit.md) -- [ObjectAccess_AuditSAM](policy-csp-audit.md) -- [ObjectAccess_AuditCentralAccessPolicyStaging](policy-csp-audit.md) -- [PolicyChange_AuditPolicyChange](policy-csp-audit.md) -- [PolicyChange_AuditAuthenticationPolicyChange](policy-csp-audit.md) -- [PolicyChange_AuditAuthorizationPolicyChange](policy-csp-audit.md) -- [PolicyChange_AuditFilteringPlatformPolicyChange](policy-csp-audit.md) -- [PolicyChange_AuditMPSSVCRuleLevelPolicyChange](policy-csp-audit.md) -- [PolicyChange_AuditOtherPolicyChangeEvents](policy-csp-audit.md) -- [PrivilegeUse_AuditNonSensitivePrivilegeUse](policy-csp-audit.md) -- [PrivilegeUse_AuditOtherPrivilegeUseEvents](policy-csp-audit.md) -- [PrivilegeUse_AuditSensitivePrivilegeUse](policy-csp-audit.md) -- [System_AuditIPsecDriver](policy-csp-audit.md) -- [System_AuditOtherSystemEvents](policy-csp-audit.md) -- [System_AuditSecurityStateChange](policy-csp-audit.md) -- [System_AuditSecuritySystemExtension](policy-csp-audit.md) -- [System_AuditSystemIntegrity](policy-csp-audit.md) - -## Authentication - -- [AllowSecondaryAuthenticationDevice](policy-csp-authentication.md) - -## BITS - -- [JobInactivityTimeout](policy-csp-bits.md) -- [BandwidthThrottlingStartTime](policy-csp-bits.md) -- [BandwidthThrottlingEndTime](policy-csp-bits.md) -- [BandwidthThrottlingTransferRate](policy-csp-bits.md) -- [CostedNetworkBehaviorForegroundPriority](policy-csp-bits.md) -- [CostedNetworkBehaviorBackgroundPriority](policy-csp-bits.md) - -## Browser - -- [AllowAddressBarDropdown](policy-csp-browser.md) -- [AllowAutofill](policy-csp-browser.md) -- [AllowCookies](policy-csp-browser.md) -- [AllowDeveloperTools](policy-csp-browser.md) -- [AllowDoNotTrack](policy-csp-browser.md) -- [AllowExtensions](policy-csp-browser.md) -- [AllowFlash](policy-csp-browser.md) -- [AllowFlashClickToRun](policy-csp-browser.md) -- [AllowFullScreenMode](policy-csp-browser.md) -- [AllowInPrivate](policy-csp-browser.md) -- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) -- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) -- [AllowPasswordManager](policy-csp-browser.md) -- [AllowPopups](policy-csp-browser.md) -- [AllowPrinting](policy-csp-browser.md) -- [AllowSavingHistory](policy-csp-browser.md) -- [AllowSearchEngineCustomization](policy-csp-browser.md) -- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) -- [AllowSideloadingOfExtensions](policy-csp-browser.md) -- [AllowSmartScreen](policy-csp-browser.md) -- [AllowWebContentOnNewTabPage](policy-csp-browser.md) -- [AlwaysEnableBooksLibrary](policy-csp-browser.md) -- [ClearBrowsingDataOnExit](policy-csp-browser.md) -- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) -- [ConfigureFavoritesBar](policy-csp-browser.md) -- [ConfigureHomeButton](policy-csp-browser.md) -- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) -- [DisableLockdownOfStartPages](policy-csp-browser.md) -- [EnableExtendedBooksTelemetry](policy-csp-browser.md) -- [AllowTabPreloading](policy-csp-browser.md) -- [AllowPrelaunch](policy-csp-browser.md) -- [EnterpriseModeSiteList](policy-csp-browser.md) -- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) -- [HomePages](policy-csp-browser.md) -- [LockdownFavorites](policy-csp-browser.md) -- [ConfigureKioskMode](policy-csp-browser.md) -- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) -- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) -- [PreventFirstRunPage](policy-csp-browser.md) -- [PreventCertErrorOverrides](policy-csp-browser.md) -- [PreventSmartScreenPromptOverride](policy-csp-browser.md) -- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) -- [PreventLiveTileDataCollection](policy-csp-browser.md) -- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) -- [ProvisionFavorites](policy-csp-browser.md) -- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) -- [SetDefaultSearchEngine](policy-csp-browser.md) -- [SetHomeButtonURL](policy-csp-browser.md) -- [SetNewTabPageURL](policy-csp-browser.md) -- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) -- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) -- [UnlockHomeButton](policy-csp-browser.md) -- [UseSharedFolderForBooks](policy-csp-browser.md) -- [AllowAddressBarDropdown](policy-csp-browser.md) -- [AllowAutofill](policy-csp-browser.md) -- [AllowCookies](policy-csp-browser.md) -- [AllowDeveloperTools](policy-csp-browser.md) -- [AllowDoNotTrack](policy-csp-browser.md) -- [AllowExtensions](policy-csp-browser.md) -- [AllowFlash](policy-csp-browser.md) -- [AllowFlashClickToRun](policy-csp-browser.md) -- [AllowFullScreenMode](policy-csp-browser.md) -- [AllowInPrivate](policy-csp-browser.md) -- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) -- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) -- [AllowPasswordManager](policy-csp-browser.md) -- [AllowPopups](policy-csp-browser.md) -- [AllowPrinting](policy-csp-browser.md) -- [AllowSavingHistory](policy-csp-browser.md) -- [AllowSearchEngineCustomization](policy-csp-browser.md) -- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) -- [AllowSideloadingOfExtensions](policy-csp-browser.md) -- [AllowSmartScreen](policy-csp-browser.md) -- [AllowWebContentOnNewTabPage](policy-csp-browser.md) -- [AlwaysEnableBooksLibrary](policy-csp-browser.md) -- [ClearBrowsingDataOnExit](policy-csp-browser.md) -- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) -- [ConfigureFavoritesBar](policy-csp-browser.md) -- [ConfigureHomeButton](policy-csp-browser.md) -- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) -- [DisableLockdownOfStartPages](policy-csp-browser.md) -- [EnableExtendedBooksTelemetry](policy-csp-browser.md) -- [AllowTabPreloading](policy-csp-browser.md) -- [AllowPrelaunch](policy-csp-browser.md) -- [EnterpriseModeSiteList](policy-csp-browser.md) -- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) -- [HomePages](policy-csp-browser.md) -- [LockdownFavorites](policy-csp-browser.md) -- [ConfigureKioskMode](policy-csp-browser.md) -- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) -- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) -- [PreventFirstRunPage](policy-csp-browser.md) -- [PreventCertErrorOverrides](policy-csp-browser.md) -- [PreventSmartScreenPromptOverride](policy-csp-browser.md) -- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) -- [PreventLiveTileDataCollection](policy-csp-browser.md) -- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) -- [ProvisionFavorites](policy-csp-browser.md) -- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) -- [SetDefaultSearchEngine](policy-csp-browser.md) -- [SetHomeButtonURL](policy-csp-browser.md) -- [SetNewTabPageURL](policy-csp-browser.md) -- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) -- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) -- [UnlockHomeButton](policy-csp-browser.md) -- [UseSharedFolderForBooks](policy-csp-browser.md) - -## Camera - -- [AllowCamera](policy-csp-camera.md) - -## Cellular - -- [LetAppsAccessCellularData](policy-csp-cellular.md) -- [LetAppsAccessCellularData_ForceAllowTheseApps](policy-csp-cellular.md) -- [LetAppsAccessCellularData_ForceDenyTheseApps](policy-csp-cellular.md) -- [LetAppsAccessCellularData_UserInControlOfTheseApps](policy-csp-cellular.md) - -## Connectivity - -- [AllowCellularDataRoaming](policy-csp-connectivity.md) -- [AllowPhonePCLinking](policy-csp-connectivity.md) -- [DisallowNetworkConnectivityActiveTests](policy-csp-connectivity.md) - -## Cryptography - -- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md) - -## Defender - -- [AllowArchiveScanning](policy-csp-defender.md) -- [AllowBehaviorMonitoring](policy-csp-defender.md) -- [AllowCloudProtection](policy-csp-defender.md) -- [AllowEmailScanning](policy-csp-defender.md) -- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md) -- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md) -- [AllowIOAVProtection](policy-csp-defender.md) -- [AllowOnAccessProtection](policy-csp-defender.md) -- [AllowRealtimeMonitoring](policy-csp-defender.md) -- [AllowScanningNetworkFiles](policy-csp-defender.md) -- [AllowUserUIAccess](policy-csp-defender.md) -- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md) -- [AttackSurfaceReductionRules](policy-csp-defender.md) -- [AvgCPULoadFactor](policy-csp-defender.md) -- [CloudBlockLevel](policy-csp-defender.md) -- [CloudExtendedTimeout](policy-csp-defender.md) -- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md) -- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md) -- [SecurityIntelligenceLocation](policy-csp-defender.md) -- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md) -- [DaysToRetainCleanedMalware](policy-csp-defender.md) -- [DisableCatchupFullScan](policy-csp-defender.md) -- [DisableCatchupQuickScan](policy-csp-defender.md) -- [EnableControlledFolderAccess](policy-csp-defender.md) -- [EnableLowCPUPriority](policy-csp-defender.md) -- [EnableNetworkProtection](policy-csp-defender.md) -- [ExcludedPaths](policy-csp-defender.md) -- [ExcludedExtensions](policy-csp-defender.md) -- [ExcludedProcesses](policy-csp-defender.md) -- [PUAProtection](policy-csp-defender.md) -- [RealTimeScanDirection](policy-csp-defender.md) -- [ScanParameter](policy-csp-defender.md) -- [ScheduleQuickScanTime](policy-csp-defender.md) -- [ScheduleScanDay](policy-csp-defender.md) -- [ScheduleScanTime](policy-csp-defender.md) -- [SignatureUpdateFallbackOrder](policy-csp-defender.md) -- [SignatureUpdateFileSharesSources](policy-csp-defender.md) -- [SignatureUpdateInterval](policy-csp-defender.md) -- [SubmitSamplesConsent](policy-csp-defender.md) -- [ThreatSeverityDefaultAction](policy-csp-defender.md) - -## DeliveryOptimization - -- [DODownloadMode](policy-csp-deliveryoptimization.md) -- [DOGroupId](policy-csp-deliveryoptimization.md) -- [DOMaxCacheSize](policy-csp-deliveryoptimization.md) -- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md) -- [DOMaxCacheAge](policy-csp-deliveryoptimization.md) -- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md) -- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md) -- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md) -- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) -- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) -- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md) -- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md) -- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md) -- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md) -- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md) -- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md) -- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md) -- [DOCacheHost](policy-csp-deliveryoptimization.md) -- [DOCacheHostSource](policy-csp-deliveryoptimization.md) -- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md) -- [DOGroupIdSource](policy-csp-deliveryoptimization.md) -- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md) -- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md) -- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md) -- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md) -- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md) -- [DOVpnKeywords](policy-csp-deliveryoptimization.md) - -## DeviceGuard - -- [EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) -- [RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) -- [LsaCfgFlags](policy-csp-deviceguard.md) -- [ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) - -## DeviceLock - -- [MinimumPasswordAge](policy-csp-devicelock.md) -- [MaximumPasswordAge](policy-csp-devicelock.md) -- [ClearTextPassword](policy-csp-devicelock.md) -- [PasswordComplexity](policy-csp-devicelock.md) -- [PasswordHistorySize](policy-csp-devicelock.md) - -## Display - -- [EnablePerProcessDpi](policy-csp-display.md) -- [TurnOnGdiDPIScalingForApps](policy-csp-display.md) -- [TurnOffGdiDPIScalingForApps](policy-csp-display.md) -- [EnablePerProcessDpi](policy-csp-display.md) -- [EnablePerProcessDpiForApps](policy-csp-display.md) -- [DisablePerProcessDpiForApps](policy-csp-display.md) - -## DmaGuard - -- [DeviceEnumerationPolicy](policy-csp-dmaguard.md) - -## Education - -- [AllowGraphingCalculator](policy-csp-education.md) -- [PreventAddingNewPrinters](policy-csp-education.md) - -## Experience - -- [AllowSpotlightCollection](policy-csp-experience.md) -- [AllowThirdPartySuggestionsInWindowsSpotlight](policy-csp-experience.md) -- [AllowWindowsSpotlight](policy-csp-experience.md) -- [AllowWindowsSpotlightOnActionCenter](policy-csp-experience.md) -- [AllowWindowsSpotlightOnSettings](policy-csp-experience.md) -- [AllowWindowsSpotlightWindowsWelcomeExperience](policy-csp-experience.md) -- [AllowTailoredExperiencesWithDiagnosticData](policy-csp-experience.md) -- [ConfigureWindowsSpotlightOnLockScreen](policy-csp-experience.md) -- [AllowCortana](policy-csp-experience.md) -- [AllowWindowsConsumerFeatures](policy-csp-experience.md) -- [AllowWindowsTips](policy-csp-experience.md) -- [DoNotShowFeedbackNotifications](policy-csp-experience.md) -- [AllowFindMyDevice](policy-csp-experience.md) -- [AllowClipboardHistory](policy-csp-experience.md) -- [DoNotSyncBrowserSettings](policy-csp-experience.md) -- [PreventUsersFromTurningOnBrowserSyncing](policy-csp-experience.md) -- [ShowLockOnUserTile](policy-csp-experience.md) -- [DisableCloudOptimizedContent](policy-csp-experience.md) -- [DisableConsumerAccountStateContent](policy-csp-experience.md) -- [ConfigureChatIcon](policy-csp-experience.md) - -## ExploitGuard - -- [ExploitProtectionSettings](policy-csp-exploitguard.md) - -## FileExplorer - -- [DisableGraphRecentItems](policy-csp-fileexplorer.md) - -## Handwriting - -- [PanelDefaultModeDocked](policy-csp-handwriting.md) - -## HumanPresence - -- [ForceInstantWake](policy-csp-humanpresence.md) -- [ForceInstantLock](policy-csp-humanpresence.md) -- [ForceLockTimeout](policy-csp-humanpresence.md) -- [ForceInstantDim](policy-csp-humanpresence.md) - -## Kerberos - -- [PKInitHashAlgorithmConfiguration](policy-csp-kerberos.md) -- [PKInitHashAlgorithmSHA1](policy-csp-kerberos.md) -- [PKInitHashAlgorithmSHA256](policy-csp-kerberos.md) -- [PKInitHashAlgorithmSHA384](policy-csp-kerberos.md) -- [PKInitHashAlgorithmSHA512](policy-csp-kerberos.md) -- [CloudKerberosTicketRetrievalEnabled](policy-csp-kerberos.md) - -## LanmanWorkstation - -- [EnableInsecureGuestLogons](policy-csp-lanmanworkstation.md) - -## Licensing - -- [AllowWindowsEntitlementReactivation](policy-csp-licensing.md) -- [DisallowKMSClientOnlineAVSValidation](policy-csp-licensing.md) - -## LocalPoliciesSecurityOptions - -- [Accounts_EnableAdministratorAccountStatus](policy-csp-localpoliciessecurityoptions.md) -- [Accounts_BlockMicrosoftAccounts](policy-csp-localpoliciessecurityoptions.md) -- [Accounts_EnableGuestAccountStatus](policy-csp-localpoliciessecurityoptions.md) -- [Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](policy-csp-localpoliciessecurityoptions.md) -- [Accounts_RenameAdministratorAccount](policy-csp-localpoliciessecurityoptions.md) -- [Accounts_RenameGuestAccount](policy-csp-localpoliciessecurityoptions.md) -- [Devices_AllowUndockWithoutHavingToLogon](policy-csp-localpoliciessecurityoptions.md) -- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md) -- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md) -- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) -- [InteractiveLogon_SmartCardRemovalBehavior](policy-csp-localpoliciessecurityoptions.md) -- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) -- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md) -- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md) -- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) -- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md) -- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md) -- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md) -- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md) -- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md) -- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_AllowPKU2UAuthenticationRequests](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_LANManagerAuthenticationLevel](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) -- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md) -- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md) -- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md) -- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md) - -## LocalSecurityAuthority - -- [ConfigureLsaProtectedProcess](policy-csp-lsa.md) - -## LockDown - -- [AllowEdgeSwipe](policy-csp-lockdown.md) - -## Maps - -- [EnableOfflineMapsAutoUpdate](policy-csp-maps.md) - -## Messaging - -- [AllowMessageSync](policy-csp-messaging.md) - -## Multitasking - -- [BrowserAltTabBlowout](policy-csp-multitasking.md) - -## NetworkIsolation - -- [EnterpriseCloudResources](policy-csp-networkisolation.md) -- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md) -- [EnterpriseIPRange](policy-csp-networkisolation.md) -- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md) -- [EnterpriseProxyServers](policy-csp-networkisolation.md) -- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md) -- [NeutralResources](policy-csp-networkisolation.md) - -## NewsAndInterests - -- [AllowNewsAndInterests](policy-csp-newsandinterests.md) - -## Notifications - -- [DisallowNotificationMirroring](policy-csp-notifications.md) -- [DisallowTileNotification](policy-csp-notifications.md) -- [DisallowCloudNotification](policy-csp-notifications.md) -- [WnsEndpoint](policy-csp-notifications.md) - -## Power - -- [EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md) -- [EnergySaverBatteryThresholdOnBattery](policy-csp-power.md) -- [SelectPowerButtonActionPluggedIn](policy-csp-power.md) -- [SelectPowerButtonActionOnBattery](policy-csp-power.md) -- [SelectSleepButtonActionPluggedIn](policy-csp-power.md) -- [SelectSleepButtonActionOnBattery](policy-csp-power.md) -- [SelectLidCloseActionPluggedIn](policy-csp-power.md) -- [SelectLidCloseActionOnBattery](policy-csp-power.md) -- [TurnOffHybridSleepPluggedIn](policy-csp-power.md) -- [TurnOffHybridSleepOnBattery](policy-csp-power.md) -- [UnattendedSleepTimeoutPluggedIn](policy-csp-power.md) -- [UnattendedSleepTimeoutOnBattery](policy-csp-power.md) - -## Privacy - -- [DisablePrivacyExperience](policy-csp-privacy.md) -- [DisableAdvertisingId](policy-csp-privacy.md) -- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md) -- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsRunInBackground](policy-csp-privacy.md) -- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md) -- [AllowInputPersonalization](policy-csp-privacy.md) -- [LetAppsAccessAccountInfo](policy-csp-privacy.md) -- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCalendar](policy-csp-privacy.md) -- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCallHistory](policy-csp-privacy.md) -- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCamera](policy-csp-privacy.md) -- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessContacts](policy-csp-privacy.md) -- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessEmail](policy-csp-privacy.md) -- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureProgrammatic](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureWithoutBorder](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessLocation](policy-csp-privacy.md) -- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMessaging](policy-csp-privacy.md) -- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMicrophone](policy-csp-privacy.md) -- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMotion](policy-csp-privacy.md) -- [LetAppsAccessMotion_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMotion_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessMotion_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessNotifications](policy-csp-privacy.md) -- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessPhone](policy-csp-privacy.md) -- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessRadios](policy-csp-privacy.md) -- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessTasks](policy-csp-privacy.md) -- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsAccessTrustedDevices](policy-csp-privacy.md) -- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md) -- [LetAppsSyncWithDevices](policy-csp-privacy.md) -- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md) -- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md) -- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md) -- [EnableActivityFeed](policy-csp-privacy.md) -- [PublishUserActivities](policy-csp-privacy.md) -- [UploadUserActivities](policy-csp-privacy.md) -- [AllowCrossDeviceClipboard](policy-csp-privacy.md) -- [DisablePrivacyExperience](policy-csp-privacy.md) -- [LetAppsActivateWithVoice](policy-csp-privacy.md) -- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md) - -## RemoteDesktop - -- [AutoSubscription](policy-csp-remotedesktop.md) - -## Search - -- [AllowIndexingEncryptedStoresOrItems](policy-csp-search.md) -- [AllowSearchToUseLocation](policy-csp-search.md) -- [AllowUsingDiacritics](policy-csp-search.md) -- [AlwaysUseAutoLangDetection](policy-csp-search.md) -- [DisableBackoff](policy-csp-search.md) -- [DisableRemovableDriveIndexing](policy-csp-search.md) -- [DisableSearch](policy-csp-search.md) -- [PreventIndexingLowDiskSpaceMB](policy-csp-search.md) -- [PreventRemoteQueries](policy-csp-search.md) -- [AllowCloudSearch](policy-csp-search.md) -- [DoNotUseWebResults](policy-csp-search.md) -- [AllowCortanaInAAD](policy-csp-search.md) -- [AllowFindMyFiles](policy-csp-search.md) -- [AllowSearchHighlights](policy-csp-search.md) - -## Security - -- [ClearTPMIfNotReady](policy-csp-security.md) - -## Settings - -- [ConfigureTaskbarCalendar](policy-csp-settings.md) -- [PageVisibilityList](policy-csp-settings.md) -- [PageVisibilityList](policy-csp-settings.md) -- [AllowOnlineTips](policy-csp-settings.md) - -## SmartScreen - -- [EnableSmartScreenInShell](policy-csp-smartscreen.md) -- [PreventOverrideForFilesInShell](policy-csp-smartscreen.md) -- [EnableAppInstallControl](policy-csp-smartscreen.md) - -## Speech - -- [AllowSpeechModelUpdate](policy-csp-speech.md) - -## Start - -- [ForceStartSize](policy-csp-start.md) -- [DisableContextMenus](policy-csp-start.md) -- [ShowOrHideMostUsedApps](policy-csp-start.md) -- [HideFrequentlyUsedApps](policy-csp-start.md) -- [HideRecentlyAddedApps](policy-csp-start.md) -- [HidePeopleBar](policy-csp-start.md) -- [StartLayout](policy-csp-start.md) -- [ConfigureStartPins](policy-csp-start.md) -- [HideRecommendedSection](policy-csp-start.md) -- [HideTaskViewButton](policy-csp-start.md) -- [DisableControlCenter](policy-csp-start.md) -- [ForceStartSize](policy-csp-start.md) -- [DisableContextMenus](policy-csp-start.md) -- [ShowOrHideMostUsedApps](policy-csp-start.md) -- [HideFrequentlyUsedApps](policy-csp-start.md) -- [HideRecentlyAddedApps](policy-csp-start.md) -- [StartLayout](policy-csp-start.md) -- [ConfigureStartPins](policy-csp-start.md) -- [HideRecommendedSection](policy-csp-start.md) -- [SimplifyQuickSettings](policy-csp-start.md) -- [DisableEditingQuickSettings](policy-csp-start.md) -- [HideTaskViewButton](policy-csp-start.md) - -## Storage - -- [AllowDiskHealthModelUpdates](policy-csp-storage.md) -- [RemovableDiskDenyWriteAccess](policy-csp-storage.md) -- [AllowStorageSenseGlobal](policy-csp-storage.md) -- [ConfigStorageSenseGlobalCadence](policy-csp-storage.md) -- [AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md) -- [ConfigStorageSenseRecycleBinCleanupThreshold](policy-csp-storage.md) -- [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md) -- [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md) - -## System - -- [AllowTelemetry](policy-csp-system.md) -- [AllowBuildPreview](policy-csp-system.md) -- [AllowFontProviders](policy-csp-system.md) -- [AllowLocation](policy-csp-system.md) -- [AllowTelemetry](policy-csp-system.md) -- [TelemetryProxy](policy-csp-system.md) -- [DisableOneDriveFileSync](policy-csp-system.md) -- [AllowWUfBCloudProcessing](policy-csp-system.md) -- [AllowUpdateComplianceProcessing](policy-csp-system.md) -- [AllowDesktopAnalyticsProcessing](policy-csp-system.md) -- [DisableEnterpriseAuthProxy](policy-csp-system.md) -- [LimitEnhancedDiagnosticDataWindowsAnalytics](policy-csp-system.md) -- [AllowDeviceNameInDiagnosticData](policy-csp-system.md) -- [ConfigureTelemetryOptInSettingsUx](policy-csp-system.md) -- [ConfigureTelemetryOptInChangeNotification](policy-csp-system.md) -- [DisableDeviceDelete](policy-csp-system.md) -- [DisableDiagnosticDataViewer](policy-csp-system.md) -- [ConfigureMicrosoft365UploadEndpoint](policy-csp-system.md) -- [TurnOffFileHistory](policy-csp-system.md) -- [DisableDirectXDatabaseUpdate](policy-csp-system.md) -- [AllowCommercialDataPipeline](policy-csp-system.md) -- [LimitDiagnosticLogCollection](policy-csp-system.md) -- [LimitDumpCollection](policy-csp-system.md) -- [EnableOneSettingsAuditing](policy-csp-system.md) -- [DisableOneSettingsDownloads](policy-csp-system.md) -- [HideUnsupportedHardwareNotifications](policy-csp-system.md) - -## SystemServices - -- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md) -- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md) -- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md) -- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md) -- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md) -- [ConfigureXboxLiveNetworkingServiceStartupMode](policy-csp-systemservices.md) - -## TextInput - -- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md) -- [AllowLinguisticDataCollection](policy-csp-textinput.md) -- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md) -- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md) -- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md) -- [ConfigureKoreanIMEVersion](policy-csp-textinput.md) - -## TimeLanguageSettings - -- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) -- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md) -- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md) -- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) - -## Troubleshooting - -- [AllowRecommendations](policy-csp-troubleshooting.md) - -## Update - -- [ActiveHoursEnd](policy-csp-update.md) -- [ActiveHoursStart](policy-csp-update.md) -- [ActiveHoursMaxRange](policy-csp-update.md) -- [AutoRestartRequiredNotificationDismissal](policy-csp-update.md) -- [AutoRestartNotificationSchedule](policy-csp-update.md) -- [SetAutoRestartNotificationDisable](policy-csp-update.md) -- [ScheduleRestartWarning](policy-csp-update.md) -- [ScheduleImminentRestartWarning](policy-csp-update.md) -- [AllowAutoUpdate](policy-csp-update.md) -- [AutoRestartDeadlinePeriodInDays](policy-csp-update.md) -- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](policy-csp-update.md) -- [EngagedRestartTransitionSchedule](policy-csp-update.md) -- [EngagedRestartSnoozeSchedule](policy-csp-update.md) -- [EngagedRestartDeadline](policy-csp-update.md) -- [EngagedRestartTransitionScheduleForFeatureUpdates](policy-csp-update.md) -- [EngagedRestartSnoozeScheduleForFeatureUpdates](policy-csp-update.md) -- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md) -- [DetectionFrequency](policy-csp-update.md) -- [ManagePreviewBuilds](policy-csp-update.md) -- [BranchReadinessLevel](policy-csp-update.md) -- [ProductVersion](policy-csp-update.md) -- [TargetReleaseVersion](policy-csp-update.md) -- [AllowUpdateService](policy-csp-update.md) -- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md) -- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md) -- [DeferUpdatePeriod](policy-csp-update.md) -- [DeferUpgradePeriod](policy-csp-update.md) -- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md) -- [PauseDeferrals](policy-csp-update.md) -- [PauseFeatureUpdates](policy-csp-update.md) -- [PauseQualityUpdates](policy-csp-update.md) -- [PauseFeatureUpdatesStartTime](policy-csp-update.md) -- [PauseQualityUpdatesStartTime](policy-csp-update.md) -- [RequireDeferUpgrade](policy-csp-update.md) -- [AllowMUUpdateService](policy-csp-update.md) -- [ScheduledInstallDay](policy-csp-update.md) -- [ScheduledInstallTime](policy-csp-update.md) -- [ScheduledInstallEveryWeek](policy-csp-update.md) -- [ScheduledInstallFirstWeek](policy-csp-update.md) -- [ScheduledInstallSecondWeek](policy-csp-update.md) -- [ScheduledInstallThirdWeek](policy-csp-update.md) -- [ScheduledInstallFourthWeek](policy-csp-update.md) -- [UpdateServiceUrl](policy-csp-update.md) -- [UpdateServiceUrlAlternate](policy-csp-update.md) -- [FillEmptyContentUrls](policy-csp-update.md) -- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md) -- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md) -- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md) -- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md) -- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md) -- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) -- [SetEDURestart](policy-csp-update.md) -- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) -- [SetDisableUXWUAccess](policy-csp-update.md) -- [SetDisablePauseUXAccess](policy-csp-update.md) -- [UpdateNotificationLevel](policy-csp-update.md) -- [NoUpdateNotificationsDuringActiveHours](policy-csp-update.md) -- [DisableDualScan](policy-csp-update.md) -- [AutomaticMaintenanceWakeUp](policy-csp-update.md) -- [ConfigureDeadlineForQualityUpdates](policy-csp-update.md) -- [ConfigureDeadlineForFeatureUpdates](policy-csp-update.md) -- [ConfigureDeadlineGracePeriod](policy-csp-update.md) -- [ConfigureDeadlineGracePeriodForFeatureUpdates](policy-csp-update.md) -- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md) -- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md) -- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md) - -## UserRights - -- [AccessCredentialManagerAsTrustedCaller](policy-csp-userrights.md) -- [AccessFromNetwork](policy-csp-userrights.md) -- [ActAsPartOfTheOperatingSystem](policy-csp-userrights.md) -- [AllowLocalLogOn](policy-csp-userrights.md) -- [BackupFilesAndDirectories](policy-csp-userrights.md) -- [ChangeSystemTime](policy-csp-userrights.md) -- [CreatePageFile](policy-csp-userrights.md) -- [CreateToken](policy-csp-userrights.md) -- [CreateGlobalObjects](policy-csp-userrights.md) -- [CreatePermanentSharedObjects](policy-csp-userrights.md) -- [CreateSymbolicLinks](policy-csp-userrights.md) -- [DebugPrograms](policy-csp-userrights.md) -- [DenyAccessFromNetwork](policy-csp-userrights.md) -- [DenyLocalLogOn](policy-csp-userrights.md) -- [DenyRemoteDesktopServicesLogOn](policy-csp-userrights.md) -- [EnableDelegation](policy-csp-userrights.md) -- [RemoteShutdown](policy-csp-userrights.md) -- [GenerateSecurityAudits](policy-csp-userrights.md) -- [ImpersonateClient](policy-csp-userrights.md) -- [IncreaseSchedulingPriority](policy-csp-userrights.md) -- [LoadUnloadDeviceDrivers](policy-csp-userrights.md) -- [LockMemory](policy-csp-userrights.md) -- [ManageAuditingAndSecurityLog](policy-csp-userrights.md) -- [ModifyObjectLabel](policy-csp-userrights.md) -- [ModifyFirmwareEnvironment](policy-csp-userrights.md) -- [ManageVolume](policy-csp-userrights.md) -- [ProfileSingleProcess](policy-csp-userrights.md) -- [RestoreFilesAndDirectories](policy-csp-userrights.md) -- [TakeOwnership](policy-csp-userrights.md) -- [BypassTraverseChecking](policy-csp-userrights.md) -- [ReplaceProcessLevelToken](policy-csp-userrights.md) -- [ChangeTimeZone](policy-csp-userrights.md) -- [ShutDownTheSystem](policy-csp-userrights.md) -- [LogOnAsBatchJob](policy-csp-userrights.md) -- [ProfileSystemPerformance](policy-csp-userrights.md) -- [DenyLogOnAsBatchJob](policy-csp-userrights.md) -- [LogOnAsService](policy-csp-userrights.md) -- [IncreaseProcessWorkingSet](policy-csp-userrights.md) - -## VirtualizationBasedTechnology - -- [HypervisorEnforcedCodeIntegrity](policy-csp-virtualizationbasedtechnology.md) -- [RequireUEFIMemoryAttributesTable](policy-csp-virtualizationbasedtechnology.md) - -## WebThreatDefense - -- [ServiceEnabled](policy-csp-webthreatdefense.md) -- [NotifyMalicious](policy-csp-webthreatdefense.md) -- [NotifyPasswordReuse](policy-csp-webthreatdefense.md) -- [NotifyUnsafeApp](policy-csp-webthreatdefense.md) -- [CaptureThreatWindow](policy-csp-webthreatdefense.md) - -## Wifi - -- [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md) -- [AllowInternetSharing](policy-csp-wifi.md) - -## WindowsDefenderSecurityCenter - -- [CompanyName](policy-csp-windowsdefendersecuritycenter.md) -- [DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) -- [DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) -- [DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) -- [DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md) -- [DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) -- [DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) -- [Email](policy-csp-windowsdefendersecuritycenter.md) -- [EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) -- [EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) -- [HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) -- [HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) -- [HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) -- [HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) -- [Phone](policy-csp-windowsdefendersecuritycenter.md) -- [URL](policy-csp-windowsdefendersecuritycenter.md) - -## WindowsInkWorkspace - -- [AllowWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) -- [AllowSuggestedAppsInWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) - -## WindowsLogon - -- [HideFastUserSwitching](policy-csp-windowslogon.md) -- [EnableFirstLogonAnimation](policy-csp-windowslogon.md) - -## WindowsSandbox - -- [AllowVGPU](policy-csp-windowssandbox.md) -- [AllowNetworking](policy-csp-windowssandbox.md) -- [AllowAudioInput](policy-csp-windowssandbox.md) -- [AllowVideoInput](policy-csp-windowssandbox.md) -- [AllowPrinterRedirection](policy-csp-windowssandbox.md) -- [AllowClipboardRedirection](policy-csp-windowssandbox.md) - -## WirelessDisplay - -- [AllowProjectionToPC](policy-csp-wirelessdisplay.md) -- [RequirePinForPairing](policy-csp-wirelessdisplay.md) - ## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 03c3eb3bb2..83bd626bba 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 12/08/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1094,6 +1094,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [Browser](policy-csp-browser.md) - [Camera](policy-csp-camera.md) - [Cellular](policy-csp-cellular.md) +- [CloudDesktop](policy-csp-clouddesktop.md) - [CloudPC](policy-csp-cloudpc.md) - [Connectivity](policy-csp-connectivity.md) - [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index f4cb783c7e..282bca427e 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,1350 +1,1535 @@ --- -title: Policy CSP - TextInput -description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file. +title: TextInput Policy CSP +description: Learn more about the TextInput Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 03/03/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TextInput -
+ + + - -## TextInput policies + +## AllowHardwareKeyboardTextSuggestions -
-
- TextInput/AllowHardwareKeyboardTextSuggestions -
-
- TextInput/AllowIMELogging -
-
- TextInput/AllowIMENetworkAccess -
-
- TextInput/AllowInputPanel -
-
- TextInput/AllowJapaneseIMESurrogatePairCharacters -
-
- TextInput/AllowJapaneseIVSCharacters -
-
- TextInput/AllowJapaneseNonPublishingStandardGlyph -
-
- TextInput/AllowJapaneseUserDictionary -
-
- TextInput/AllowKeyboardTextSuggestions -
-
- TextInput/AllowKoreanExtendedHanja -
-
- TextInput/AllowLanguageFeaturesUninstall -
-
- TextInput/AllowLinguisticDataCollection -
-
- TextInput/AllowTextInputSuggestionUpdate -
-
- TextInput/ConfigureJapaneseIMEVersion -
-
- TextInput/ConfigureSimplifiedChineseIMEVersion -
-
- TextInput/ConfigureTraditionalChineseIMEVersion -
-
- TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode -
-
- TextInput/ExcludeJapaneseIMEExceptJIS0208 -
-
- TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC -
-
- TextInput/ExcludeJapaneseIMEExceptShiftJIS -
-
- TextInput/ForceTouchKeyboardDockedState -
-
- TextInput/TouchKeyboardDictationButtonAvailability -
-
- TextInput/TouchKeyboardEmojiButtonAvailability -
-
- TextInput/TouchKeyboardFullModeAvailability -
-
- TextInput/TouchKeyboardHandwritingModeAvailability -
-
- TextInput/TouchKeyboardNarrowModeAvailability -
-
- TextInput/TouchKeyboardSplitModeAvailability -
-
- TextInput/TouchKeyboardWideModeAvailability -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowHardwareKeyboardTextSuggestions +``` + -
- - -**TextInput/AllowHardwareKeyboardTextSuggestions** - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + Placeholder only. Do not use in production environment. - - - - -
- - -**TextInput/AllowIMELogging** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Allows the user to turn on and off the logging for incorrect conversion, and saving auto-tuning result to a file and history-based predictive input. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**TextInput/AllowIMENetworkAccess** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. - -Most restricted value is 0. - -In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. In Windows 10, version 1803, suggestion services are also available in Japanese IME. - - - - -
- - -**TextInput/AllowInputPanel** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Allows the IT admin to disable the touch/handwriting keyboard on Windows. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**TextInput/AllowJapaneseIMESurrogatePairCharacters** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Allows the Japanese IME surrogate pair characters. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**TextInput/AllowJapaneseIVSCharacters** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Allows Japanese Ideographic Variation Sequence (IVS) characters. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**TextInput/AllowJapaneseNonPublishingStandardGlyph** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Allows the Japanese non-publishing standard glyph. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**TextInput/AllowJapaneseUserDictionary** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Allows the Japanese user dictionary. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**TextInput/AllowKeyboardTextSuggestions** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowIMELogging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowIMELogging +``` + + + + +Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowIMENetworkAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowIMENetworkAccess +``` + + + + +Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. Most restricted value is 0. In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowInputPanel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowInputPanel +``` + + + + +Allows the IT admin to disable the touch/handwriting keyboard on Windows. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowJapaneseIMESurrogatePairCharacters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseIMESurrogatePairCharacters +``` + + + + +Allows the Japanese IME surrogate pair characters. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowJapaneseIVSCharacters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseIVSCharacters +``` + + + + +Allows Japanese Ideographic Variation Sequence (IVS) characters. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowJapaneseNonPublishingStandardGlyph + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseNonPublishingStandardGlyph +``` + + + + +Allows the Japanese non-publishing standard glyph. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowJapaneseUserDictionary + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowJapaneseUserDictionary +``` + + + + +Allows the Japanese user dictionary. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowKeyboardTextSuggestions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowKeyboardTextSuggestions +``` + + + + + Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. Most restricted value is 0. + + + + To validate that text prediction is disabled on Windows 10 for desktop, do the following: -1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. -2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. -3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. +1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the "Use Text Prediction" setting is enabled from the options button. +1. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the "Show text suggestions as I type" setting is enabled in the Settings app. +1. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -**TextInput/AllowKoreanExtendedHanja** + +**Allowed values**: -
+| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -This policy has been deprecated. + + + - - + -
+ +## AllowLanguageFeaturesUninstall - -**TextInput/AllowLanguageFeaturesUninstall** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -The table below shows the applicability of Windows: + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowLanguageFeaturesUninstall +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +When this policy setting is enabled, some language features (such as handwriting recognizers and spell checking dictionaries) included with a language can be uninstalled from a user’s machine when the language is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting is disabled, language features remain on the user’s machine when the language is uninstalled. + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
+ +**Allowed values**: - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -Allows the uninstall of language features, such as spell checkers on a device. + +**Group policy mapping**: -Most restricted value is 0. +| Name | Value | +|:--|:--| +| Name | AllowLanguageFeaturesUninstall | +| Friendly Name | Allow uninstallation of language features when a language is uninstalled | +| Location | Computer Configuration | +| Path | Windows Components > Text Input | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\TextInput | +| Registry Value Name | AllowLanguageFeaturesUninstall | +| ADMX File Name | TextInput.admx | + - - -ADMX Info: -- GP Friendly name: *Allow Uninstallation of Language Features* -- GP name: *AllowLanguageFeaturesUninstall* -- GP path: *Windows Components/Text Input* -- GP ADMX file name: *TextInput.admx* + + + - - -The following list shows the supported values: + -- 0 – Not allowed. -- 1 (default) – Allowed. + +## AllowLinguisticDataCollection - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowLinguisticDataCollection +``` + - -**TextInput/AllowLinguisticDataCollection** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and suggestion capabilities of apps and services running on Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowLinguisticDataCollection | +| Friendly Name | Improve inking and typing recognition | +| Location | Computer Configuration | +| Path | Windows Components > Text Input | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\TextInput | +| Registry Value Name | AllowLinguisticDataCollection | +| ADMX File Name | TextInput.admx | + + + + + + + + + +## AllowTextInputSuggestionUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/AllowTextInputSuggestionUpdate +``` + + + + +Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI. When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image. Most restricted value is 0. The following list shows the supported values: 0 - Not allowed. 1 (default) - Allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## ConfigureJapaneseIMEVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureJapaneseIMEVersion +``` + + + + +This policy setting controls the version of Microsoft IME.​ + +If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ + +If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ + +If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. + +This Policy setting applies only to Microsoft Japanese IME. + +Note: Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is configured by default. | +| 1 | Does not allow you to configure which Microsoft Japanese IME version to use. The previous version of Microsoft Japanese IME is always selected. | +| 2 | Does not allow you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is always selected. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | L_ConfigureJapaneseImeVersion | +| Friendly Name | Configure Japanese IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\JPN | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + - - -ADMX Info: -- GP Friendly name: *Improve inking and typing recognition* -- GP name: *AllowLinguisticDataCollection* -- GP path: *Windows Components/Text Input* -- GP ADMX file name: *TextInput.admx* + + + - - -This setting supports a range of values between 0 and 1. + - - + +## ConfigureKoreanIMEVersion -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**TextInput/AllowTextInputSuggestionUpdate** + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureKoreanIMEVersion +``` + - -The table below shows the applicability of Windows: + + +This policy setting controls the version of Microsoft IME.​ -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ - -
+If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. -> [!div class = "checklist"] -> * Device +This Policy setting applies only to Microsoft Korean IME. + +Note: Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + -
+ +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | L_ConfigureKoreanImeVersion | +| Friendly Name | Configure Korean IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\KOR | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + + + + + + + + + +## ConfigureSimplifiedChineseIMEVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureSimplifiedChineseIMEVersion +``` + - - -Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI. -When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image. + + +This policy setting controls the version of Microsoft IME.​ + +If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ -Most restricted value is 0. +If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ -Default: Enabled +If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. - - -The following list shows the supported values: +This Policy setting applies only to Microsoft Simplified Chinese IME. -- 1 (Enabled) - The newer UX is downloaded from Microsoft service. -- 0 (Disabled) - The UX remains unchanged with what the operating system installs. +Note: Changes to this setting will not take effect until the user logs off. + - - + + + -
- - -**TextInput/ConfigureJapaneseIMEVersion** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> - The policy is only enforced in Windows 10 for desktop. -> - This policy requires reboot to take effect. - -Allows IT admins to configure Microsoft Japanese IME version in the desktop. - - - -The following list shows the supported values: - -- 0 (default) - Allows you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is configured by default. -- 1 - Does not allow you to configure which Microsoft Japanese IME version to use. The previous version of Microsoft Japanese IME is always selected. -- 2 - Does not allow you to configure which Microsoft Japanese IME version to use. The new Microsoft Japanese IME version is always selected. - - - - -
- - -**TextInput/ConfigureSimplifiedChineseIMEVersion** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> - This policy is enforced only in Windows 10 for desktop. -> - This policy requires reboot to take effect. - -Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. - - - -The following list shows the supported values: - -- 0 (default) - Allows you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is configured by default. -- 1 - Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The previous version of Microsoft Simplified Chinese IME is always selected. -- 2 - Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is always selected. - - - - -
- - -**TextInput/ConfigureTraditionalChineseIMEVersion** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> - This policy is enforced only in Windows 10 for desktop. -> - This policy requires reboot to take effect. - -Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. - - - -The following list shows the supported values: - -- 0 (default) - Allows you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is configured by default. -- 1 - Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The previous version of Microsoft Traditional Chinese IME is always selected. -- 2 - Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is always selected. - - - - -
- - -**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. - -The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. -But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. -When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. - -This policy corresponds to "Show the touch keyboard when not in tablet mode and there's no keyboard attached" in the Settings app. - - - -The following list shows the supported values: - -- 0 (default) - Disabled. -- 1 - Enabled. - - - - -
- - -**TextInput/ExcludeJapaneseIMEExceptJIS0208** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is configured by default. | +| 1 | Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The previous version of Microsoft Simplified Chinese IME is always selected. | +| 2 | Does not allow you to configure which Microsoft Simplified Chinese IME version to use. The new Microsoft Simplified Chinese IME version is always selected. | + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | L_ConfigureSimplifiedChineseImeVersion | +| Friendly Name | Configure Simplified Chinese IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\CHS | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + + + + + + + + + +## ConfigureTraditionalChineseIMEVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ConfigureTraditionalChineseIMEVersion +``` + + + + +This policy setting controls the version of Microsoft IME.​ + +If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ + +If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ + +If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. + +This Policy setting applies only to Microsoft Traditional Chinese IME. + +Note: Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allows you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is configured by default. | +| 1 | Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The previous version of Microsoft Traditional Chinese IME is always selected. | +| 2 | Does not allow you to configure which Microsoft Traditional Chinese IME version to use. The new Microsoft Traditional Chinese IME version is always selected. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | L_ConfigureTraditionalChineseImeVersion | +| Friendly Name | Configure Traditional Chinese IME version | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\CHT | +| Registry Value Name | ConfigureImeVersion | +| ADMX File Name | EAIME.admx | + + + + + + + + + +## EnableTouchKeyboardAutoInvokeInDesktopMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode +``` + + + + +This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + +## ExcludeJapaneseIMEExceptJIS0208 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ExcludeJapaneseIMEExceptJIS0208 +``` + + + + Allows the users to restrict character code range of conversion by setting the character filter. + - - -The following list shows the supported values: + + + -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 are filtered. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** +| Value | Description | +|:--|:--| +| 0 (Default) | No characters are filtered. | +| 1 | All characters except JIS0208 are filtered. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## ExcludeJapaneseIMEExceptJIS0208andEUDC - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC +``` + + + Allows the users to restrict character code range of conversion by setting the character filter. + - - -The following list shows the supported values: + + + -- 0 (default) – No characters are filtered. -- 1 – All characters except JIS0208 and EUDC are filtered. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/ExcludeJapaneseIMEExceptShiftJIS** +| Value | Description | +|:--|:--| +| 0 (Default) | No characters are filtered. | +| 1 | All characters except JIS0208 and EUDC are filtered. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## ExcludeJapaneseIMEExceptShiftJIS - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ExcludeJapaneseIMEExceptShiftJIS +``` + + + Allows the users to restrict character code range of conversion by setting the character filter. + - - -The following list shows the supported values: + + + -- 0 (default) – No characters are filtered. -- 1 – All characters except ShiftJIS are filtered. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/ForceTouchKeyboardDockedState** +| Value | Description | +|:--|:--| +| 0 (Default) | No characters are filtered. | +| 1 | All characters except ShiftJIS are filtered. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## ForceTouchKeyboardDockedState - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/ForceTouchKeyboardDockedState +``` + -
- - - + + Specifies the touch keyboard is always docked. When this policy is set to enabled, the touch keyboard is always docked. + - - -The following list shows the supported values: + + + -- 0 - (default) - The OS determines when it's most appropriate to be available. -- 1 - Touch keyboard is always docked. -- 2 - Touch keyboard docking can be changed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/TouchKeyboardDictationButtonAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Touch keyboard is always docked. | +| 2 | Touch keyboard docking can be changed. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## TouchKeyboardDictationButtonAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardDictationButtonAvailability +``` + -
- - - + + Specifies whether the dictation input button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the dictation input button on touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines when it's most appropriate to be available. -- 1 - Dictation button on the keyboard is always available. -- 2 - Dictation button on the keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/TouchKeyboardEmojiButtonAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Dictation button on the keyboard is always available. | +| 2 | Dictation button on the keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## TouchKeyboardEmojiButtonAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardEmojiButtonAvailability +``` + -
+ + +Specifies whether the emoji button is enabled or disabled for the touch keyboard. When this policy is set to disabled, the emoji button on touch keyboard is disabled. + - - -Specifies whether the emoji, GIF (only in Windows 11), and kaomoji (only in Windows 11) buttons are available or unavailable for the touch keyboard. When this policy is set to disabled, the buttons are hidden and unavailable. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) - The OS determines when buttons are most appropriate to be available. -- 1 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always available. -- 2 - Emoji, GIF, and Kaomoji buttons on the touch keyboard are always unavailable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
+| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Emoji button on keyboard is always available. | +| 2 | Emoji button on keyboard is always disabled. | + - -**TextInput/TouchKeyboardFullModeAvailability** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TouchKeyboardFullModeAvailability - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardFullModeAvailability +``` + -> [!div class = "checklist"] -> * Device - -
- - - + + Specifies whether the full keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the full keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Full keyboard is always available. -- 2 - Full keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/TouchKeyboardHandwritingModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Full keyboard is always available. | +| 2 | Full keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## TouchKeyboardHandwritingModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardHandwritingModeAvailability +``` + -
- - - + + Specifies whether the handwriting input panel is enabled or disabled. When this policy is set to disabled, the handwriting input panel is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Handwriting input panel is always available. -- 2 - Handwriting input panel is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/TouchKeyboardNarrowModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Handwriting input panel is always available. | +| 2 | Handwriting input panel is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## TouchKeyboardNarrowModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardNarrowModeAvailability +``` + -
- - - + + Specifies whether the narrow keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the narrow keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Narrow keyboard is always available. -- 2 - Narrow keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/TouchKeyboardSplitModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Narrow keyboard is always available. | +| 2 | Narrow keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## TouchKeyboardSplitModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardSplitModeAvailability +``` + -
- - - + + Specifies whether the split keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the split keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Split keyboard is always available. -- 2 - Split keyboard is always disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
+ +**Allowed values**: - -**TextInput/TouchKeyboardWideModeAvailability** +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Split keyboard is always available. | +| 2 | Split keyboard is always disabled. | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## TouchKeyboardWideModeAvailability - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/TextInput/TouchKeyboardWideModeAvailability +``` + -
- - - + + Specifies whether the wide keyboard mode is enabled or disabled for the touch keyboard. When this policy is set to disabled, the wide keyboard mode for touch keyboard is disabled. + - - -The following list shows the supported values: + + + -- 0 (default) - The OS determines, when it's most appropriate to be available. -- 1 - Wide keyboard is always available. -- 2 - Wide keyboard is always disabled. + +**Description framework properties**: - - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -## Related topics +| Value | Description | +|:--|:--| +| 0 (Default) | The OS determines when it's most appropriate to be available. | +| 1 | Wide keyboard is always available. | +| 2 | Wide keyboard is always disabled. | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 77496a13ff..c48183ccf1 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,248 +1,320 @@ --- -title: Policy CSP - TimeLanguageSettings -description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device. +title: TimeLanguageSettings Policy CSP +description: Learn more about the TimeLanguageSettings Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/28/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TimeLanguageSettings -
+ + + - -## TimeLanguageSettings policies + +## AllowSet24HourClock -
-
- TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks -
-
- TimeLanguageSettings/ConfigureTimeZone -
-
- TimeLanguageSettings/MachineUILanguageOverwrite -
-
- TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall -
-
+> [!NOTE] +> This policy is deprecated and may be removed in a future release. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/AllowSet24HourClock +``` + - -**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks** + + +This policy is deprecated. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + -
+ + + - - -This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but aren't used by any users on that machine. + -If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they aren't used by any user on that system. + +## BlockCleanupOfUnusedPreinstalledLangPacks -If you disable (value 0) or don't configure this policy setting, language packs that are installed as part of the system image but aren't used by any user on that system will be removed as part of a scheduled cleanup task. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks +``` + - - -ADMX Info: -- GP Friendly name: *Block cleanup of unused language packs* -- GP name: *BlockCleanupOfUnusedPreinstalledLangPacks* -- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + + +This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but are not used by any users on that machine. - - +If you enable this policy setting, language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. - - +If you disable or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task. + - - + + + -
+ +**Description framework properties**: - -**TimeLanguageSettings/ConfigureTimeZone** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -The table below shows the applicability of Windows: + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Not blocked. | +| 1 | Blocked. | + - -
+ +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | BlockCleanupOfUnusedPreinstalledLangPacks | +| Friendly Name | Block clean-up of unused language packs | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | BlockCleanupOfUnusedPreinstalledLangPacks | +| ADMX File Name | Globalization.admx | + -> [!div class = "checklist"] -> * Device + + + -
+ - - -Specifies the time zone to be applied to the device. This policy name is the standard Windows name for the target time zone. + +## ConfigureTimeZone + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/ConfigureTimeZone +``` + + + + +Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. + + + + > [!TIP] > To get the list of available time zones, run `Get-TimeZone -ListAvailable` in PowerShell. + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + + + - - -
+ - -**TimeLanguageSettings/MachineUILanguageOverwrite** + +## MachineUILanguageOverwrite - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/MachineUILanguageOverwrite +``` + - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + This policy setting controls which UI language is used for computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language isn't installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. -If you disable or don't configure this policy setting, there's no restriction of a specific language used for the Windows menus and dialogs. +If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs. + - - + + + - - -ADMX Info: -- GP Friendly name: *Force selected system UI language to overwrite the user UI language* -- GP name: *MachineUILanguageOverwrite* -- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
+ +**Group policy mapping**: - -**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall** +| Name | Value | +|:--|:--| +| Name | MachineUILanguageOverwrite | +| Friendly Name | Force selected system UI language to overwrite the user UI language | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | +| Registry Value Name | MachineUILock | +| ADMX File Name | Globalization.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## RestrictLanguagePacksAndFeaturesInstall - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall +``` -
+```Device +./Device/Vendor/MSFT/Policy/Config/TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall +``` + - - -This policy setting restricts standard users from installing language features on demand. This policy doesn't restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.” + + +This policy setting restricts the install of language packs and language features, such as spell checkers, on a device. + -If you enable this policy setting, the installation of language features is prevented for standard users. + + + -If you disable or don't configure this policy setting, there's no language feature installation restriction for the standard users. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + - - + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | RestrictLanguagePacksAndFeaturesInstall | +| Path | Globalization > AT > ControlPanel > RegionalOptions | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index cfbe252574..1da9f8bae4 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,139 +1,158 @@ --- -title: Policy CSP - VirtualizationBasedTechnology -description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. +title: VirtualizationBasedTechnology Policy CSP +description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/25/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - VirtualizationBasedTechnology -
+ + + - -## VirtualizationBasedTechnology policies + +## HypervisorEnforcedCodeIntegrity -
-
- VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity -
-
- VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity +``` + - -**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity** + + +Hypervisor-Protected Code Integrity: 0 - Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock, 1 - Turns on Hypervisor-Protected Code Integrity with UEFI lock, 2 - Turns on Hypervisor-Protected Code Integrity without UEFI lock. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock. | +| 1 | (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock. | +| 2 | (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock. | + -
+ +**Group policy mapping**: - - -Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Virtualization Based Protection of Code Integrity | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + ->[!NOTE] ->After the policy is pushed, a system reboot will be required to change the state of HVCI. + + + - - -The following are the supported values: + -- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock. -- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock. -- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock. + +## RequireUEFIMemoryAttributesTable - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable +``` + - - -
+ + +Require UEFI Memory Attributes Table + - -**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
+ +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Do not require UEFI Memory Attributes Table | +| 1 | Require UEFI Memory Attributes Table | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
+| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Require UEFI Memory Attributes Table | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + - - -Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). + + + ->[!NOTE] ->After the policy is pushed, a system reboot will be required to change the state of HVCI. + - - + + + -The following are the supported values: + -- 0: (Disabled) Do not require UEFI Memory Attributes Table. -- 1: (Enabled) Require UEFI Memory Attributes Table. +## Related articles - - - - - - - - -
- - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 95465df853..b7c56f1f8f 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -1,233 +1,361 @@ --- -title: Policy CSP - WebThreatDefense -description: Learn about the Policy CSP - WebThreatDefense. -ms.author: v-aljupudi -ms.topic: article +title: WebThreatDefense Policy CSP +description: Learn more about the WebThreatDefense Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: alekyaj -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - WebThreatDefense + + +> [!NOTE] +> In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. + + + +## CaptureThreatWindow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow +``` + + + + +Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CaptureThreatWindow | +| Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | + + + + + + + + + +## NotifyMalicious + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. + +If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. + +If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn your users if they type their work or school password into one of the malicious scenarios described above. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NotifyMalicious | +| Friendly Name | Notify Malicious | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | NotifyMalicious | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + +## NotifyPasswordReuse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. + +If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it. + +If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they reuse their work or school password. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NotifyPasswordReuse | +| Friendly Name | Notify Password Reuse | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | NotifyPasswordReuse | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + +## NotifyUnsafeApp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc. + +If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps. + +If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NotifyUnsafeApp | +| Friendly Name | Notify Unsafe App | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | NotifyUnsafeApp | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + +## ServiceEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled +``` + + + + +This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. Users do not see notifications for any protection scenarios when Enhanced Phishing Protection in Microsoft Defender is in audit mode. Audit mode captures unsafe password entry events and sends telemetry through Microsoft Defender. + +If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off. + +If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it will not capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. + +If you don’t configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled | + + + +**Group policy mapping**: -
- - -## WebThreatDefense policies - -
-
- WebThreatDefense/EnableService -
-
- WebThreatDefense/NotifyMalicious -
-
- WebThreatDefense/NotifyPasswordReuse -
-
- WebThreatDefense/NotifyUnsafeApp -
-
- ->[!NOTE] ->In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category. - - -**WebThreatDefense/EnableService** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. - -If you enable this policy setting or don’t configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off. - -If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. - - - -ADMX Info: -- GP Friendly name: *Configure Web Threat Defense* -- GP name: *EnableWebThreatDefenseService* -- GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections* -- GP ADMX file name: *WebThreatDefense.admx* - - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection. -- 1: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users. - - - - - -
- - -**WebThreatDefense/NotifyMalicious** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. - -If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password. - -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above. - - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. -- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. - - - -
- - -**WebThreatDefense/NotifyPasswordReuse** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password. - -If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it. - -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password. - - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection notifications when users reuse their work or school password. -- 1: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. - - - - -
- - -**WebThreatDefense/NotifyUnsafeApp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. - -If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps. - -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps. - - -The following list shows the supported values: - -- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. -- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps. - - - -
- -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | ServiceEnabled | +| Friendly Name | Service Enabled | +| Location | Computer Configuration | +| Path | Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\WTDS\Components | +| Registry Value Name | ServiceEnabled | +| ADMX File Name | WebThreatDefense.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 09a9eb148e..5ff30f8fd7 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,336 +1,371 @@ --- -title: Policy CSP - Wifi -description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. +title: Wifi Policy CSP +description: Learn more about the Wifi Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Wifi + + + -
+ +## AllowAutoConnectToWiFiSenseHotspots - -## Wifi policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
-
- WiFi/AllowWiFiHotSpotReporting -
-
- Wifi/AllowAutoConnectToWiFiSenseHotspots -
-
- Wifi/AllowInternetSharing -
-
- Wifi/AllowManualWiFiConfiguration -
-
- Wifi/AllowWiFi -
-
- Wifi/AllowWiFiDirect -
-
- Wifi/WLANScanMode -
-
+ +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowAutoConnectToWiFiSenseHotspots +``` + + + +This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". -
+"Connect to suggested open hotspots" enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to. - -**WiFi/AllowWiFiHotSpotReporting** +"Connect to networks shared by my contacts" enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts. -
+"Enable paid services" enables Windows to temporarily connect to open hotspots to determine if paid services are available. - +If this policy setting is disabled, both "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services" will be turned off and users on this device will be prevented from enabling them. + +If this policy setting is not configured or is enabled, users can choose to enable or disable either "Connect to suggested open hotspots" or "Connect to networks shared by my contacts". + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WiFiSense | +| Friendly Name | Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | +| Location | Computer Configuration | +| Path | Network > WLAN Service > WLAN Settings | +| Registry Key Name | Software\Microsoft\wcmsvc\wifinetworkmanager\config | +| Registry Value Name | AutoConnectAllowedOEM | +| ADMX File Name | wlansvc.admx | + + + + + + + + + +## AllowInternetSharing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowInternetSharing +``` + + + + +Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. + +ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. + +If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. + +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) + +By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. + +Note: Internet Connection Sharing is only available when two or more network connections are present. + +Note: When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. + +Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. + +Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_ShowSharedAccessUI | +| Friendly Name | Prohibit use of Internet Connection Sharing on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ShowSharedAccessUI | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## AllowManualWiFiConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowManualWiFiConfiguration +``` + + + + +Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0. **Note**: Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | No Wi-Fi connection outside of MDM provisioned network is allowed. | +| 1 (Default) | Adding new network SSIDs beyond the already MDM provisioned ones is allowed. | + + + + + + + + + +## AllowWiFi + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWiFi +``` + + + + This policy has been deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowWiFiDirect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWiFiDirect +``` + + + + +Allow WiFi Direct connection. . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## WLANScanMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/WLANScanMode +``` + + + + +Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. The default value is 0. Supported operations are Add, Delete, Get, and Replace. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-500]` | +| Default Value | 0 | + + + + + + + + + + + - - - -
- - -**Wifi/AllowAutoConnectToWiFiSenseHotspots** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow or disallow the device to automatically connect to Wi-Fi hotspots. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services* -- GP name: *WiFiSense* -- GP path: *Network/WLAN Service/WLAN Settings* -- GP ADMX file name: *wlansvc.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
- - -**Wifi/AllowInternetSharing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow or disallow internet sharing. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Prohibit use of Internet Connection Sharing on your DNS domain network* -- GP name: *NC_ShowSharedAccessUI* -- GP path: *Network/Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -The following list shows the supported values: - -- 0 – Do not allow the use of Internet Sharing. -- 1 (default) – Allow the use of Internet Sharing. - - - - -
- - -**Wifi/AllowManualWiFiConfiguration** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. - -Most restricted value is 0. - -> [!NOTE] -> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - -The following list shows the supported values: - -- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. -- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. - - - - -
- - -**Wifi/AllowWiFi** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow or disallow WiFi connection. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – WiFi connection is not allowed. -- 1 (default) – WiFi connection is allowed. - - - - -
- - -**Wifi/AllowWiFiDirect** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow WiFi Direct connection.. - - - -The following list shows the supported values: - -- 0 - WiFi Direct connection is not allowed. -- 1 - WiFi Direct connection is allowed. - - - - -
- - -**Wifi/WLANScanMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. - -Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. - -The default value is 0. - -Supported operations are Add, Delete, Get, and Replace. - - - -
- - - + + +## Related articles +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 01a6430be0..0d01446a54 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -1,78 +1,80 @@ --- -title: Policy CSP - WindowsAutoPilot -description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature. +title: WindowsAutopilot Policy CSP +description: Learn more about the WindowsAutopilot Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/07/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/25/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - WindowsAutoPilot + + +# Policy CSP - WindowsAutopilot + + + -
+ +## EnableAgilityPostEnrollment - -## WindowsAutoPilot policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
-
- WindowsAutoPilot/EnableAgilityPostEnrollment -
-
+ +```Device +./Device/Vendor/MSFT/Policy/Config/WindowsAutopilot/EnableAgilityPostEnrollment +``` + + + +Specifies whether to check for Windows Autopilot updates after enrollment. Most restricted value is 0. + -
+ + + - -**WindowsAutoPilot/EnableAgilityPostEnrollment** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
+| Value | Description | +|:--|:--| +| 0 (Default) | Not enabled | +| 1 | Enabled | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ + + - - -This policy enables Windows Autopilot to be kept up-to-date during the out-of-box experience after MDM enrollment. + - - +## Related articles - - - - - - - - -
- - - -## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 658f2a7a2c..28a7e49547 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -540,7 +540,7 @@ items: href: policy-csp-webthreatdefense.md - name: Wifi href: policy-csp-wifi.md - - name: WindowsAutoPilot + - name: WindowsAutopilot href: policy-csp-windowsautopilot.md - name: WindowsConnectionManager href: policy-csp-windowsconnectionmanager.md From c995863635460dd7aa5498b779231e6a9c0c8c89 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 8 Dec 2022 12:20:29 -0800 Subject: [PATCH 009/152] test - update date --- windows/client-management/mdm/policy-csp-tenantrestrictions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index 936808277a..bb44b6a25a 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 12/08/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage From f7c4e3bd5053c04890ca498b234fbaff59d1d3c4 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 8 Dec 2022 13:58:02 -0800 Subject: [PATCH 010/152] add taskscheduler csp --- .../mdm/policy-csp-taskscheduler.md | 103 ++++++++++-------- 1 file changed, 57 insertions(+), 46 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index a333e1450f..f18ac472a3 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,69 +1,80 @@ --- -title: Policy CSP - TaskScheduler -description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0). +title: TaskScheduler Policy CSP +description: Learn more about the TaskScheduler Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/08/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TaskScheduler -
+ + + - -## TaskScheduler policies + +## EnableXboxGameSaveTask -
-
- TaskScheduler/EnableXboxGameSaveTask -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/TaskScheduler/EnableXboxGameSaveTask +``` + -
+ + +This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. + - -**TaskScheduler/EnableXboxGameSaveTask** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
+ +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + -> [!div class = "checklist"] -> * Device + + + -
+ - - -This setting determines whether the specific task is enabled (1) or disabled (0). Default: Disabled. + + + - - -
+ - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 4648ff2d863ec33f8e03924c6729223e02a78726 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 8 Dec 2022 14:08:53 -0800 Subject: [PATCH 011/152] add taskmanager csp --- .../mdm/policy-csp-taskmanager.md | 118 +++++++++--------- 1 file changed, 56 insertions(+), 62 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 0ee8b53c39..5c46c7733c 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,86 +1,80 @@ --- -title: Policy CSP - TaskManager -description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks. +title: TaskManager Policy CSP +description: Learn more about the TaskManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/08/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - TaskManager -
+ + + - -## TaskManager policies + +## AllowEndTask -
-
- TaskManager/AllowEndTask -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/TaskManager/AllowEndTask +``` + - -**TaskManager/AllowEndTask** + + +This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disabled. EndTask functionality is blocked in TaskManager. | +| 1 (Default) | Enabled. Users can perform EndTask in TaskManager. | + -
+ + + - - -This setting determines whether non-administrators can use Task Manager to end tasks. + -Supported value type is integer. + + + -Supported values: -- 0 - Disabled. EndTask functionality is blocked in TaskManager. -- 1 - Enabled (default). Users can perform EndTask in TaskManager. + - - - - - - - - -**Validation procedure:** -- When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager. -- When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager. - - - -
- - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From ef5fac2c9ff44a7cb4cf8332d1ef1d479de9591b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 8 Dec 2022 16:06:03 -0800 Subject: [PATCH 012/152] add userrights csp --- .../mdm/policy-csp-userrights.md | 2648 ++++++++++------- 1 file changed, 1617 insertions(+), 1031 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 9359f7ab9e..c6c6ea7779 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,26 +1,31 @@ --- -title: Policy CSP - UserRights -description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. +title: UserRights Policy CSP +description: Learn more about the UserRights Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/08/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/24/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - UserRights -
+ + -User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. -Here's an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. +## General example + +Here's an example for setting the user right [BackupFilesAndDirectories](#backupfilesanddirectories) for Administrators and Authenticated Users groups. ```xml @@ -44,1418 +49,1999 @@ Here's an example for setting the user right BackupFilesAndDirectories for Admin ``` -Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator. +Here are examples of data fields. The encoded `0xF000` is the standard delimiter/separator. - Grant a user right to Administrators group via SID: - ```xml - *S-1-5-32-544 - ``` + + ```xml + *S-1-5-32-544 + ``` - Grant a user right to multiple groups (Administrators, Authenticated Users) via SID: - ```xml - *S-1-5-32-544*S-1-5-11 - ``` + + ```xml + *S-1-5-32-544*S-1-5-11 + ``` - Grant a user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings: - ```xml - *S-1-5-32-544Authenticated Users - ``` + + ```xml + *S-1-5-32-544Authenticated Users + ``` - Grant a user right to multiple groups (Authenticated Users, Administrators) via strings: - ```xml - Authenticated UsersAdministrators - ``` + + ```xml + Authenticated UsersAdministrators + ``` - Empty input indicates that there are no users configured to have that user right: - ```xml - - ``` - If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. + ```xml + + ``` + +If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using `0xF000` as the delimiter/separator. > [!NOTE] -> `` is the entity encoding of 0xF000. +> `` is the entity encoding of `0xF000`. -For example, the following syntax grants user rights to Authenticated Users and Replicator user groups.: +For example, the following syntax grants user rights to Authenticated Users and Replicator user groups: ```xml ``` -For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2: +For example, the following syntax grants user rights to two specific Azure Active Directory (Azure AD) users from Contoso, user1 and user2: ```xml ``` -For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group: +For example, the following syntax grants user rights to a specific user or group, by using the SID of the account or group: ```xml ``` -
+ - -## UserRights policies + +## AccessCredentialManagerAsTrustedCaller -
-
- UserRights/AccessCredentialManagerAsTrustedCaller -
-
- UserRights/AccessFromNetwork -
-
- UserRights/ActAsPartOfTheOperatingSystem -
-
- UserRights/AllowLocalLogOn -
-
- UserRights/BackupFilesAndDirectories -
-
- UserRights/ChangeSystemTime -
-
- UserRights/CreateGlobalObjects -
-
- UserRights/CreatePageFile -
-
- UserRights/CreatePermanentSharedObjects -
-
- UserRights/CreateSymbolicLinks -
-
- UserRights/CreateToken -
-
- UserRights/DebugPrograms -
-
- UserRights/DenyAccessFromNetwork -
-
- UserRights/DenyLocalLogOn -
-
- UserRights/DenyRemoteDesktopServicesLogOn -
-
- UserRights/EnableDelegation -
-
- UserRights/GenerateSecurityAudits -
-
- UserRights/ImpersonateClient -
-
- UserRights/IncreaseSchedulingPriority -
-
- UserRights/LoadUnloadDeviceDrivers -
-
- UserRights/LockMemory -
-
- UserRights/ManageAuditingAndSecurityLog -
-
- UserRights/ManageVolume -
-
- UserRights/ModifyFirmwareEnvironment -
-
- UserRights/ModifyObjectLabel -
-
- UserRights/ProfileSingleProcess -
-
- UserRights/RemoteShutdown -
-
- UserRights/RestoreFilesAndDirectories -
-
- UserRights/TakeOwnership -
-
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AccessCredentialManagerAsTrustedCaller +``` + -
+ + +This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + - -**UserRights/AccessCredentialManagerAsTrustedCaller** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -
+ +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | Access Credential Manager ase a trusted caller | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -> [!div class = "checklist"] -> * Device + + + -
+ - - -This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it's only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. + +## AccessFromNetwork - - -GP Info: -- GP Friendly name: *Access Credential Manager as a trusted caller* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AccessFromNetwork +``` + -
+ + +This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. - -**UserRights/AccessFromNetwork** +**Note**: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | Access this computer from the network | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -
+ + + - - -This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services isn't affected by this user right. + -> [!NOTE] -> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. + +## ActAsPartOfTheOperatingSystem - - -GP Info: -- GP Friendly name: *Access this computer from the network* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ActAsPartOfTheOperatingSystem +``` + -
- - -**UserRights/ActAsPartOfTheOperatingSystem** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Act as part of the operating system* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/AllowLocalLogOn** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Act as part of the operating system | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLocalLogOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn +``` + - - -This user right determines which users can sign in to the computer. + + +This user right determines which users can log on to the computer. -> [!NOTE] -> Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. +**Note**: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( ) at the Microsoft website. + - - -GP Info: -- GP Friendly name: *Allow log on locally* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/BackupFilesAndDirectories** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Allow log on locally | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BackupFilesAndDirectories -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories +``` + - - -This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read. + + +This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. > [!CAUTION] -> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, assign this user right to trusted users only. +> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users + - - -GP Info: -- GP Friendly name: *Back up files and directories* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ChangeSystemTime** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Back up files and directories | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BypassTraverseChecking -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/BypassTraverseChecking +``` + - - + + +This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Bypass traverse checking | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## ChangeSystemTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime +``` + + + + This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + + + + > [!CAUTION] -> Configuring user rights replaces existing users or groups previously assigned to those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy. +> When you configure user rights, it replaces existing users or groups that were previously assigned to those user rights. The system requires that the **Local Service** account (SID `S-1-5-19`) always has the ChangeSystemTime right. Always specify **Local Service**, in addition to any other accounts that you need to configure in this policy. > -> Not including the Local Service account will result in failure with the following error: +> If you don't include the **Local Service** account, the request fails with the following error: > -> | Error code | Symbolic name | Error description | Header | -> |----------|----------|----------|----------| -> | 0x80070032 (Hex)|ERROR_NOT_SUPPORTED|The request isn't supported.| winerror.h | +> | Error code | Symbolic name | Error description | Header | +> |--------------------|---------------------|------------------------------|------------| +> | `0x80070032` (Hex) | ERROR_NOT_SUPPORTED | The request isn't supported. | winerror.h | - - -GP Info: -- GP Friendly name: *Change the system time* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreateGlobalObjects** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Change the system time | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ChangeTimeZone -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeTimeZone +``` + - - -This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. + + +This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Change the time zone | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## CreateGlobalObjects + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreateGlobalObjects +``` + + + + +This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Assign this user right only to trusted users. + - - -GP Info: -- GP Friendly name: *Create global objects* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreatePageFile** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create global objects | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreatePageFile -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePageFile +``` + - - -This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually doesn't need to be assigned to any users. + + +This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users + - - -GP Info: -- GP Friendly name: *Create a pagefile* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreatePermanentSharedObjects** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create a pagefile | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreatePermanentSharedObjects -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreatePermanentSharedObjects +``` + - - -This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it's not necessary to specifically assign it. + + +This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. + - - -GP Info: -- GP Friendly name: *Create permanent shared objects* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreateSymbolicLinks** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create permanent shared objects | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreateSymbolicLinks -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreateSymbolicLinks +``` + - - -This user right determines if the user can create a symbolic link from the computer they're signed in to. + + +This user right determines if the user can create a symbolic link from the computer he is logged on to. > [!CAUTION] -> This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. +> This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. -> [!NOTE] -> This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. +**Note**: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. + - - -GP Info: -- GP Friendly name: *Create symbolic links* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/CreateToken** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create symbolic links | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CreateToken -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/CreateToken +``` + - - -This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System. + + +This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. > [!CAUTION] -> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. +> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + - - -GP Info: -- GP Friendly name: *Create a token object* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DebugPrograms** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Create a token object | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DebugPrograms -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DebugPrograms +``` + - - -This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. + + +This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Debug programs* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DenyAccessFromNetwork** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Debug programs | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyAccessFromNetwork -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyAccessFromNetwork +``` + - - -This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access to this computer from the network policy setting if a user account is subject to both policies. + + +This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. + - - -GP Info: -- GP Friendly name: *Deny access to this computer from the network* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/DenyLocalLogOn** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Deny access to this computer from the network | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyLocalLogOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn +``` + - - -This security setting determines which users are prevented from logging on to the computer. This policy setting supersedes the **Allow log on locally** policy setting if an account is subject to both policies. + + +This security setting determines which service accounts are prevented from registering a process as a service. -> [!NOTE] -> If you apply this security policy to the **Everyone** group, no one will be able to log on locally. +**Note**: This security setting does not apply to the System, Local Service, or Network Service accounts. + - - -GP Info: -- GP Friendly name: *Deny log on Locally* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + - - + -
+ - -**UserRights/DenyRemoteDesktopServicesLogOn** + +**Description framework properties**: - -The table below shows the applicability of Windows: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
+| Name | Value | +|:--|:--| +| Name | Deny log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ +## DenyLogOnAsBatchJob - - -This user right determines which users and groups are prohibited from logging on as Remote Desktop Services clients. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + - - -GP Info: -- GP Friendly name: *Deny log on through Remote Desktop Services* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsBatchJob +``` + - - + + +This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. + -
+ + + - -**UserRights/EnableDelegation** + +**Description framework properties**: - -The table below shows the applicability of Windows: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
+| Name | Value | +|:--|:--| +| Name | Deny log on as a batch job | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ +## DenyRemoteDesktopServicesLogOn - - -This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyRemoteDesktopServicesLogOn +``` + + + + +This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Deny log on through Remote Desktop Services | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## EnableDelegation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/EnableDelegation +``` + + + + +This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. > [!CAUTION] > Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. + - - -GP Info: -- GP Friendly name: *Enable computer and user accounts to be trusted for delegation* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/GenerateSecurityAudits** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Enable computer and user accounts to be trusted for delegation | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GenerateSecurityAudits -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/GenerateSecurityAudits +``` + - - + + This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. + - - -GP Info: -- GP Friendly name: *Generate security audits* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ImpersonateClient** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Generate security audits | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ImpersonateClient -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ImpersonateClient +``` + - - + + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. > [!CAUTION] -> Assigning this user right can be a security risk. Assign this user right to trusted users only. +> Assigning this user right can be a security risk. Only assign this user right to trusted users. -> [!NOTE] -> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. +**Note**: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right. -1. The access token that is being impersonated is for this user. -1. The user, in this sign-in session, created the access token by signing in to the network with explicit credentials. -1. The requested level is less than Impersonate, such as Anonymous or Identify. +**Warning**: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. + -Because of these factors, users don't usually need this user right. + + + -> [!WARNING] -> If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run. + +**Description framework properties**: - - -GP Info: -- GP Friendly name: *Impersonate a client after authentication* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - - + +**Group policy mapping**: -
+| Name | Value | +|:--|:--| +| Name | Impersonate a client after authentication | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -**UserRights/IncreaseSchedulingPriority** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## IncreaseProcessWorkingSet - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseProcessWorkingSet +``` + -> [!div class = "checklist"] -> * Device + + +Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process’s working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. -
+**Warning**: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. + - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Increase a process working set | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## IncreaseSchedulingPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/IncreaseSchedulingPriority +``` + + + + This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. + - - -GP Info: -- GP Friendly name: *Increase scheduling priority* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + > [!WARNING] -> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers don't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers won't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 or later and that use the Intel GFX driver. > > On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. - - + -
+ +**Description framework properties**: - -**UserRights/LoadUnloadDeviceDrivers** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -The table below shows the applicability of Windows: + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Increase scheduling priority | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LoadUnloadDeviceDrivers -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - -This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users. + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LoadUnloadDeviceDrivers +``` + + + + +This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. > [!CAUTION] -> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. +> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. + - - -GP Info: -- GP Friendly name: *Load and unload device drivers* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/LockMemory** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Load and unload device drivers | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockMemory -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LockMemory +``` + - - -This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege might significantly affect system performance by decreasing the amount of available random access memory (RAM). + + +This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). + - - -GP Info: -- GP Friendly name: *Lock pages in memory* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ManageAuditingAndSecurityLog** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Lock pages in memory | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LogOnAsBatchJob -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LogOnAsBatchJob +``` + - - -This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting doesn't allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege also can view and clear the security log. + + +This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user. + - - -GP Info: -- GP Friendly name: *Manage auditing and security log* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ManageVolume** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Log on as a batch job | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LogOnAsService -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/LogOnAsService +``` + - - -This user right determines which users and groups can run maintenance tasks on a volume, such as remote de-fragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + + +This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right. + - - -GP Info: -- GP Friendly name: *Perform volume maintenance tasks* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ModifyFirmwareEnvironment** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ManageAuditingAndSecurityLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ManageAuditingAndSecurityLog +``` + - - -This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. + + +This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. + -> [!NOTE] -> This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + + + - - -GP Info: -- GP Friendly name: *Modify firmware environment values* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -
+ +**Group policy mapping**: - -**UserRights/ModifyObjectLabel** +| Name | Value | +|:--|:--| +| Name | Manage auditing and security log | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
+ +## ManageVolume - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ManageVolume +``` + -
+ + +This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. + - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Perform volume maintenance tasks | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## ModifyFirmwareEnvironment + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyFirmwareEnvironment +``` + + + + +This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. + +**Note**: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Modify firmware environment values | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## ModifyObjectLabel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ModifyObjectLabel +``` + + + + This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. + - - -GP Info: -- GP Friendly name: *Modify an object label* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/ProfileSingleProcess** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Modify an object label | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProfileSingleProcess -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSingleProcess +``` + - - + + This user right determines which users can use performance monitoring tools to monitor the performance of system processes. + - - -GP Info: -- GP Friendly name: *Profile single process* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/RemoteShutdown** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Profile single process | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProfileSystemPerformance -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ProfileSystemPerformance +``` + - - + + +This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Profile system performance | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## RemoteShutdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/RemoteShutdown +``` + + + + This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. + - - -GP Info: -- GP Friendly name: *Force shutdown from a remote system* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/RestoreFilesAndDirectories** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Force shutdown from a remote system | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ReplaceProcessLevelToken -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ReplaceProcessLevelToken +``` + - - -This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write. + + +This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Replace a process level token | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## RestoreFilesAndDirectories + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/RestoreFilesAndDirectories +``` + + + + +This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. > [!CAUTION] -> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, assign this user right to trusted users only. +> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Restore files and directories* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**UserRights/TakeOwnership** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | Restore files and directories | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShutDownTheSystem -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/ShutDownTheSystem +``` + - - + + +This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Shut down the system | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + +## TakeOwnership + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/TakeOwnership +``` + + + + This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. > [!CAUTION] -> Assigning this user right can be a security risk. Since owners of objects have full control of them, assign this user right to trusted users only. +> Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. + - - -GP Info: -- GP Friendly name: *Take ownership of files or other objects* -- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* + + + - - -
+ +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -## Related topics + +**Group policy mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | Take ownership of files or other objects | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From b81cc82464f9987012791f3f3517d127e23faf4c Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Fri, 9 Dec 2022 11:07:21 -0500 Subject: [PATCH 013/152] Test per Aaron. Change date from 2019 to 2020. --- windows/client-management/mdm/policy-csp-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index e2ccc30eb8..c4579bded6 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 09/27/2019 +ms.date: 09/27/2020 ms.reviewer: manager: aaroncz --- From 22f5d1eac8e0f5482d080f93a6c12c8db6cf4066 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 9 Dec 2022 13:50:42 -0500 Subject: [PATCH 014/152] application defaults with examples --- .../mdm/policy-csp-applicationdefaults.md | 223 +++++++++--------- 1 file changed, 118 insertions(+), 105 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index de90f8c39c..b2ec1085e2 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,80 +1,74 @@ --- -title: Policy CSP - ApplicationDefaults -description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10. +title: ApplicationDefaults Policy CSP +description: Learn more about the ApplicationDefaults Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ApplicationDefaults + + + + +## DefaultAssociationsConfiguration -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -## ApplicationDefaults policies + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration +``` + -
-
- ApplicationDefaults/DefaultAssociationsConfiguration -
-
- ApplicationDefaults/EnableAppUriHandlers -
-
+ + +This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. + + + + -
+ +**Description framework properties**: - -**ApplicationDefaults/DefaultAssociationsConfiguration** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DefaultAssociationsConfiguration | +| Friendly Name | Set a default associations configuration file | +| Element Name | Default Associations Configuration File | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | WindowsExplorer.admx | + - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy allows an administrator to set default file type and protocol associations. When set, default associations are applied on sign in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). Then, it needs to be base64 encoded before being added to SyncML. - -If policy is enabled and the client machine is having Azure Active Directory, the associations assigned in SyncML are processed and default associations are applied. - - - -ADMX Info: -- GP Friendly name: *Set a default associations configuration file* -- GP name: *DefaultAssociationsConfiguration* -- GP element: *DefaultAssociationsConfiguration_TextBox* -- GP path: *File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - + + To create the SyncML, follow these steps:
  1. Install a few apps and change your defaults.
  2. @@ -84,7 +78,6 @@ To create the SyncML, follow these steps:
Here's an example output from the dism default association export command: - ```xml @@ -101,7 +94,6 @@ Here's the base64 encoded result: ``` syntax PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= ``` - Here's the SyncMl example: ```xml @@ -126,64 +118,85 @@ Here's the SyncMl example: ``` + - - + -
+ +## EnableAppUriHandlers - -**ApplicationDefaults/EnableAppUriHandlers** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/EnableAppUriHandlers +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - + + This policy setting determines whether Windows supports web-to-app linking with app URI handlers. -Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI. +Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI. Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + - - -ADMX Info: -- GP Friendly name: *Configure web-to-app linking with app URI handlers* -- GP name: *EnableAppUriHandlers* -- GP path: *System/Group Policy* -- GP ADMX file name: *GroupPolicy.admx* + + + - - -This setting supports a range of values between 0 and 1. + +**Description framework properties**: - - -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | EnableAppUriHandlers | +| Friendly Name | Configure web-to-app linking with app URI handlers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableAppUriHandlers | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From d94d662309ee7b19c7e52421107664c9191a4a59 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 9 Dec 2022 14:13:03 -0500 Subject: [PATCH 015/152] application defaults add Example separator --- .../mdm/policy-csp-applicationdefaults.md | 2 + .../mdm/policy-csp-applicationmanagement.md | 1913 +++++++++-------- 2 files changed, 1060 insertions(+), 855 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index b2ec1085e2..7b6088c9a0 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -69,6 +69,8 @@ This policy allows an administrator to set default file type and protocol associ +**Example**: + To create the SyncML, follow these steps:
  1. Install a few apps and change your defaults.
  2. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 65e5e7915b..42280b4c3e 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,930 +1,1133 @@ --- -title: Policy CSP - ApplicationManagement -description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10. +title: ApplicationManagement Policy CSP +description: Learn more about the ApplicationManagement Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ApplicationManagement -
    + + + - -## ApplicationManagement policies + +## AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAutomaticAppArchiving -
    -
    - ApplicationManagement/AllowAllTrustedApps -
    -
    - ApplicationManagement/AllowAppStoreAutoUpdate -
    -
    - ApplicationManagement/AllowDeveloperUnlock -
    -
    - ApplicationManagement/AllowGameDVR -
    -
    - ApplicationManagement/AllowSharedUserAppData -
    -
    - ApplicationManagement/BlockNonAdminUserInstall -
    -
    - ApplicationManagement/DisableStoreOriginatedApps -
    -
    - ApplicationManagement/LaunchAppAfterLogOn -
    -
    - ApplicationManagement/MSIAllowUserControlOverInstall -
    -
    - ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges -
    -
    - ApplicationManagement/RequirePrivateStoreOnly -
    -
    - ApplicationManagement/RestrictAppDataToSystemVolume -
    -
    - ApplicationManagement/RestrictAppToSystemVolume -
    -
    - ApplicationManagement/ScheduleForceRestartForUpdateFailures -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps +``` + -
    + + +This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. - -**ApplicationManagement/AllowAutomaticAppArchiving** +If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). - +If you disable or do not configure this policy setting, you cannot install LOB or developer-signed Windows Store apps. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + -> [!div class = "checklist"] -> * Device -> * User + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit allow unlock. | +| 65535 (Default) | Not configured. | + - - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AppxDeploymentAllowAllTrustedApps | +| Friendly Name | Allow all trusted apps to install | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowAllTrustedApps | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowAppStoreAutoUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAppStoreAutoUpdate +``` + + + + +Specifies whether automatic update of apps from Microsoft Store are allowed. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 | Allowed. | +| 2 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoInstall | +| Friendly Name | Turn off Automatic Download and Install of updates | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | AutoDownload | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## AllowAutomaticAppArchiving + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAutomaticAppArchiving +``` + + + + This policy setting controls whether the system can archive infrequently used apps. -- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. -- If you disable this policy setting, then the system won't archive any apps. - -If you don't configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. - - - -ADMX Info: -- GP Friendly name: *Allow all trusted apps to install* -- GP name: *AllowAutomaticAppArchiving* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit disable. -- 1 - Explicit enable. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowAllTrustedApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether non Microsoft Store apps are allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow all trusted apps to install* -- GP name: *AppxDeploymentAllowAllTrustedApps* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit deny. -- 1 - Explicit allow unlock. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowAppStoreAutoUpdate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether automatic update of apps from Microsoft Store is allowed. - - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off Automatic Download and Install of updates* -- GP name: *DisableAutoInstall* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**ApplicationManagement/AllowDeveloperUnlock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether developer unlock is allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)* -- GP name: *AllowDevelopmentWithoutDevLicense* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 - Explicit deny. -- 1 - Explicit allow unlock. -- 65535 (default) - Not configured. - - - - -
    - - -**ApplicationManagement/AllowGameDVR** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> The policy is only enforced in Windows 10 for desktop. - -Specifies whether DVR and broadcasting are allowed. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Enables or disables Windows Game Recording and Broadcasting* -- GP name: *AllowGameDVR* -- GP path: *Windows Components/Windows Game Recording and Broadcasting* -- GP ADMX file name: *GameDVR.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**ApplicationManagement/AllowSharedUserAppData** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../includes/allow-windows-app-to-share-data-users-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow a Windows app to share application data between users* -- GP name: *AllowSharedLocalAppData* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. - -Most restricted value: 0 - - - -
    - - -**ApplicationManagement/BlockNonAdminUserInstall** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - -Manages non-administrator users' ability to install Windows app packages. - -If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. - -If you disable or don't configure this policy, all users will be able to initiate installation of Windows app packages. - - - -ADMX Info: -- GP Friendly name: *Prevent non-admin users from installing packaged Windows apps* -- GP name: *BlockNonAdminUserInstall* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: -- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages. -- 1 - Enabled. Non-administrator users won't be able to initiate installation of Windows app packages. - - - - - - - - - -
    - - -**ApplicationManagement/DisableStoreOriginatedApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. - - - -ADMX Info: -- GP Friendly name: *Disable all apps from Microsoft Store* -- GP name: *DisableStoreApps* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* - - - -The following list shows the supported values: - -- 0 (default) – Enable launch of apps. -- 1 – Disable launch of apps. - - - - -
    - - -**ApplicationManagement/LaunchAppAfterLogOn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after a sign in. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. - -For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. Example of the declaration here: - -```xml - - - +If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. + +If you disable this policy setting, then the system will not archive any apps. + +If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit enable. | +| 65535 (Default) | Not configured. User's Choice. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowAutomaticAppArchiving | +| Friendly Name | Archive infrequently used apps | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowAutomaticAppArchiving | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowDeveloperUnlock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock ``` + + + + +Allows or denies development of Microsoft Store applications and installing them directly from an IDE. + +If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Microsoft Store apps and install them directly from an IDE. + +If you disable or do not configure this setting, you cannot develop Microsoft Store apps or install them directly from an IDE. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Explicit deny. | +| 1 | Explicit allow unlock. | +| 65535 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowDevelopmentWithoutDevLicense | +| Friendly Name | Allows development of Windows Store apps and installing them from an integrated development environment (IDE) | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowDevelopmentWithoutDevLicense | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowGameDVR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowGameDVR +``` + + + + +Windows Game Recording and Broadcasting. + +This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. +If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowGameDVR | +| Friendly Name | Enables or disables Windows Game Recording and Broadcasting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Game Recording and Broadcasting | +| Registry Key Name | Software\Policies\Microsoft\Windows\GameDVR | +| Registry Value Name | AllowGameDVR | +| ADMX File Name | GameDVR.admx | + + + + + + + + + +## AllowSharedUserAppData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData +``` + + + + +Manages a Windows app's ability to share data between users who have installed the app. + +If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. + +If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. | +| 1 | Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSharedLocalAppData | +| Friendly Name | Allow a Windows app to share application data between users | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager | +| Registry Value Name | AllowSharedLocalAppData | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## AllowStore > [!NOTE] -> This policy only works on modern apps. +> This policy is deprecated and may be removed in a future release. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowStore +``` + - - + + +This policy is deprecated + - - + + + -
    + +**Description framework properties**: - -**ApplicationManagement/MSIAllowUserControlOverInstall** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Disallow. | +| 1 (Default) | Allow. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ApplicationRestrictions -
    +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - - -Added in Windows 10, version 1803. This policy setting permits users to change installation options that typically are available only to system administrators. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ApplicationRestrictions +``` + + + + +This policy is deprecated + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## BlockNonAdminUserInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/BlockNonAdminUserInstall +``` + + + + +Manages non-Administrator users' ability to install Windows app packages. + +If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. + +If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. All users will be able to initiate installation of Windows app packages. | +| 1 | Enabled. Non-administrator users will not be able to initiate installation of Windows app packages. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BlockNonAdminUserInstall | +| Friendly Name | Prevent non-admin users from installing packaged Windows apps | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | BlockNonAdminUserInstall | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## DisableStoreOriginatedApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps +``` + + + + +Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise and Education editions of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable launch of apps. | +| 1 | Disable launch of apps. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableStoreApps | +| Friendly Name | Disable all apps from Microsoft Store | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableStoreApps | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## LaunchAppAfterLogOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/LaunchAppAfterLogOn +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +## MSIAllowUserControlOverInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAllowUserControlOverInstall +``` + + + + +This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. -If you disable or don't configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. +If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed. - - - -ADMX Info: -- GP Friendly name: *Allow user control over installs* -- GP name: *EnableUserControl* -- GP path: *Windows Components/Windows Installer* -- GP ADMX file name: *MSI.admx* - - - -This setting supports a range of values between 0 and 1. - - - - -
    - - -**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Added in Windows 10, version 1803. This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. - -If you enable this policy setting, privileges are extended to all programs. These privileges are reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. - -If you disable or don't configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator doesn't distribute or offer. - -> [!NOTE] -> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. - -> [!CAUTION] -> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be secure. - - - -ADMX Info: -- GP Friendly name: *Always install with elevated privileges* -- GP name: *AlwaysInstallElevated* -- GP path: *Windows Components/Windows Installer* -- GP ADMX file name: *MSI.admx* - - - -This setting supports a range of values between 0 and 1. - - - - -
    - - -**ApplicationManagement/RequirePrivateStoreOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Allows disabling of the retail catalog and only enables the Private store. - - -Most restricted value is 1. - - - -ADMX Info: -- GP Friendly name: *Only display the private store within the Microsoft Store* -- GP name: *RequirePrivateStoreOnly* -- GP path: *Windows Components/Store* -- GP ADMX file name: *WindowsStore.admx* - - - -The following list shows the supported values: - -- 0 (default) – Allow both public and Private store. -- 1 – Only Private store is enabled. - - - - -
    - - -**ApplicationManagement/RestrictAppDataToSystemVolume** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether application data is restricted to the system drive. - -Most restricted value is 1. - - - -ADMX Info: -- GP Friendly name: *Prevent users' app data from being stored on non-system volumes* -- GP name: *RestrictAppDataToSystemVolume* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - - - - -
    - - -**ApplicationManagement/RestrictAppToSystemVolume** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether the installation of applications is restricted to the system drive. - -Most restricted value is 1. - - - -ADMX Info: -- GP Friendly name: *Disable installing Windows apps on non-system volumes* -- GP name: *DisableDeploymentToNonSystemVolumes* -- GP path: *Windows Components/App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - -The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - - - - -
    - - -**ApplicationManagement/ScheduleForceRestartForUpdateFailures** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. - -Value type is string. - - - -> [!NOTE] -> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. - - - -Sample SyncML: - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures - - - - xml - - - - - - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableUserControl | +| Friendly Name | Allow user control over installs | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | EnableUserControl | +| ADMX File Name | MSI.admx | + + + + + + + + + +## MSIAlwaysInstallWithElevatedPrivileges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges ``` -XSD: + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges +``` + + + + +This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. + +If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. + +If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. + +Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. + +Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. + +**Note** that the User Configuration version of this policy setting is not guaranteed to be secure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AlwaysInstallElevated | +| Friendly Name | Always install with elevated privileges | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AlwaysInstallElevated | +| ADMX File Name | MSI.admx | + + + + + + + + + +## RequirePrivateStoreOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly +``` + + + + +Denies access to the retail catalog in the Microsoft Store, but displays the private store. + +If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. + +If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow both public and Private store. | +| 1 | Only Private store is enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RequirePrivateStoreOnly | +| Friendly Name | Only display the private store within the Microsoft Store | +| Location | Computer and User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RequirePrivateStoreOnly | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## RestrictAppDataToSystemVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume +``` + + + + +Prevent users' app data from moving to another location when an app is moved or installed on another location. + +If you enable this setting, all users' app data will stay on the system volume, regardless of where the app is installed. + +If you disable or do not configure this setting, then when an app is moved to a different volume, the users' app data will also move to this volume. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictAppDataToSystemVolume | +| Friendly Name | Prevent users' app data from being stored on non-system volumes | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | RestrictAppDataToSystemVolume | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## RestrictAppToSystemVolume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume +``` + + + + +This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. + +If you enable this setting, you can't move or install Windows apps on volumes that are not the system volume. + +If you disable or do not configure this setting, you can move or install Windows apps on other volumes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not restricted. | +| 1 | Restricted. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDeploymentToNonSystemVolumes | +| Friendly Name | Disable installing Windows apps on non-system volumes | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | RestrictAppToSystemVolume | +| ADMX File Name | AppxPackageManager.admx | + + + + + + + + + +## ScheduleForceRestartForUpdateFailures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures +``` + + + + +To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied. Value type is string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML ```xml - - - - + + + + - - - - - - - - + + + + + ``` - - +
    + - - -
    + + + + - + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From dbdb3372dc685aabf2e0e17e1a63ff1ccbb08639 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 9 Dec 2022 14:14:41 -0500 Subject: [PATCH 016/152] application defaults fix syncml --- windows/client-management/mdm/policy-csp-applicationdefaults.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 7b6088c9a0..9bad1aa522 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -96,7 +96,7 @@ Here's the base64 encoded result: ``` syntax PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo= ``` -Here's the SyncMl example: +Here's the SyncML example: ```xml From 67fb27ec1c10e3f81cb31fa707aded68356a20a5 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 9 Dec 2022 14:34:34 -0800 Subject: [PATCH 017/152] add systemservices csp --- .../mdm/policy-csp-systemservices.md | 659 ++++++++++-------- 1 file changed, 359 insertions(+), 300 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index 750cb5bad8..f21931616b 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,308 +1,367 @@ --- -title: Policy CSP - SystemServices -description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4). +title: SystemServices Policy CSP +description: Learn more about the SystemServices Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - SystemServices -
    - - -## SystemServices policies - -
    -
    - SystemServices/ConfigureHomeGroupListenerServiceStartupMode -
    -
    - SystemServices/ConfigureHomeGroupProviderServiceStartupMode -
    -
    - SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode -
    -
    - SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode -
    -
    - - -
    - - -**SystemServices/ConfigureHomeGroupListenerServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *HomeGroup Listener* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureHomeGroupProviderServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *HomeGroup Provider* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Accessory Management Service* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Live Auth Manager* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Live Game Save* -- GP path: *Windows Settings/Security Settings/System Services* - - - - -
    - - -**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). - -Default: Manual. - - - -GP Info: -- GP Friendly name: *Xbox Live Networking Service* -- GP path: *Windows Settings/Security Settings/System Services* - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + +## ConfigureHomeGroupListenerServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupListenerServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HomeGroup Listener | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureHomeGroupProviderServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupProviderServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-4]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HomeGroup Provider | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxAccessoryManagementServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic | +| 3 (Default) | Manual | +| 4 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Accessory Management Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxLiveAuthManagerServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic | +| 3 (Default) | Manual | +| 4 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Live Auth Manager | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxLiveGameSaveServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic | +| 3 (Default) | Manual | +| 4 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Live Game Save | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + +## ConfigureXboxLiveNetworkingServiceStartupMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode +``` + + + + +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Automatic | +| 3 (Default) | Manual | +| 4 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Xbox Live Networking Service | +| Path | Windows Settings > Security Settings > System Services | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 38df9eea88e30dc77e2b412ea080a5f3c425b38f Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 9 Dec 2022 15:40:21 -0800 Subject: [PATCH 018/152] add storage csp --- .../mdm/policy-csp-storage.md | 1533 +++++++++-------- 1 file changed, 770 insertions(+), 763 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 787eee3961..56c09fc0f4 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,928 +1,935 @@ --- -title: Policy CSP - Storage -description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space. +title: Storage Policy CSP +description: Learn more about the Storage Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 03/25/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Storage -
    - - -## Storage policies - -
    -
    - Storage/AllowDiskHealthModelUpdates -
    -
    - Storage/AllowStorageSenseGlobal -
    -
    - Storage/AllowStorageSenseTemporaryFilesCleanup -
    -
    - Storage/ConfigStorageSenseCloudContentDehydrationThreshold -
    -
    - Storage/ConfigStorageSenseDownloadsCleanupThreshold -
    -
    - Storage/ConfigStorageSenseGlobalCadence -
    -
    - Storage/ConfigStorageSenseRecycleBinCleanupThreshold -
    -
    - Storage/EnhancedStorageDevices -
    -
    - Storage/RemovableDiskDenyWriteAccess -
    -
    - Storage/WPDDevicesDenyReadAccessPerDevice -
    -
    - Storage/WPDDevicesDenyReadAccessPerUser -
    -
    - Storage/WPDDevicesDenyWriteAccessPerDevice -
    -
    - Storage/WPDDevicesDenyWriteAccessPerUser -
    -
    - StorageHealthMonitor/DisableStorageHealthMonitor -
    -
    - -
    - - -**Storage/AllowDiskHealthModelUpdates** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows disk health model updates. - -Supported value type is integer. - - - -ADMX Info: -- GP Friendly name: *Allow downloading updates to the Disk Failure Prediction Model* -- GP name: *SH_AllowDiskHealthModelUpdates* -- GP path: *System/Storage Health* -- GP ADMX file name: *StorageHealth.admx* - - - -The following list shows the supported values: - -- 0 - Don't allow -- 1 (default) - Allow - - - - -
    - - -**Storage/AllowStorageSenseGlobal** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space, and it is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy. - -If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy). - -If you disable this policy setting, the machine will turn off Storage Sense. Users can't enable Storage Sense. - -If you don't configure this policy setting, Storage Sense is turned off by default until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. - - -ADMX Info: -- GP Friendly name: *Allow Storage Sense* -- GP name: *SS_AllowStorageSenseGlobal* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/AllowStorageSenseTemporaryFilesCleanup** - - -Versions prior to version 1903 don't support group policy. - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When Storage Sense runs, it can delete the user’s temporary files that aren't in use. - -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, Storage Sense will delete the user’s temporary files that aren't in use. Users can't disable this setting in Storage settings. - -If you disable this policy setting, Storage Sense won't delete the user’s temporary files. Users can't enable this setting in Storage settings. - -If you don't configure this policy setting, Storage Sense will delete the user’s temporary files by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Allow Storage Sense Temporary Files cleanup* -- GP name: *SS_AllowStorageSenseTemporaryFilesCleanup* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/ConfigStorageSenseCloudContentDehydrationThreshold** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain number of days. - -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. - -If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. - -If you set this value to zero, Storage Sense won't dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content. - -If you disable or don't configure this policy setting, then Storage Sense won't dehydrate any cloud-backed content by default. Users can configure this setting in Storage settings. - - - -ADMX Info: -- GP Friendly name: *Configure Storage Sense Cloud Content dehydration threshold* -- GP name: *SS_ConfigStorageSenseCloudContentDehydrationThreshold* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* - - - - - - - - - - - - - -
    - - -**Storage/ConfigStorageSenseDownloadsCleanupThreshold** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## AllowDiskHealthModelUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/AllowDiskHealthModelUpdates +``` + + + + +Allows downloading new updates to ML Model parameters for predicting storage disk failure. + +Enabled: +Updates would be downloaded for the Disk Failure Prediction Failure Model. + +Disabled: +Updates would not be downloaded for the Disk Failure Prediction Failure Model. + +Not configured: +Same as Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Do not allow | +| 1 (Default) | Allow | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SH_AllowDiskHealthModelUpdates | +| Friendly Name | Allow downloading updates to the Disk Failure Prediction Model | +| Location | Computer Configuration | +| Path | System > Storage Health | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageHealth | +| Registry Value Name | AllowDiskHealthModelUpdates | +| ADMX File Name | StorageHealth.admx | + + + + + + + + + +## AllowStorageSenseGlobal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseGlobal +``` + + + + +Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy. + +Enabled: +Storage Sense is turned on for the machine, with the default cadence as ‘during low free disk space’. Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy). + +Disabled: +Storage Sense is turned off the machine. Users cannot enable Storage Sense. + +Not Configured: +By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Allow | +| 0 (Default) | Block | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_AllowStorageSenseGlobal | +| Friendly Name | Allow Storage Sense | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| Registry Value Name | AllowStorageSenseGlobal | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## AllowStorageSenseTemporaryFilesCleanup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/AllowStorageSenseTemporaryFilesCleanup +``` + + + + +When Storage Sense runs, it can delete the user’s temporary files that are not in use. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +Storage Sense will delete the user’s temporary files that are not in use. Users cannot disable this setting in Storage settings. + +Disabled: +Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings. + +Not Configured: +By default, Storage Sense will delete the user’s temporary files. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Block | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_AllowStorageSenseTemporaryFilesCleanup | +| Friendly Name | Allow Storage Sense Temporary Files cleanup | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| Registry Value Name | AllowStorageSenseTemporaryFilesCleanup | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## ConfigStorageSenseCloudContentDehydrationThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseCloudContentDehydrationThreshold +``` + + + + +When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. + +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. + +Enabled: +You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365. +If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, or never dehydrating cloud-backed content. + +Disabled or Not Configured: +By default, Storage Sense will not dehydrate any cloud-backed content. Users can configure this setting in Storage settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseCloudContentDehydrationThreshold | +| Friendly Name | Configure Storage Sense Cloud Content dehydration threshold | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + + + + + + + + + +## ConfigStorageSenseDownloadsCleanupThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseDownloadsCleanupThreshold +``` + + + + When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. -If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. +Enabled: +You must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365. +If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. -If you set this value to zero, Storage Sense won't delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. +Disabled or Not Configured: +By default, Storage Sense will not delete files in the user’s Downloads folder. Users can configure this setting in Storage settings. + -If you disable or don't configure this policy setting, then Storage Sense won't delete files in the user’s Downloads folder by default. Users can configure this setting in Storage settings. + + + - - -ADMX Info: -- GP Friendly name: *Configure Storage Storage Downloads cleanup threshold* -- GP name: *SS_ConfigStorageSenseDownloadsCleanupThreshold* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseDownloadsCleanupThreshold | +| Friendly Name | Configure Storage Storage Downloads cleanup threshold | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + - - + + + -
    + - -**Storage/ConfigStorageSenseGlobalCadence** + +## ConfigStorageSenseGlobalCadence - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseGlobalCadence +``` + -> [!NOTE] -> Versions prior to version 1903 don't support group policy. - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Storage Sense can automatically clean some of the user’s files to free up disk space. -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. -If you enable this policy setting, you must provide the desired Storage Sense cadence. +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. -The following are supported options: +Enabled: +You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space). -- 1 – Daily -- 7 – Weekly -- 30 – Monthly -- 0 – During low free disk space +Disabled or Not Configured: +By default, the Storage Sense cadence is set to “during low free disk space”. Users can configure this setting in Storage settings. + -The default is 0 (during low free disk space). + + -If you don't configure this policy setting, then the Storage Sense cadence is set to “during low free disk space” by default. Users can configure this setting in Storage settings. +Use the following integer values for the supported options: - - -ADMX Info: -- GP Friendly name: *Configure Storage Sense cadence* -- GP name: *SS_ConfigStorageSenseGlobalCadence* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* +- `0`: During low free disk space (default) +- `1`: Daily +- `7`: Weekly +- `30`: Monthly - - + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseGlobalCadence | +| Friendly Name | Configure Storage Sense cadence | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + - -**Storage/ConfigStorageSenseRecycleBinCleanupThreshold** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConfigStorageSenseRecycleBinCleanupThreshold -> [!NOTE] -> Versions prior to version 1903 don't support group policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/ConfigStorageSenseRecycleBinCleanupThreshold +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. -> [!div class = "checklist"] -> * Device +If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. -
    +Enabled: +You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 - 365. +If you set this value to zero, Storage Sense will not delete files in the user’s Recycle Bin. The default is 30 days. - - -When Storage Sense runs, it can delete files in the user’s Recycle Bin if they've been there for over a certain number of days. +Disabled or Not Configured: +By default, Storage Sense will delete files in the user’s Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. + -If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy doesn't have any effect. + + + -If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365. + +**Description framework properties**: -If you set this value to zero, Storage Sense won't delete files in the user’s Recycle Bin. The default is 30 days. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 30 | + -If you disable or don't configure this policy setting, Storage Sense will delete files in the user’s Recycle Bin which have been there for over 30 days by default. Users can configure this setting in Storage settings. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Configure Storage Sense Recycle Bin cleanup threshold* -- GP name: *SS_ConfigStorageSenseRecycleBinCleanupThreshold* -- GP path: *System/Storage Sense* -- GP ADMX file name: *StorageSense.admx* +| Name | Value | +|:--|:--| +| Name | SS_ConfigStorageSenseRecycleBinCleanupThreshold | +| Friendly Name | Configure Storage Sense Recycle Bin cleanup threshold | +| Location | Computer Configuration | +| Path | System > Storage Sense | +| Registry Key Name | Software\Policies\Microsoft\Windows\StorageSense | +| ADMX File Name | StorageSense.admx | + - - + + + - - + - - + +## EnhancedStorageDevices - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/EnhancedStorageDevices +``` + - -**Storage/EnhancedStorageDevices** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures whether or not Windows will activate an Enhanced Storage device. -If you enable this policy setting, Windows won't activate un-activated Enhanced Storage devices. +If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. -If you disable or don't configure this policy setting, Windows will activate un-activated Enhanced Storage devices. +If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Do not allow Windows to activate Enhanced Storage devices* -- GP name: *TCGSecurityActivationDisabled* -- GP path: *System/Enhanced Storage Access* -- GP ADMX file name: *enhancedstorage.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | TCGSecurityActivationDisabled | +| Friendly Name | Do not allow Windows to activate Enhanced Storage devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | TCGSecurityActivationDisabled | +| ADMX File Name | EnhancedStorage.admx | + -
    + + + - -**Storage/RemovableDiskDenyWriteAccess** + - -The table below shows the applicability of Windows: + +## RemovableDiskDenyWriteAccess -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting denies write access to removable disks. -> [!div class = "checklist"] -> * Device +If you enable this policy setting, write access is denied to this removable storage class. -
    +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. - - -If you enable this policy setting, write access is denied to this removable storage class. If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + -> [!Note] -> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + + -Supported values for this policy are: -- 0 - Disable -- 1 - Enable + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny write access* -- GP name: *RemovableDisks_DenyWrite_Access_2* -- GP element: *RemovableDisks_DenyWrite_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - -Example for setting the device custom OMA-URI setting to enable this policy: -To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```./Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settings-windows-10) for information on how to create custom profiles. - - + +**Group policy mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyWrite_Access_2 | +| Friendly Name | Removable Disks: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| ADMX File Name | RemovableStorage.admx | + - -**Storage/WPDDevicesDenyReadAccessPerDevice** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## WPDDevicesDenyReadAccessPerDevice - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerDevice +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -
    +If you enable this policy setting, read access is denied to this removable storage class. - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. + >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. -Supported values for this policy are: -- Not configured -- Enabled -- Disabled + - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**Storage/WPDDevicesDenyReadAccessPerUser** +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access | +| Friendly Name | WPD Devices: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## WPDDevicesDenyWriteAccessPerDevice - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerDevice +``` + -
    + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. + >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. -Supported values for this policy are: -- Not configured -- Enabled -- Disabled + - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_1* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**Storage/WPDDevicesDenyWriteAccessPerDevice** +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access | +| Friendly Name | WPD Devices: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## WPDDevicesDenyReadAccessPerUser - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyReadAccessPerUser +``` + -
    + + +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. + >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. -Supported values for this policy are: -- Not configured -- Enabled -- Disabled + - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**Storage/WPDDevicesDenyWriteAccessPerUser** +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access | +| Friendly Name | WPD Devices: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## WPDDevicesDenyWriteAccessPerUser - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerUser +``` + -
    + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. - - -This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. -To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). - -If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. + >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. -Supported values for this policy are: -- Not configured -- Enabled -- Disabled + - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_1* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - - -**StorageHealthMonitor/DisableStorageHealthMonitor** +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access | +| Friendly Name | WPD Devices: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + -> [!NOTE] -> Versions prior to 21H2 will not support this policy + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): +## Related articles -> [!div class = "checklist"] -> * Device - -
    - - - -Allows disable of Storage Health Monitor. - -Supported value type is integer. - - - - -The following list shows the supported values: - -- 0 - Storage Health Monitor is Enabled. -- 1 - Storage Health Monitor is Disabled. - - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 039012e9a6899fa6328f531d6f0bd968723dae5e Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 9 Dec 2022 18:21:36 -0800 Subject: [PATCH 019/152] add start csp --- .../client-management/mdm/policy-csp-start.md | 3812 +++++++++-------- 1 file changed, 2027 insertions(+), 1785 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 92dac37002..d5550661b1 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,1959 +1,2201 @@ --- -title: Policy CSP - Start -description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu. +title: Start Policy CSP +description: Learn more about the Start Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Start -
    - - -## Start policies - -
    -
    - Start/AllowPinnedFolderDocuments -
    -
    - Start/AllowPinnedFolderDownloads -
    -
    - Start/AllowPinnedFolderFileExplorer -
    -
    - Start/AllowPinnedFolderHomeGroup -
    -
    - Start/AllowPinnedFolderMusic -
    -
    - Start/AllowPinnedFolderNetwork -
    -
    - Start/AllowPinnedFolderPersonalFolder -
    -
    - Start/AllowPinnedFolderPictures -
    -
    - Start/AllowPinnedFolderSettings -
    -
    - Start/AllowPinnedFolderVideos -
    -
    - Start/ConfigureStartPins -
    -
    - Start/DisableContextMenus -
    -
    - Start/DisableControlCenter -
    -
    - Start/DisableEditingQuickSettings -
    -
    - Start/ForceStartSize -
    -
    - Start/HideAppList -
    -
    - Start/HideChangeAccountSettings -
    -
    - Start/HideFrequentlyUsedApps -
    -
    - Start/HideHibernate -
    -
    - Start/HideLock -
    -
    - Start/HidePeopleBar -
    -
    - Start/HidePowerButton -
    -
    - Start/HideRecentJumplists -
    -
    - Start/HideRecentlyAddedApps -
    -
    - Start/HideRecommendedSection -
    -
    - Start/HideRestart -
    -
    - Start/HideShutDown -
    -
    - Start/HideSignOut -
    -
    - Start/HideSleep -
    -
    - Start/HideSwitchAccount -
    -
    - Start/HideTaskViewButton -
    -
    - Start/HideUserTile -
    -
    - Start/ImportEdgeAssets -
    -
    - Start/NoPinningToTaskbar -
    -
    - Start/ShowOrHideMostUsedApps -
    -
    - Start/SimplifyQuickSettings -
    -
    - Start/StartLayout -
    -
    - -
    - - -**Start/AllowPinnedFolderDocuments** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Documents shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderDownloads** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Downloads shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderFileExplorer** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the File Explorer shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderHomeGroup** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the HomeGroup shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderMusic** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Music shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderNetwork** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Network shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderPersonalFolder** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the PersonalFolder shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderPictures** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Pictures shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderSettings** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Settings shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/AllowPinnedFolderVideos** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls the visibility of the Videos shortcut on the Start menu. - - - -The following list shows the supported values: - -- 0 – The shortcut is hidden and disables the setting in the Settings app. -- 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. - - - - -
    - - -**Start/ConfigureStartPins** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 11
    HomeNo
    ProYes
    BusinessYes
    EnterpriseYes
    EducationYes
    - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the Windows 11 start menu experience. - -It contains details on how to configure the start menu on Windows 11, see [/windows-hardware/customize/desktop/customize-the-windows-11-start-menu](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu) - - - - - -This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order. - - - - -
    - - - -**Start/DisableContextMenus** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Enabling this policy prevents context menus from being invoked in the Start Menu. - - - -ADMX Info: -- GP Friendly name: *Disable context menus in the Start Menu* -- GP name: *DisableContextMenusInStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (don't disable). -- 1 - True (disable). - - - - - - - - - -
    - - -**Start/DisableControlCenter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume. - -If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled. - ->[!Note] -> A reboot is required for this policy setting to take effect. - - - - -ADMX Info: -- GP Friendly name: *Remove control center* -- GP name: *DisableControlCenter* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* - - - -The following are the supported values: - -- Integer 0 - Disabled/Not configured. -- Integer 1 - Enabled. - - - -
    - - -**Start/DisableEditingQuickSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy will allow admins to indicate whether Quick Actions can be edited by the user. - - - -The following are the supported values: - -- 0: Allow editing Quick Actions (default) -- 1: Disable editing Quick Actions - - - - -
    - - -**Start/ForceStartSize** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -Forces the start screen size. - -If there's policy configuration conflict, the latest configuration request is applied to the device. - - - -The following list shows the supported values: - -- 0 (default) – Don't force size of Start. -- 1 – Force non-fullscreen size of Start. -- 2 - Force a fullscreen size of Start. - - - - -
    - - -**Start/HideAppList** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -Allows IT Admins to configure Start by collapsing or removing the all apps list. - -> [!Note] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - -To validate on Desktop, do the following steps: - -- 1 - Enable policy and restart explorer.exe. -- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle isn't grayed out. -- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. -- 2c - If set to '3': Verify that there's no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - -The following list shows the supported values: - -- 0 (default) – None. -- 1 – Hide all apps list. -- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. -- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. - - - - -
    - - -**Start/HideChangeAccountSettings** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Change account settings" isn't available. - - - - -
    - - -**Start/HideFrequentlyUsedApps** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -> [!NOTE] -> This policy requires reboot to take effect. - -Allows IT Admins to configure Start by hiding most used apps. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable "Show most used apps" in the Settings app. -2. Use some apps to get them into the most used group in Start. -3. Enable policy. -4. Restart explorer.exe. -5. Check that "Show most used apps" Settings toggle is grayed out. -6. Check that most used apps don't appear in Start. - - - - -
    - - -**Start/HideHibernate** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. + + + + + +## AllowPinnedFolderDocuments + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDocuments +``` + + + + +This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderDownloads +``` + + + + +This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderFileExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderFileExplorer +``` + + + + +This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderHomeGroup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderHomeGroup +``` + + + + +This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderMusic + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderMusic +``` + + + + +This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderNetwork +``` + + + + +This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderPersonalFolder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPersonalFolder +``` + + + + +This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderPictures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderPictures +``` + + + + +This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderSettings +``` + + + + +This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## AllowPinnedFolderVideos + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/AllowPinnedFolderVideos +``` + + + + +This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The shortcut is hidden and disables the setting in the Settings app. | +| 1 | The shortcut is visible and disables the setting in the Settings app. | +| 65535 (Default) | There is no enforced configuration and the setting can be changed by the user. | + + + + + + + + + +## ConfigureStartPins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/ConfigureStartPins +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ConfigureStartPins +``` + + + + +Allows admin to override the default items pinned to Start. + + + + + +With this policy you can push a new list of pinned apps to override the default/current list of pinned apps in the Windows Start menu. + +For more information on how to configure the Start menu, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11). + +This string policy takes a JSON file named `LayoutModification.json`. The file enumerates the items to pin and their relative order. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureStartPins | +| Path | StartMenu > AT > StartMenu | + + + + + + + + + +## DisableContextMenus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/DisableContextMenus +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/DisableContextMenus +``` + + + + +This policy allows you to prevent users from being able to open context menus in the Start Menu. + +If you enable this policy, then invocations of context menus within the Start Menu will be ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not disable. | +| 1 | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableContextMenusInStart | +| Friendly Name | Disable context menus in the Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableContextMenusInStart | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## DisableEditingQuickSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/DisableEditingQuickSettings +``` + + + + +If you enable this policy, the user will be unable to modify Quick Settings. + +If you disable or don't configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable editing Quick Settings. | +| 1 | Disable editing Quick Settings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableEditingQuickSettings | +| Friendly Name | Disable Editing Quick Settings | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableEditingQuickSettings | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## ForceStartSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/ForceStartSize +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ForceStartSize +``` + + + + +If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings. + +If you disable or don’t configure this policy setting, Windows will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings. + + + + + +If there's a policy configuration conflict, the latest configuration request is applied to the device. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not force size of Start. | +| 1 | Force non-fullscreen size of Start. | +| 2 | Force a fullscreen size of Start. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ForceStartSize | +| Friendly Name | Force Start to be either full screen size or menu size | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HideAppList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideAppList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideAppList +``` + + + + +Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + + + + > [!NOTE] -> This policy can only be verified on laptops as "Hibernate" doesn't appear on regular PC's. +> This policy requires a reboot to take effect. +> +> There are significant fixes to this policy in Windows 10, version 1709. - - -The following list shows the supported values: +To validate this policy, do the following steps: -- 0 (default) – False (don't hide). -- 1 - True (hide). +1. Enable the policy and restart the explorer.exe process. - - -To validate on Laptop, do the following steps: +2. Verify the behavior based on the configuration. -1. Enable policy. -2. Open Start, click on the Power button, and verify "Hibernate" isn't available. + 1. If set to `1`: Verify that the **All Apps** list is collapsed, and that the **Settings** toggle isn't grayed out. - - + 2. If set to `2`: Verify that the **All Apps** list is collapsed, and that the **Settings** toggle is grayed out. -
    + 3. If set to `3`: Verify that there's no way of opening the **All Apps** list from Start, and that the **Settings** toggle is grayed out. - -**Start/HideLock** + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | None. | +| 1 | Hide all apps list. | +| 2 | Hide all apps list, and Disable "Show app list in Start menu" in Settings app. | +| 3 | Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. + +## HideChangeAccountSettings - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -- 0 (default) – False (don't hide). -- 1 - True (hide). + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideChangeAccountSettings +``` + - - -To validate on Desktop, do the following steps: + + +Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + -1. Enable policy. -2. Open Start, click on the user tile, and verify "Lock" isn't available. + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Start/HidePeopleBar** + +**Allowed values**: - -The table below shows the applicability of Windows: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideFrequentlyUsedApps -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideFrequentlyUsedApps +``` - - -Enabling this policy removes the people icon from the taskbar and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideFrequentlyUsedApps +``` + -Supported value type is integer. + + +If you enable this setting, the frequently used programs list is removed from the Start menu. - - -ADMX Info: -- GP Friendly name: *Remove the People Bar from the taskbar* -- GP name: *HidePeopleBar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu. + - - -The following list shows the supported values: + + -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - - -
    - - -**Start/HidePowerButton** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Allows IT Admins to configure Start by hiding the Power button from appearing. +To validate this policy, do the following steps: - - -The following list shows the supported values: +1. Enable the option to **Show most used apps** in the Settings app. +2. Use some apps to get them into the most used group in Start. +3. Enable this policy. +4. Restart the explorer.exe process, or restart the computer. +5. Check that the **Show most used apps** Settings toggle is grayed out. +6. Check that most used apps don't appear in Start. -- 0 (default) – False (don't hide). -- 1 - True (hide). + - - -To validate on Desktop, do the following steps: + +**Description framework properties**: -1. Enable policy. -2. Open Start, and verify the power button isn't available. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + - -**Start/HideRecentJumplists** + +**Group policy mapping**: - -The table below shows the applicability of Windows: +| Name | Value | +|:--|:--| +| Name | NoFrequentUsedPrograms | +| Friendly Name | Remove frequent programs list from the Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuMFUprogramsList | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideHibernate -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideHibernate +``` + + + + +Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + + + + - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy is only applicable on laptops. The **Hibernate** option doesn't appear on desktop PCs. -Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – False (don't hide). -- 1 - True (hide). +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -To validate on Desktop, do the following steps: + +**Allowed values**: -1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. -2. Pin Photos to the taskbar, and open some images in the photos app. -3. Right click the pinned photos app and verify that a jump list of recently opened items pops up. -4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. -5. Enable policy. -6. Restart explorer.exe. -7. Check that Settings toggle is grayed out. -8. Repeat Step 2. -9. Right Click pinned photos app and verify that there's no jump list of recent items. +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + - - + + + -
    + - -**Start/HideRecentlyAddedApps** + +## HideLock - -The table below shows the applicability of Windows: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideLock +``` + - -
    + + +Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [Start_HideLock_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Start/HideUserTile`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HidePowerButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HidePowerButton +``` + + + + +Enabling this policy hides the power button from appearing in the start menu. + + + + - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Allows IT Admins to configure Start by hiding recently added apps. + - - -ADMX Info: -- GP Friendly name: *Remove "Recently added" list from Start Menu* -- GP name: *HideRecentlyAddedApps* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) – False (don't hide). -- 1 - True (hide). + +**Allowed values**: - - -To validate on Desktop, do the following steps: +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + -1. Enable "Show recently added apps" in the Settings app. -2. Check if there are recently added apps in Start (if not, install some). -3. Enable policy. -4. Restart explorer.exe. -5. Check that "Show recently added apps" Settings toggle is grayed out. -6. Check that recently added apps don't appear in Start. + + + - - + -
    + +## HideRecentJumplists - -**Start/HideRecommendedSection** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists +``` + - -
    + + +Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy allows you to hide the Start Menu's Recommended section when enabled. - - - -The following are the supported values: - -- 0 (default): Do not hide the Start menu's Recommended section. -- 1: Hide the Start menu's Recommended section. - - - -
    - - -**Start/HideRestart** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" aren't available. - - - - -
    - - -**Start/HideShutDown** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" aren't available. - - - - -
    - - -**Start/HideSignOut** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the user tile, and verify "Sign out" isn't available. - - - - -
    - - -**Start/HideSleep** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the Power button, and verify that "Sleep" isn't available. - - - - -
    - - -**Start/HideSwitchAccount** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. - - - -The following list shows the supported values: - -- 0 (default) – False (don't hide). -- 1 - True (hide). - - - -To validate on Desktop, do the following steps: - -1. Enable policy. -2. Open Start, click on the user tile, and verify that "Switch account" isn't available. - - - - -
    - - -**Start/HideTaskViewButton** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app. - - - -The following are the supported values: - -- 0 (default): Do not hide the Taskbar's Task View button. -- 1: Hide the Taskbar's Task View button. - - - - -
    - - -**Start/HideUserTile** - - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Allows IT Admins to configure Start by hiding the user tile. +To validate this policy, do the following steps: - - -The following list shows the supported values: +1. In Settings, enable the option to **Show recently opened items in Jump Lists on Start of the taskbar**. +2. Pin the Photos app to the taskbar, and open some images in the app. +3. Right-click the pinned Photos app. Verify that a jump list shows recently opened items. +4. Toggle **Show recently opened items in Jump Lists on Start of the taskbar** in Settings to clear jump lists. +5. Enable this policy. +6. Restart the explorer.exe process or restart the computer. +7. Check that the Settings toggle is grayed out. +8. Open some images in the Photos app. +9. Right-click the pinned Photos app. Verify that there's no jump list of recent items. -- 0 (default) – False (don't hide). -- 1 - True (hide). + - - -To validate on Desktop, do the following steps: + +**Description framework properties**: -1. Enable policy. -2. Sign out. -3. Sign in, and verify that the user tile is gone from Start. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + - -**Start/ImportEdgeAssets** + + + - -The table below shows the applicability of Windows: + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## HideRecentlyAddedApps - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps +``` + -
    + + +This policy allows you to prevent the Start Menu from displaying a list of recently installed applications. + +If you enable this policy, the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled in Settings. + + + + - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy requires a reboot to take effect. -Here's more SKU support information: +To validate this policy, do the following steps: -|Release |SKU Supported | -|---------|---------| -|Windows 10, version 1607 and older |Not supported | -|Windows 10, version 1703 and later |Enterprise, Education, Business | -|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | +1. In the Settings app, enable the **Show recently added apps** option. +2. Check if there are recently added apps in Start. If not, install some apps. +3. Enable this policy. +4. Restart the explorer.exe process or restart the computer. +5. Check that the **Show recently added apps** Settings toggle is grayed out. +6. Check that recently added apps don't appear in Start. -This policy imports Edge assets (for example, .png/.jpg files) for secondary tiles into its local app data path, which allows the StartLayout policy to pin Edge secondary tiles as weblink that ties to the image asset files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecentlyAddedApps | +| Friendly Name | Remove "Recently added" list from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideRecentlyAddedApps | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HideRecommendedSection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedSection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedSection +``` + + + + +This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. + +If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Recommended section shown. | +| 1 | Recommended section hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecommendedSection | +| Friendly Name | Remove Recommended section from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideRecommendedSection | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HideRestart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRestart +``` + + + + +Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideShutDown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideShutDown +``` + + + + +Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideSignOut + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideSignOut +``` + + + + +Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | +| Dependency [Start_HideSignOut_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Start/HideUserTile`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideSleep + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideSleep +``` + + + + +Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideSwitchAccount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideSwitchAccount +``` + + + + +Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## HideTaskViewButton + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideTaskViewButton +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideTaskViewButton +``` + + + + +This policy setting allows you to hide the TaskView button. + +If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | TaskView button shown. | +| 1 | TaskView button hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideTaskViewButton | +| Friendly Name | Hide the TaskView button | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideTaskViewButton | +| ADMX File Name | Taskbar.admx | + + + + + + + + + +## HideUserTile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideUserTile +``` + + + + +Enabling this policy hides the user tile from appearing in the start menu. + + + + + +> [!NOTE] +> This policy requires a reboot to take effect. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + + + + + + + +## ImportEdgeAssets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets +``` + + + + +This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. + + + + + +> [!NOTE] +> This policy requires a reboot to take effect. + +This policy imports Microsoft Edge assets for secondary tiles into its local app data path. Example assets are images like `.png` or `.jpg` files. This policy allows the [StartLayout policy](#startlayout) to pin Microsoft Edge secondary tiles as weblinks that use the image asset files. > [!IMPORTANT] -> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy, whenever there are Edge secondary tiles to be pinned from StartLayout policy. +> This asset import only happens only when the [StartLayout policy](#startlayout) changes. Change this **ImportEdgeAssets** policy at the same time as the **StartLayout** policy, whenever there are Microsoft Edge secondary tiles to be pinned from the StartLayout policy. -The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). +The value set for this policy is an XML string containing Microsoft Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). - - -To validate on Desktop, do the following steps: +To validate this policy, do the following steps: -1. Set policy with an XML for Edge assets. -2. Set StartLayout policy to anything so that would trigger the Edge assets import. -3. Sign out/in. -4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. +1. Configure this policy with an XML for Microsoft Edge assets. +2. Set the [StartLayout policy](#startlayout) to anything that triggers the Microsoft Edge assets import. +3. Sign out and sign in again. +4. Verify that all Microsoft Edge assets defined in the XML show up in the following path: `%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState`. - - + -
    + +**Description framework properties**: - -**Start/NoPinningToTaskbar** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -The table below shows the applicability of Windows: + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NoPinningToTaskbar - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/NoPinningToTaskbar +``` + -
    + + +This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + - - -Allows IT Admins to configure the taskbar by disabling, pinning, and unpinning apps on the taskbar. + + - - -The following list shows the supported values: +To validate this policy, do the following steps: -- 0 (default) – False (pinning enabled). -- 1 - True (pinning disabled). +1. Enable this policy. +2. Right-click on an app pinned to the taskbar. +3. Verify that the option to **Unpin from taskbar** doesn't show. +4. Open the Start menu and right-click on one of the app list icons. +5. Select **More** and verify that **Pin to taskbar** doesn't show. - - -To validate on Desktop, do the following steps: + -1. Enable policy. -2. Right click on a program pinned to taskbar. -3. Verify that "Unpin from taskbar" menu doesn't show. -4. Open Start and right click on one of the app list icons. -5. Verify that More->Pin to taskbar menu doesn't show. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Start/ShowOrHideMostUsedApps** +| Value | Description | +|:--|:--| +| 0 (Default) | Pinning enabled. | +| 1 | Pinning disabled. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ShowOrHideMostUsedApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/Start/ShowOrHideMostUsedApps +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Start/ShowOrHideMostUsedApps +``` + - - + + +If you enable this policy setting, you can configure Start menu to show or hide the list of user's most used apps, regardless of user settings. - - -The following list shows the supported values: +Selecting "Show" will force the "Most used" list to be shown, and user cannot change to hide it using the Settings app. -- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings. -- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings. -- Not set - User can use Settings to hide or show Most Used Apps in Start Menu. +Selecting "Hide" will force the "Most used" list to be hidden, and user cannot change to show it using the Settings app. -On clean install, the user setting defaults to "hide". +Selecting "Not Configured", or if you disable or do not configure this policy setting, all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default behavior. - +Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of Start menu but with fewer options). + - + + + -
    + +**Description framework properties**: - -**Start/SimplifyQuickSettings** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Do not enforce visibility of list of most used apps in Start; user can control via Settings app (default behavior equivalent to not configuring this policy). | +| 1 | Force showing of list of most used apps in Start; corresponding toggle in Setting app is disabled. | +| 2 | Force hiding of list of most used apps in Start; corresponding toggle in Setting app is disabled. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | ShowOrHideMostUsedApps | +| Friendly Name | Show or hide "Most used" list from Start menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | StartMenu.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded. + +## SimplifyQuickSettings - - -The following are the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -- 0: load regular Quick Actions layout. -- 1: load simplified Quick Actions layout. + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/SimplifyQuickSettings +``` + - - + + +If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. -
    +If you disable or don't configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked. + - -**Start/StartLayout** + + + - -The table below shows the applicability of Windows: + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 (Default) | Load regular Quick Settings layout. | +| 1 | Load simplified Quick Settings layout. | + -> [!div class = "checklist"] -> * User -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | SimplifyQuickSettings | +| Friendly Name | Simplify Quick Settings Layout | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | SimplifyQuickSettings | +| ADMX File Name | StartMenu.admx | + - - -> [!IMPORTANT] -> In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope) + + + -Here's more SKU support information: + -|Release |SKU Supported | -|---------|---------| -|Windows 10, version 1511 and older |Not supported | -|Windows 10, version 1607 and later |Enterprise, Education, Business | -|Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | + +## StartLayout -Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -For more information on how to customize the Start layout, see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar). + +```User +./User/Vendor/MSFT/Policy/Config/Start/StartLayout +``` - - -ADMX Info: -- GP Friendly name: *Start Layout* -- GP name: *LockedStartLayout* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +```Device +./Device/Vendor/MSFT/Policy/Config/Start/StartLayout +``` + - - -
    + + +Specifies the Start layout for users. - +This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. +To use this setting, you must first manually configure a device's Start layout to the desired look and feel. Once you are done, run the Export-StartLayout PowerShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured. -## Related topics +Once the XML file is generated and moved to the desired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file is not available when the user logs on, the layout won't be changed. Users cannot customize their Start screen while this setting is enabled. + +If you disable this setting or do not configure it, the Start screen layout won't be changed and users will be able to customize it. + + + + + +If both user and device policies are set, the user policy is used. You can also use this policy to change apps that are pinned to the taskbar. + +For more information on how to customize the Start layout, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11) and [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LockedStartLayout | +| Friendly Name | Start Layout | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | LockedStartLayout | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## DisableControlCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/DisableControlCenter +``` + + + + +This policy setting removes Quick Settings from the bottom right area on the taskbar. + +The quick settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. + +If this setting is enabled, Quick Settings is not displayed in the quick settings area. + +A reboot is required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Quick Settings. | +| 1 | Disable Quick Settings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableControlCenter | +| Friendly Name | Remove Quick Settings | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableControlCenter | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## HidePeopleBar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar +``` + + + + +This policy allows you to remove the People Bar from the taskbar and disables the My People experience. + +If you enable this policy the people icon will be removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users will not be able to pin people to the taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HidePeopleBar | +| Friendly Name | Remove the People Bar from the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HidePeopleBar | +| ADMX File Name | StartMenu.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 5490e58f20fda2e976b2db124171e5e9c59de05c Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 9 Dec 2022 18:23:35 -0800 Subject: [PATCH 020/152] add speech csp --- .../mdm/policy-csp-speech.md | 127 ++++++++++-------- 1 file changed, 71 insertions(+), 56 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 7375101c7d..379b03e5fa 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,83 +1,98 @@ --- -title: Policy CSP - Speech -description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models. +title: Speech Policy CSP +description: Learn more about the Speech Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Speech -
    + + + - -## Speech policies + +## AllowSpeechModelUpdate -
    -
    - Speech/AllowSpeechModelUpdate -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Speech/AllowSpeechModelUpdate +``` + - -**Speech/AllowSpeechModelUpdate** + + +Specifies whether the device will receive updates to the speech recognition and speech synthesis models. - +A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If enabled (default), the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - -ADMX Info: -- GP Friendly name: *Allow Automatic Update of Speech Data* -- GP name: *AllowSpeechModelUpdate* -- GP path: *Windows Components/Speech* -- GP ADMX file name: *Speech.admx* + +**Group policy mapping**: - - -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AllowSpeechModelUpdate | +| Friendly Name | Allow Automatic Update of Speech Data | +| Location | Computer Configuration | +| Path | Windows Components > Speech | +| Registry Key Name | Software\Policies\Microsoft\Speech | +| Registry Value Name | AllowSpeechModelUpdate | +| ADMX File Name | Speech.admx | + -- 0 – Not allowed. -- 1 (default) – Allowed. + + + - - -
    + + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From db89084d7017980e576aa3773db637eee8460e7c Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Fri, 9 Dec 2022 18:44:50 -0800 Subject: [PATCH 021/152] add settings csp --- .../mdm/policy-csp-settings.md | 1159 +++++++++-------- 1 file changed, 606 insertions(+), 553 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 10a0628e8d..a285171789 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,706 +1,697 @@ --- -title: Policy CSP - Settings -description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings. +title: Settings Policy CSP +description: Learn more about the Settings Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/09/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Settings -
    + + + - -## Settings policies + +## AllowAutoPlay -
    -
    - Settings/AllowAutoPlay -
    -
    - Settings/AllowDataSense -
    -
    - Settings/AllowDateTime -
    -
    - Settings/AllowEditDeviceName -
    -
    - Settings/AllowLanguage -
    -
    - Settings/AllowOnlineTips -
    -
    - Settings/AllowPowerSleep -
    -
    - Settings/AllowRegion -
    -
    - Settings/AllowSignInOptions -
    -
    - Settings/AllowVPN -
    -
    - Settings/AllowWorkplace -
    -
    - Settings/AllowYourAccount -
    -
    - Settings/ConfigureTaskbarCalendar -
    -
    - Settings/PageVisibilityList -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    - - -**Settings/AllowAutoPlay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowAutoPlay +``` + + + Allows the user to change Auto Play settings. -> [!NOTE] -> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. +**Note**: Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowDataSense** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowDataSense - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowDataSense +``` + -
    - - - + + Allows the user to change Data Sense settings. + + + + > [!NOTE] -> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later. +> The AllowDataSense policy isn't supported on Windows 10, version 2004 and later. - - -The following list shows the supported values: + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowDateTime** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowDateTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowDateTime +``` + -
    - - - + + Allows the user to change date and time settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowEditDeviceName** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEditDeviceName -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowEditDeviceName +``` + - - -This policy disables edit device name option on Settings. + + +Allows the user to edit the device name. + - - + + + -Describes what values are supported in/by this policy and meaning of each value, and default value. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowLanguage** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowLanguage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowLanguage +``` + + + Allows the user to change the language settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowOnlineTips** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowOnlineTips - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowOnlineTips +``` + -
    + + +Enables or disables the retrieval of online tips and help for the Settings app. If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. + - - -Enables or disables the retrieval of online tips and help for the Settings app. + + + -If disabled, Settings won't contact Microsoft content services to retrieve tips and help content. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Allow Online Tips* -- GP name: *AllowOnlineTips* -- GP element: *CheckBox_AllowOnlineTips* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**Settings/AllowPowerSleep** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowOnlineTips | +| Friendly Name | Allow Online Tips | +| Element Name | Allow Settings to retrieve online tips. | +| Location | Computer Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | ControlPanel.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowPowerSleep -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowPowerSleep +``` + + + Allows the user to change power and sleep settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowRegion** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowRegion - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowRegion +``` + + + Allows the user to change the region settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowSignInOptions** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowSignInOptions - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowSignInOptions +``` + -
    + + +Allows the user to change sign-in options. + - - + + + -Allows the user to change sign in options. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - -**Settings/AllowVPN** + - + +## AllowVPN -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowVPN +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Allows the user to change VPN settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowWorkplace** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowWorkplace - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowWorkplace +``` + + + Allows user to change workplace settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/AllowYourAccount** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowYourAccount - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/AllowYourAccount +``` + -
    - - - + + Allows user to change account settings. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Settings/ConfigureTaskbarCalendar** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PageVisibilityList - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList +``` + - - -Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. + + +Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string showonly: or hide:. Pages are identified by a shortened version of their already published URIs, which is the URI minus the ms-settings: prefix. For example, if the URI for a settings page is ms-settings:bluetooth, the page identifier used in the policy will be just bluetooth. Multiple page identifiers are separated by semicolons. The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI ms-settings:about and ms-settings:bluetooth respectively:showonly:about;bluetooth. If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i. e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. - - -ADMX Info: -- GP Friendly name: *Show additional calendar* -- GP name: *ConfigureTaskbarCalendar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* +**Note** that if a page is already hidden for another reason, then it will remain hidden even if it is in a showonly: list. The format of the PageVisibilityList value is as follows: The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. There are two variants: one that shows only the given pages and one which hides the given pages. The first variant starts with the string showonly: and the second with the string hide:. Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI ms-settings:network-wifi would be just network-wifi. The default value for this setting is an empty string, which is interpreted as show everything. Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:network-wifi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:showonly:network-wifi;bluetooth. Example 2, specifies that the wifi page should not be shown:hide:network-wifi + - - -The following list shows the supported values: + + -- 0 (default) – User will be allowed to configure the setting. -- 1 – Don't show more calendars. -- 2 - Simplified Chinese (Lunar). -- 3 - Traditional Chinese (Lunar). +For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). - - +To validate this policy, use the following steps: -
    +1. In the Settings app, open **System** and verify that the **About** page is visible and accessible. +2. Configure this policy with the following string: `hide:about`. +3. Open **System** settings again and verify that the **About** page is hidden. - -**Settings/PageVisibilityList** + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | SettingsPageVisibility | +| Friendly Name | Settings Page Visibility | +| Element Name | Settings Page Visibility | +| Location | Computer and User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | ControlPanel.admx | + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Allows IT Admins to either: - -- Prevent specific pages in the System Settings app from being visible or accessible. - - OR - -- To do so for all pages except the pages you enter. - -The mode will be specified by the policy string beginning with either the string `showonly:` or `hide:`. Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. - -For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). - -The following example shows a policy that allows access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - -`showonly:about;bluetooth` - -If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable, if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list. - -The format of the PageVisibilityList value is as follows: - -- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one that hides the given pages. -- The first variant starts with the string `showonly:` and the second with the string "hide:". -- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the `ms-settings:xyz` URI for the page, minus the `ms-settings:` prefix. So the identifier for the page with the `ms-settings:network-wifi` URI would be `network-wifi`. - -The default value for this setting is an empty string, which is interpreted as show everything. + + **Example 1**: Only the wifi and bluetooth pages should be shown. They have URIs `ms-settings:network-wifi` and `ms-settings:bluetooth`. All other pages (and the categories they're in) will be hidden: @@ -710,29 +701,91 @@ The default value for this setting is an empty string, which is interpreted as s `hide:network-wifi` - - -ADMX Info: -- GP Friendly name: *Settings Page Visibility* -- GP name: *SettingsPageVisibility* -- GP element: *SettingsPageVisibilityBox* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +**Example 3**: Allow access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - - -To validate on Desktop, use the following steps: +`showonly:about;bluetooth` -1. Open System Settings and verify that the About page is visible and accessible. -2. Configure the policy with the following string: "hide:about". -3. Open System Settings again and verify that the About page is no longer accessible. + - - -
    + - + +## ConfigureTaskbarCalendar -## Related topics + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + +```User +./User/Vendor/MSFT/Policy/Config/Settings/ConfigureTaskbarCalendar +``` + + + + +By default, the calendar is set according to the locale of the operating system, and users can show an additional calendar. For zh-CN and zh-SG locales, an additional calendar shows the lunar month and date and holiday names in Simplified Chinese (Lunar) by default. For zh-TW, zh-HK, and zh-MO locales, an additional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default. + +If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale. + +If you disable this policy setting, users cannot show an additional calendar, regardless of the locale. + +If you do not configure this policy setting, the calendar will be set according to the default logic. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User will be allowed to configure the setting. | +| 1 | Don't show additional calendars. | +| 2 | Simplified Chinese (Lunar). | +| 3 | Traditional Chinese (Lunar). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureTaskbarCalendar | +| Friendly Name | Show additional calendar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Settings | +| Registry Value Name | AllowConfigureTaskbarCalendar | +| ADMX File Name | Taskbar.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 61adb8c41421d96adba6613de09054a8025eeaa2 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 13 Dec 2022 20:10:29 -0500 Subject: [PATCH 022/152] applicationmanagement appruntime appvirtualization --- .../mdm/policy-csp-applicationmanagement.md | 51 + .../mdm/policy-csp-appruntime.md | 128 +- .../mdm/policy-csp-appvirtualization.md | 2670 +++++++++-------- .../mdm/policy-csp-attachmentmanager.md | 304 +- 4 files changed, 1732 insertions(+), 1421 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 42280b4c3e..dc202dce19 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -315,6 +315,9 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + @@ -669,6 +672,8 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window +This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. + @@ -683,6 +688,18 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window +For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. +Example of the declaration here: + +**Example**: +```xml + + + +``` + +> [!NOTE] +> This policy only works on modern apps. @@ -1118,6 +1135,40 @@ To ensure apps are up-to-date, this policy allows the admins to set a recurring + +> [!NOTE] +> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. + +**Example**: + + +Sample SyncML: + +```xml + + + + 2 + + + ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures + + + + xml + + + + + + + + +``` diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 2a20687b94..512ee46ca4 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -1,90 +1,98 @@ --- -title: Policy CSP - AppRuntime -description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. +title: AppRuntime Policy CSP +description: Learn more about the AppRuntime Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/12/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AppRuntime > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowMicrosoftAccountsToBeOptional - -## AppRuntime policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    -
    - AppRuntime/AllowMicrosoftAccountsToBeOptional -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AppRuntime/AllowMicrosoftAccountsToBeOptional +``` + - -
    - - -**AppRuntime/AllowMicrosoftAccountsToBeOptional** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Microsoft accounts to be optional* -- GP name: *AppxRuntimeMicrosoftAccountsOptional* -- GP path: *Windows Components/App runtime* -- GP ADMX file name: *AppXRuntime.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | AppxRuntimeMicrosoftAccountsOptional | +| Friendly Name | Allow Microsoft accounts to be optional | +| Location | Computer Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | MSAOptional | +| ADMX File Name | AppXRuntime.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 9998b990ad..a32944f9f2 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -1,699 +1,733 @@ --- -title: Policy CSP - AppVirtualization -description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. +title: AppVirtualization Policy CSP +description: Learn more about the AppVirtualization Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/12/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AppVirtualization > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowAppVClient - -## AppVirtualization policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - AppVirtualization/AllowAppVClient -
    -
    - AppVirtualization/AllowDynamicVirtualization -
    -
    - AppVirtualization/AllowPackageCleanup -
    -
    - AppVirtualization/AllowPackageScripts -
    -
    - AppVirtualization/AllowPublishingRefreshUX -
    -
    - AppVirtualization/AllowReportingServer -
    -
    - AppVirtualization/AllowRoamingFileExclusions -
    -
    - AppVirtualization/AllowRoamingRegistryExclusions -
    -
    - AppVirtualization/AllowStreamingAutoload -
    -
    - AppVirtualization/ClientCoexistenceAllowMigrationmode -
    -
    - AppVirtualization/IntegrationAllowRootGlobal -
    -
    - AppVirtualization/IntegrationAllowRootUser -
    -
    - AppVirtualization/PublishingAllowServer1 -
    -
    - AppVirtualization/PublishingAllowServer2 -
    -
    - AppVirtualization/PublishingAllowServer3 -
    -
    - AppVirtualization/PublishingAllowServer4 -
    -
    - AppVirtualization/PublishingAllowServer5 -
    -
    - AppVirtualization/StreamingAllowCertificateFilterForClient_SSL -
    -
    - AppVirtualization/StreamingAllowHighCostLaunch -
    -
    - AppVirtualization/StreamingAllowLocationProvider -
    -
    - AppVirtualization/StreamingAllowPackageInstallationRoot -
    -
    - AppVirtualization/StreamingAllowPackageSourceRoot -
    -
    - AppVirtualization/StreamingAllowReestablishmentInterval -
    -
    - AppVirtualization/StreamingAllowReestablishmentRetries -
    -
    - AppVirtualization/StreamingSharedContentStoreMode -
    -
    - AppVirtualization/StreamingSupportBranchCache -
    -
    - AppVirtualization/StreamingVerifyCertificateRevocationList -
    -
    - AppVirtualization/VirtualComponentsAllowList -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient +``` + - -
    - - -**AppVirtualization/AllowAppVClient** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable App-V Client* -- GP name: *EnableAppV* -- GP path: *System/App-V* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AppVirtualization/AllowDynamicVirtualization** +| Name | Value | +|:--|:--| +| Name | EnableAppV | +| Friendly Name | Enable App-V Client | +| Location | Computer Configuration | +| Path | System > App-V | +| Registry Key Name | Software\Policies\Microsoft\AppV\Client | +| Registry Value Name | Enabled | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowDynamicVirtualization - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowDynamicVirtualization +``` + -
    + + +Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. + - - -This policy enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Enable Dynamic Virtualization* -- GP name: *Virtualization_JITVEnable* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Virtualization_JITVEnable | +| Friendly Name | Enable Dynamic Virtualization | +| Location | Computer Configuration | +| Path | System > App-V > Virtualization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization | +| Registry Value Name | EnableDynamicVirtualization | +| ADMX File Name | appv.admx | + - -**AppVirtualization/AllowPackageCleanup** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowPackageCleanup - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageCleanup +``` + -> [!div class = "checklist"] -> * Device + + +Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. + -
    + + + - - -Enables automatic cleanup of App-v packages that were added after Windows 10 anniversary release. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Enable automatic cleanup of unused appv packages* -- GP name: *PackageManagement_AutoCleanupEnable* -- GP path: *System/App-V/PackageManagement* -- GP ADMX file name: *appv.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | PackageManagement_AutoCleanupEnable | +| Friendly Name | Enable automatic cleanup of unused appv packages | +| Location | Computer Configuration | +| Path | System > App-V > PackageManagement | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\PackageManagement | +| Registry Value Name | AutoCleanupEnabled | +| ADMX File Name | appv.admx | + -
    + + + - -**AppVirtualization/AllowPackageScripts** + - + +## AllowPackageScripts -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Enables scripts defined in the package manifest of configuration files that should run. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy enables scripts defined in the package manifest of configuration files that should run. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Enable Package Scripts* -- GP name: *Scripting_Enable_Package_Scripts* -- GP path: *System/App-V/Scripting* -- GP ADMX file name: *appv.admx* +| Name | Value | +|:--|:--| +| Name | Scripting_Enable_Package_Scripts | +| Friendly Name | Enable Package Scripts | +| Location | Computer Configuration | +| Path | System > App-V > Scripting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Scripting | +| Registry Value Name | EnablePackageScripts | +| ADMX File Name | appv.admx | + - - + + + -
    + - -**AppVirtualization/AllowPublishingRefreshUX** + +## AllowPublishingRefreshUX - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPublishingRefreshUX +``` + - -
    + + +Enables a UX to display to the user when a publishing refresh is performed on the client. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy enables a UX to display to the user when a publishing refresh is performed on the client. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Enable Publishing Refresh UX* -- GP name: *Enable_Publishing_Refresh_UX* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Name | Value | +|:--|:--| +| Name | Publishing_Enable_Refresh_UX | +| Friendly Name | Enable Publishing Refresh UX | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing | +| Registry Value Name | EnablePublishingRefreshUI | +| ADMX File Name | appv.admx | + - - + + + -
    + - -**AppVirtualization/AllowReportingServer** + +## AllowReportingServer - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowReportingServer +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Reporting Server URL: Displays the URL of reporting server. -Reporting Time: When the client data should be reported to the server. Acceptable range is 0 ~ 23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, for example, 9AM. +Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. Repeat reporting for every (days): The periodical interval in days for sending the reporting data. -Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this deletion occurs, and won't be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. - -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When report data is being transmitted to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these components won't factor into the block size calculations; the potential exists for a large package list to result in transmission failures over low bandwidth or unreliable connections. - - - - - -ADMX Info: -- GP Friendly name: *Reporting Server* -- GP name: *Reporting_Server_Policy* -- GP path: *System/App-V/Reporting* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/AllowRoamingFileExclusions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - - - - -ADMX Info: -- GP Friendly name: *Roaming File Exclusions* -- GP name: *Integration_Roaming_File_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/AllowRoamingRegistryExclusions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - - - - -ADMX Info: -- GP Friendly name: *Roaming Registry Exclusions* -- GP name: *Integration_Roaming_Registry_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/AllowStreamingAutoload** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies how new packages should be loaded automatically by App-V on a specific computer. - - - - - -ADMX Info: -- GP Friendly name: *Specify what to load in background (also known as AutoLoad)* -- GP name: *Steaming_Autoload* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Migration mode allows the App-V client to modify shortcuts and FTAs for packages created using a previous version of App-V. - - - - - -ADMX Info: -- GP Friendly name: *Enable Migration Mode* -- GP name: *Client_Coexistence_Enable_Migration_mode* -- GP path: *System/App-V/Client Coexistence* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/IntegrationAllowRootGlobal** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - - - - - -ADMX Info: -- GP Friendly name: *Integration Root User* -- GP name: *Integration_Root_User* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/IntegrationAllowRootUser** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - - - - -ADMX Info: -- GP Friendly name: *Integration Root Global* -- GP name: *Integration_Root_Global* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/PublishingAllowServer1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. + +Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ReportingServer | +| Friendly Name | Reporting Server | +| Location | Computer Configuration | +| Path | System > App-V > Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Reporting | +| Registry Value Name | ReportingEnabled | +| ADMX File Name | appv.admx | + + + + + + + + + +## AllowRoamingFileExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowRoamingFileExclusions +``` + + + + +Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Roaming_File_Exclusions | +| Friendly Name | Roaming File Exclusions | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## AllowRoamingRegistryExclusions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowRoamingRegistryExclusions +``` + + + + +Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Roaming_Registry_Exclusions | +| Friendly Name | Roaming Registry Exclusions | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## AllowStreamingAutoload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowStreamingAutoload +``` + + + + +Specifies how new packages should be loaded automatically by App-V on a specific computer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Steaming_Autoload | +| Friendly Name | Specify what to load in background (aka AutoLoad) | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## ClientCoexistenceAllowMigrationmode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/ClientCoexistenceAllowMigrationmode +``` + + + + +Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Client_Coexistence_Enable_Migration_mode | +| Friendly Name | Enable Migration Mode | +| Location | Computer Configuration | +| Path | System > App-V > Client Coexistence | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Coexistence | +| Registry Value Name | MigrationMode | +| ADMX File Name | appv.admx | + + + + + + + + + +## IntegrationAllowRootGlobal + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/IntegrationAllowRootGlobal +``` + + + + +Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Root_User | +| Friendly Name | Integration Root User | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## IntegrationAllowRootUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/IntegrationAllowRootUser +``` + + + + +Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Integration_Root_Global | +| Friendly Name | Integration Root Global | +| Location | Computer Configuration | +| Path | System > App-V > Integration | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Integration | +| ADMX File Name | appv.admx | + + + + + + + + + +## PublishingAllowServer1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer1 +``` + + + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in(Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -701,61 +735,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 1 Settings* -- GP name: *Publishing_Server1_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer2** +| Name | Value | +|:--|:--| +| Name | PublishingServer1 | +| Friendly Name | Publishing Server 1 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\1 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -763,61 +808,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on la sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 2 Settings* -- GP name: *Publishing_Server2_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer3** +| Name | Value | +|:--|:--| +| Name | PublishingServer2 | +| Friendly Name | Publishing Server 2 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer3 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer3 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -825,61 +881,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 3 Settings* -- GP name: *Publishing_Server3_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer4** +| Name | Value | +|:--|:--| +| Name | PublishingServer3 | +| Friendly Name | Publishing Server 3 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\3 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer4 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer4 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -887,61 +954,72 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Publishing Server 4 Settings* -- GP name: *Publishing_Server4_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AppVirtualization/PublishingAllowServer5** +| Name | Value | +|:--|:--| +| Name | PublishingServer4 | +| Friendly Name | Publishing Server 4 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\4 | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishingAllowServer5 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer5 +``` + -
    - - - + + Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). -Global Publishing Refresh On Logon: Triggers a global publishing refresh on a sign in (Boolean). +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. @@ -949,512 +1027,664 @@ Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, User Publishing Refresh: Enables user publishing refresh (Boolean). -User Publishing Refresh On Logon: Triggers a user publishing refresh on a sign in (Boolean). +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - -ADMX Info: -- GP Friendly name: *Publishing Server 5 Settings* -- GP name: *Publishing_Server5_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the path to a valid certificate in the certificate store. - - - - - -ADMX Info: -- GP Friendly name: *Certificate Filter For Client SSL* -- GP name: *Streaming_Certificate_Filter_For_Client_SSL* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowHighCostLaunch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (for example, 4G). - - - - - -ADMX Info: -- GP Friendly name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* -- GP name: *Streaming_Allow_High_Cost_Launch* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowLocationProvider** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the CLSID for a compatible implementation of the AppvPackageLocationProvider interface. - - - - - -ADMX Info: -- GP Friendly name: *Location Provider* -- GP name: *Streaming_Location_Provider* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies directory where all new applications and updates will be installed. - - - - - -ADMX Info: -- GP Friendly name: *Package Installation Root* -- GP name: *Streaming_Package_Installation_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowPackageSourceRoot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy overrides source location for downloading package content. - - - - - -ADMX Info: -- GP Friendly name: *Package Source Root* -- GP name: *Streaming_Package_Source_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowReestablishmentInterval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the number of seconds between attempts to reestablish a dropped session. - - - - - -ADMX Info: -- GP Friendly name: *Reestablishment Interval* -- GP name: *Streaming_Reestablishment_Interval* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingAllowReestablishmentRetries** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the number of times to retry a dropped session. - - - - - -ADMX Info: -- GP Friendly name: *Reestablishment Retries* -- GP name: *Streaming_Reestablishment_Retries* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingSharedContentStoreMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy specifies that streamed package contents will be not be saved to the local hard disk. - - - - - -ADMX Info: -- GP Friendly name: *Shared Content Store (SCS) mode* -- GP name: *Streaming_Shared_Content_Store_Mode* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingSupportBranchCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support isn't desired, this setting should be disabled. The client can then apply HTTP optimizations that are incompatible with BranchCache. - - - - - -ADMX Info: -- GP Friendly name: *Enable Support for BranchCache* -- GP name: *Streaming_Support_Branch_Cache* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -
    - - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PublishingServer5 | +| Friendly Name | Publishing Server 5 Settings | +| Location | Computer Configuration | +| Path | System > App-V > Publishing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\5 | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowCertificateFilterForClient_SSL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +``` + + + + +Specifies the path to a valid certificate in the certificate store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Certificate_Filter_For_Client_SSL | +| Friendly Name | Certificate Filter For Client SSL | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowHighCostLaunch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowHighCostLaunch +``` + + + + +This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Allow_High_Cost_Launch | +| Friendly Name | Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | AllowHighCostLaunch | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowLocationProvider + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowLocationProvider +``` + + + + +Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Location_Provider | +| Friendly Name | Location Provider | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowPackageInstallationRoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowPackageInstallationRoot +``` + + + + +Specifies directory where all new applications and updates will be installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Package_Installation_Root | +| Friendly Name | Package Installation Root | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowPackageSourceRoot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowPackageSourceRoot +``` + + + + +Overrides source location for downloading package content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Package_Source_Root | +| Friendly Name | Package Source Root | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowReestablishmentInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval +``` + + + + +Specifies the number of seconds between attempts to reestablish a dropped session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Reestablishment_Interval | +| Friendly Name | Reestablishment Interval | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingAllowReestablishmentRetries + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentRetries +``` + + + + +Specifies the number of times to retry a dropped session. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Reestablishment_Retries | +| Friendly Name | Reestablishment Retries | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingSharedContentStoreMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingSharedContentStoreMode +``` + + + + +Specifies that streamed package contents will be not be saved to the local hard disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Shared_Content_Store_Mode | +| Friendly Name | Shared Content Store (SCS) mode | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | SharedContentStoreMode | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingSupportBranchCache + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingSupportBranchCache +``` + + + + +If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Streaming_Support_Branch_Cache | +| Friendly Name | Enable Support for BranchCache | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | SupportBranchCache | +| ADMX File Name | appv.admx | + + + + + + + + + +## StreamingVerifyCertificateRevocationList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingVerifyCertificateRevocationList +``` + + + + Verifies Server certificate revocation status before streaming using HTTPS. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Verify certificate revocation list* -- GP name: *Streaming_Verify_Certificate_Revocation_List* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AppVirtualization/VirtualComponentsAllowList** +| Name | Value | +|:--|:--| +| Name | Streaming_Verify_Certificate_Revocation_List | +| Friendly Name | Verify certificate revocation list | +| Location | Computer Configuration | +| Path | System > App-V > Streaming | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Streaming | +| Registry Value Name | VerifyCertificateRevocationList | +| ADMX File Name | appv.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## VirtualComponentsAllowList - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList +``` + -
    + + +Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. + - - -This policy specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc.). Only processes whose full path matches one of these items can use virtual components. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Virtual Component Process Allow List* -- GP name: *Virtualization_JITVAllowList* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Virtualization_JITVAllowList | +| Friendly Name | Virtual Component Process Allow List | +| Location | Computer Configuration | +| Path | System > App-V > Virtualization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization | +| Registry Value Name | ProcessesUsingVirtualComponents | +| ADMX File Name | appv.admx | + + + + - + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 8b7af20909..60530e3d4e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,202 +1,224 @@ --- -title: Policy CSP - AttachmentManager -description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local. +title: AttachmentManager Policy CSP +description: Learn more about the AttachmentManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/13/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AttachmentManager ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + +## DoNotPreserveZoneInformation -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -## AttachmentManager policies + +```User +./User/Vendor/MSFT/Policy/Config/AttachmentManager/DoNotPreserveZoneInformation +``` + -
    -
    - AttachmentManager/DoNotPreserveZoneInformation -
    -
    - AttachmentManager/HideZoneInfoMechanism -
    -
    - AttachmentManager/NotifyAntivirusPrograms -
    -
    + + +This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. - -
    - - -**AttachmentManager/DoNotPreserveZoneInformation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This feature requires NTFS in order to function correctly, and will fail without notice on FAT32. If the zone information is not preserved, Windows can't make proper risk assessments. - -If you enable this policy setting, Windows doesn't mark file attachments with their zone information. +If you enable this policy setting, Windows does not mark file attachments with their zone information. If you disable this policy setting, Windows marks file attachments with their zone information. -If you don't configure this policy setting, Windows marks file attachments with their zone information. +If you do not configure this policy setting, Windows marks file attachments with their zone information. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not preserve zone information in file attachments* -- GP name: *AM_MarkZoneOnSavedAtttachments* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AttachmentManager/HideZoneInfoMechanism** +| Name | Value | +|:--|:--| +| Name | AM_MarkZoneOnSavedAtttachments | +| Friendly Name | Do not preserve zone information in file attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| Registry Value Name | SaveZoneInformation | +| ADMX File Name | AttachmentManager.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## HideZoneInfoMechanism - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/AttachmentManager/HideZoneInfoMechanism +``` + -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. If you enable this policy setting, Windows hides the check box and Unblock button. If you disable this policy setting, Windows shows the check box and Unblock button. -If you don't configure this policy setting, Windows hides the check box and Unblock button. +If you do not configure this policy setting, Windows hides the check box and Unblock button. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide mechanisms to remove zone information* -- GP name: *AM_RemoveZoneInfo* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**AttachmentManager/NotifyAntivirusPrograms** +| Name | Value | +|:--|:--| +| Name | AM_RemoveZoneInfo | +| Friendly Name | Hide mechanisms to remove zone information | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| Registry Value Name | HideZoneInfoOnProperties | +| ADMX File Name | AttachmentManager.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## NotifyAntivirusPrograms - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/AttachmentManager/NotifyAntivirusPrograms +``` + -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, the subsequent calls would be redundant. + + +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. -If you disable this policy setting, Windows doesn't call the registered antivirus programs when file attachments are opened. +If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. -If you don't configure this policy setting, Windows doesn't call the registered antivirus programs when file attachments are opened. +If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Notify antivirus programs when opening attachments* -- GP name: *AM_CallIOfficeAntiVirus* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | AM_CallIOfficeAntiVirus | +| Friendly Name | Notify antivirus programs when opening attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| Registry Value Name | ScanWithAntiVirus | +| ADMX File Name | AttachmentManager.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 606753e8a9cd90021f2f842bf143f312ad29feff Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 13 Dec 2022 20:27:36 -0500 Subject: [PATCH 023/152] add **Examples**: --- .../mdm/policy-csp-applicationmanagement.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index dc202dce19..1f070e5704 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1091,7 +1091,7 @@ To ensure apps are up-to-date, this policy allows the admins to set a recurring -**Allowed values**: +https://github.com/vinaypamnani-msft/windows-docs-pr
    @@ -1139,9 +1139,11 @@ To ensure apps are up-to-date, this policy allows the admins to set a recurring > [!NOTE] > The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. -**Example**: + +**Examples**: + Sample SyncML: ```xml From d9fb36ddaf4b4f5c2b6958b11f6b3754f7a17abe Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 19 Dec 2022 16:44:21 -0800 Subject: [PATCH 024/152] add servicecontrolmanager csp --- .../mdm/policy-csp-servicecontrolmanager.md | 148 +++++++++--------- 1 file changed, 77 insertions(+), 71 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 0601509035..36b8570d34 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -1,100 +1,106 @@ --- -title: Policy CSP - ServiceControlManager -description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes. +title: ServiceControlManager Policy CSP +description: Learn more about the ServiceControlManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/19/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: Heidilohr -ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.topic: reference --- + + + # Policy CSP - ServiceControlManager -
    +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ServiceControlManager policies + + + -
    -
    - ServiceControlManager/SvchostProcessMitigation -
    -
    + +## SvchostProcessMitigation -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -**ServiceControlManager/SvchostProcessMitigation** + +```Device +./Device/Vendor/MSFT/Policy/Config/ServiceControlManager/SvchostProcessMitigation +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. -These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code. +This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code. + +If you disable or do not configure this policy setting, these stricter security settings will not be applied. + + + + + +If you enable this policy, it adds code integrity guard (CIG) and arbitrary code guard (ACG) enforcement and other process mitigation/code integrity policies to SVCHOST processes. > [!IMPORTANT] -> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software). +> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software. -If you disable or do not configure this policy setting, the stricter security settings will not be applied. + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Enable svchost.exe mitigation options* -- GP name: *SvchostProcessMitigationEnable* -- GP path: *System/Service Control Manager Settings/Security Settings* -- GP ADMX file name: *ServiceControlManager.admx* +**ADMX mapping**: - - -Supported values: -- Disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. -- Enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. - - +| Name | Value | +|:--|:--| +| Name | SvchostProcessMitigationEnable | +| Friendly Name | Enable svchost.exe mitigation options | +| Location | Computer Configuration | +| Path | System > Service Control Manager Settings > Security Settings | +| Registry Key Name | System\CurrentControlSet\Control\SCMConfig | +| Registry Value Name | EnableSvchostMitigationPolicy | +| ADMX File Name | ServiceControlManager.admx | + - - + + + - - -
    + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 3da3c572298df1a531acc8b81e0db9a86c08678e Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 19 Dec 2022 17:44:39 -0800 Subject: [PATCH 025/152] add security csp --- .../mdm/policy-csp-security.md | 849 ++++++++++-------- 1 file changed, 480 insertions(+), 369 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index f5585b9b4e..546441a436 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,515 +1,626 @@ --- -title: Policy CSP - Security -description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages. +title: Security Policy CSP +description: Learn more about the Security Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/19/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Security -
    + + + - -## Security policies + +## AllowAddProvisioningPackage -
    -
    - Security/AllowAddProvisioningPackage -
    -
    - Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices -
    -
    - Security/AllowRemoveProvisioningPackage -
    -
    - Security/ClearTPMIfNotReady -
    -
    - Security/ConfigureWindowsPasswords -
    -
    - Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices -
    -
    - Security/RecoveryEnvironmentAuthentication -
    -
    - Security/RequireDeviceEncryption -
    -
    - Security/RequireProvisioningPackageSignature -
    -
    - Security/RequireRetrieveHealthCertificateOnBoot -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AllowAddProvisioningPackage +``` + - -**Security/AllowAddProvisioningPackage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies whether to allow the runtime configuration agent to install provisioning packages. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowManualRootCertificateInstallation - > [!NOTE] -> -> - This policy is deprecated in Windows 10, version 1607. +> This policy is deprecated and may be removed in a future release. -Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AllowManualRootCertificateInstallation +``` + -- 0 – Not allowed. -- 1 (default) – Allowed. + + +This policy is deprecated. + - - + + + -
    + +**Description framework properties**: - -**Security/AllowRemoveProvisioningPackage** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowRemoveProvisioningPackage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AllowRemoveProvisioningPackage +``` + + + + Specifies whether to allow the runtime configuration agent to remove provisioning packages. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. -- 1 (default) – Allowed. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Security/ClearTPMIfNotReady** +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home||| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AntiTheftMode - -[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!NOTE] +> This policy is deprecated and may be removed in a future release. -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/AntiTheftMode +``` + - - + + +This policy is deprecated. + -Admin access is required. The prompt will appear on first admin logon after a reboot, when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. + + + - - -ADMX Info: -- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.* -- GP name: *ClearTPMIfNotReady_Name* -- GP path: *System/Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 (default) – Won't force recovery from a non-ready TPM state. -- 1 – Will prompt to clear the TPM, if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + -
    + + + - -**Security/ConfigureWindowsPasswords** + - + +## ClearTPMIfNotReady -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/ClearTPMIfNotReady +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -Configures the use of passwords for Windows features. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!Note] -> This policy is only supported in Windows 10 S. + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Will not force recovery from a non-ready TPM state. | +| 1 | Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. | + -- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features). -- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features). -- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords"). + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ClearTPMIfNotReady_Name | +| Friendly Name | Configure the system to clear the TPM if it is not in a ready state. | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| Registry Value Name | ClearTPMIfNotReadyGP | +| ADMX File Name | TPM.admx | + -
    + + + - -**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** + - + +## ConfigureWindowsPasswords -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/ConfigureWindowsPasswords +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Configures the use of passwords for Windows features + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + -Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. + +**Allowed values**: -Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. +| Value | Description | +|:--|:--| +| 0 | -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features) | +| 1 | Allow passwords (Passwords continue to be allowed to be used for Windows features) | +| 2 (Default) | as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords") | + - - -The following list shows the supported values: + + + -- 0 (default) – Encryption enabled. -- 1 – Encryption disabled. + - - + +## PreventAutomaticDeviceEncryptionForAzureADJoinedDevices -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -**Security/RecoveryEnvironmentAuthentication** + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices +``` + - + + +Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + - -
    +For more information, see [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -This policy controls the Admin Authentication requirement in RecoveryEnvironment. + +**Allowed values**: -Supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Encryption enabled. | +| 1 | Encryption disabled. | + -- 0 - Default: Keep using default(current) behavior. -- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment. -- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment. + + + - - + - - + +## RecoveryEnvironmentAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Security/RecoveryEnvironmentAuthentication +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RecoveryEnvironmentAuthentication +``` + + + + +This policy controls the requirement of Admin Authentication in RecoveryEnvironment. + + + + - - **Validation procedure** -The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. -The process of starting Push Button Reset (PBR) in WinRE: +To validate this policy, check whether Refresh ("Keep my files") and Reset ("Remove everything") require administraor authentication in Windows Recovery Environment (WinRE). -1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. -1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". +1. First, start Push Button Reset (PBR) in WinRE. Open a command prompt as an administrator and run the following command: `reagentc /boottore` +1. The device should restart to WinRE. In the WinRE interface, go to **Troubleshoot** and select **Reset this PC**. You should see two options: **Keep my files** and **Remove everything**. +1. Choose the option to **Keep my files**. View the behavior for authentication. +1. Select the back arrow and choose **Remove everything**. View the behavior for authentication. -If the MDM policy is set to "Default" (0) or doesn't exist, the admin authentication flow should work as default behavior: + Instead of going back, alternatively you can go through the reset options, and select **Cancel** on the final confirmation page. It will then return to the main WinRE interface. -1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. -1. Click "<-" (right arrow) button and choose "Remove everything", it shouldn't pop up admin authentication and just go to PBR options. +The following table shows what behavior is expected for the policy settings with each scenario: -If the MDM policy is set to "RequireAuthentication" (1) +- :heavy_check_mark: It prompts for authentication. +- :x: No authentication required, and it continues with the reset options. -1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. -1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication. +| Policy | **Keep my files** | **Remove everything** | +|--------------------------------|--------------------|-----------------------| +| Default (`0`) | :heavy_check_mark: | :x: | +| RequireAuthentication" (`1`) | :heavy_check_mark: | :heavy_check_mark: | +| NoRequireAuthentication" (`2`) | :x: | :x: | -If the MDM policy is set to "NoRequireAuthentication" (2) + -1. Start PBR in WinRE, choose "Keep my files", it shouldn't pop up admin authentication. -1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. -1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it shouldn't pop up admin authentication neither. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Security/RequireDeviceEncryption** +| Value | Description | +|:--|:--| +| 0 (Default) | current) behavior | +| 1 | RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment | +| 2 | NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## RequireDeviceEncryption - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption +``` + -
    + + +Allows enterprise to turn on internal storage encryption. Most restricted value is 1. - - -Allows enterprise to turn on internal storage encryption. +**Important**: If encryption has been enabled, it cannot be turned off by using this policy. + -Most restricted value is 1. + + + -> [!IMPORTANT] -> If encryption has been enabled, it cannot be turned off by using this policy. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) – Encryption isn't required. -- 1 – Encryption is required. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Encryption is not required. | +| 1 | Encryption is required. | + -
    + + + - -**Security/RequireProvisioningPackageSignature** + - + +## RequireProvisioningPackageSignature -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RequireProvisioningPackageSignature +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies whether provisioning packages must have a certificate signed by a device trusted authority. + - - -The following list shows the supported values: + + + -- 0 (default) – Not required. -- 1 – Required. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Security/RequireRetrieveHealthCertificateOnBoot** +| Value | Description | +|:--|:--| +| 0 (Default) | Not required. | +| 1 | Required. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## RequireRetrieveHealthCertificateOnBoot - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Security/RequireRetrieveHealthCertificateOnBoot +``` + -
    + + +Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. Setting this policy to 1 (Required):Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2. 0. Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. - - -Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS), when a device boots or reboots. +**Note**: We recommend that this policy is set to Required after MDM enrollment. Most restricted value is 1. + -Setting this policy to 1 (Required): + + + -- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. -- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. + +**Description framework properties**: -> [!NOTE] -> We recommend that this policy is set to Required after MDM enrollment. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Most restricted value is 1. + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Not required. | +| 1 | Required. | + -- 0 (default) – Not required. -- 1 – Required. + + + - - -
    + + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From c59cbbb1eb3a88f1996a71543058bcbea261db49 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 19 Dec 2022 18:13:56 -0800 Subject: [PATCH 026/152] add search csp --- .../mdm/policy-csp-search.md | 1663 ++++++++++------- 1 file changed, 949 insertions(+), 714 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index e6872c41dc..c3bd4ef159 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,856 +1,1091 @@ --- -title: Policy CSP - Search -description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. +title: Search Policy CSP +description: Learn more about the Search Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/19/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/12/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Search - -
    - - -## Search policies - -
    -
    - Search/AllowCloudSearch -
    -
    - Search/AllowCortanaInAAD -
    -
    - Search/AllowFindMyFiles -
    -
    - Search/AllowIndexingEncryptedStoresOrItems -
    -
    - Search/AllowSearchToUseLocation -
    -
    - Search/AllowSearchHighlights -
    -
    - Search/AllowStoringImagesFromVisionSearch -
    -
    - Search/AllowUsingDiacritics -
    -
    - Search/AllowWindowsIndexer -
    -
    - Search/AlwaysUseAutoLangDetection -
    -
    - Search/DisableBackoff -
    -
    - Search/DisableRemovableDriveIndexing -
    -
    - Search/DisableSearch -
    -
    - Search/DoNotUseWebResults -
    -
    - Search/PreventIndexingLowDiskSpaceMB -
    -
    - Search/PreventRemoteQueries -
    -
    - - -
    - - -**Search/AllowCloudSearch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allow Search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. - - - -ADMX Info: -- GP Friendly name: *Allow Cloud Search* -- GP name: *AllowCloudSearch* -- GP element: *AllowCloudSearch_Dropdown* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Search/AllowCortanaInAAD** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the cortana opt-in page during windows setup out of the box experience. - - - -ADMX Info: -- GP Friendly name: *Allow Cloud Search* -- GP name: *AllowCortanaInAAD* -- GP element: *AllowCloudSearch_Dropdown* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - - -This value is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an Azure Active Directory account. - - - - - -
    - - -**Search/AllowFindMyFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Controls if the user can configure search to Find My Files mode, which searches files in secondary hard drives and also outside of the user profile. Find My Files doesn't allow users to search files or locations to which they don't have access. - - - -ADMX Info: -- GP Friendly name: *Allow Find My Files* -- GP name: *AllowFindMyFiles* -- GP path: *Computer Configuration/Administrative Templates/Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 1 (Default) - Find My Files feature can be toggled (still off by default), and the settings UI is present. -- 0 - Find My Files feature is turned off completely, and the settings UI is disabled. - - - - - - - - - - -
    - - -**Search/AllowIndexingEncryptedStoresOrItems** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. - -When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes file path and date modified. - -When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps, if there are many WIP-protected media files on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow indexing of encrypted files* -- GP name: *AllowIndexingEncryptedStoresOrItems* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Search/AllowSearchToUseLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether search can use location information. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow search and Cortana to use location* -- GP name: *AllowSearchToUseLocation* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Search/AllowSearchHighlights** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls whether search highlights are shown in the search box or in search home. - -- If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home. -- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. - - - -ADMX Info: -- GP Friendly name: *Allow search and highlights* -- GP name: *AllowSearchHighlights* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* - - - -The following list shows the supported values in Windows 10: - -- 1 (default) - Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. -- 0 - Disabling this setting turns off search highlights in the taskbar search box and in search home. - -The following list shows the supported values in Windows 11: - -- 1 (default) - Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. -- 0 - Disabling this setting turns off search highlights in the start menu search box and in search home. - - - - -
    - - -**Search/AllowStoringImagesFromVisionSearch** - - + + + + + +## AllowCloudSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowCloudSearch +``` + + + + +Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCloudSearch | +| Friendly Name | Allow Cloud Search | +| Element Name | Cloud Search Setting | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowCortanaInAAD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowCortanaInAAD +``` + + + + +Allow the cortana opt-in page during windows setup out of the box experience + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. The Cortana consent page will not appear in AAD OOBE during setup. | +| 1 | Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCortanaInAAD | +| Friendly Name | Allow Cortana Page in OOBE on an AAD account | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowCortanaInAAD | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowFindMyFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowFindMyFiles +``` + + + + +This feature allows you to disable find my files completely on the machine + + + + + +This policy controls whether the user can configure search to *Find My Files* mode. This mode searches files in secondary hard drives and also outside of the user profile. Find My Files doesn't allow users to search files or locations to which they don't have access. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Find My Files feature can be toggled (still off by default), and the settings UI is present. | +| 0 | Find My Files feature is turned off completely, and the settings UI is disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFindMyFiles | +| Path | Search > AT > WindowsComponents > Search | + + + + + + + + + +## AllowIndexingEncryptedStoresOrItems + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowIndexingEncryptedStoresOrItems +``` + + + + +This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encrypted content. + +When this setting is enabled or disabled, the index is rebuilt completely. + +Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. + + + + + +When the policy is enabled, Windows Information Protection (WIP) protected items are indexed. The metadata about them are stored in an unencrypted location. The metadata includes file path and date modified. + +When the policy is disabled, the WIP protected items aren't indexed. The encrypted items don't show up in the results in Cortana or file explorer. Search performance may also be affected on photos and other media apps, if there are many WIP-protected media files on the device. + +The most restrictive value is `0` to not allow indexing of encrypted items. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowIndexingEncryptedStoresOrItems | +| Friendly Name | Allow indexing of encrypted files | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowIndexingEncryptedStoresOrItems | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowSearchHighlights + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowSearchHighlights +``` + + + + +Disabling this setting turns off search highlights in the start menu search box and in search home. Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. + + + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabling this setting turns off search highlights in search home, and the taskbar search box (Windows 10) or the Start menu search box (Windows 11). | +| 1 (Default) | Enabling or not configuring this setting turns on search highlights in search home, and the taskbar search box (Windows 10) or the Start menu search box (Windows 11). | + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchHighlights | +| Friendly Name | Allow search highlights | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | EnableDynamicContentInWSB | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowSearchToUseLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowSearchToUseLocation +``` + + + + +This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. + +If this is enabled, search and Cortana can access location information. + + + + + +The most restrictive value is `0` to not allow search to use location. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchToUseLocation | +| Friendly Name | Allow search and Cortana to use location | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowSearchToUseLocation | +| ADMX File Name | Search.admx | + + + + + + + + + +## AllowStoringImagesFromVisionSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowStoringImagesFromVisionSearch +``` + + + + This policy has been deprecated. + - - + + + -
    + +**Description framework properties**: - -**Search/AllowUsingDiacritics** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowUsingDiacritics -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -Allows the use of diacritics. + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowUsingDiacritics +``` + -Most restricted value is 0. + + +This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setting, words that only differ in diacritics are treated as different words. If you disable this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by default. If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. - - -ADMX Info: -- GP Friendly name: *Allow use of diacritics* -- GP name: *AllowUsingDiacritics* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* +**Note**: By default, the Control Panel setting is set to treat words that differ only because of diacritics as the same word. + - - -The following list shows the supported values: + + -- 0 – Not allowed. -- 1 (default) – Allowed. +The most restrictive value is `0` to not allow the use of diacritics. - - + -
    + +**Description framework properties**: - -**Search/AllowWindowsIndexer** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | AllowUsingDiacritics | +| Friendly Name | Allow use of diacritics | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowUsingDiacritics | +| ADMX File Name | Search.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Allow Windows indexer. Supported value type is integer. + +## AllowWindowsIndexer - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AllowWindowsIndexer +``` + - -**Search/AlwaysUseAutoLangDetection** + + +Allow Windows indexer. Value type is integer. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-3]` | +| Default Value | 3 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AlwaysUseAutoLangDetection - - -Specifies whether to always use automatic language detection when indexing content and properties. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -Most restricted value is 0. + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/AlwaysUseAutoLangDetection +``` + - - -ADMX Info: -- GP Friendly name: *Always use automatic language detection when indexing content and properties* -- GP name: *AlwaysUseAutoLangDetection* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + +This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. If you enable this policy setting, Windows will always use automatic language detection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this policy setting only on PCs where documents are stored in many languages. If you disable or do not configure this policy setting, Windows will use automatic language detection only when it can determine the language of a document with high confidence. + - - -The following list shows the supported values: + + -- 0 – Not allowed. -- 1 (default) – Allowed. +The most restrictive value is `0` to now allow automatic language detection. - - + -
    + +**Description framework properties**: - -**Search/DisableBackoff** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | AlwaysUseAutoLangDetection | +| Friendly Name | Always use automatic language detection when indexing content and properties | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AlwaysUseAutoLangDetection | +| ADMX File Name | Search.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## DisableBackoff + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DisableBackoff +``` + + + + If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. + - - -ADMX Info: -- GP Friendly name: *Disable indexer backoff* -- GP name: *DisableBackoff* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disable. -- 1 – Enable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. | +| 1 | Enable. | + - -**Search/DisableRemovableDriveIndexing** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableBackoff | +| Friendly Name | Disable indexer backoff | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | DisableBackoff | +| ADMX File Name | Search.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRemovableDriveIndexing -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DisableRemovableDriveIndexing +``` + - - + + This policy setting configures whether or not locations on removable drives can be added to libraries. -If you enable this policy setting, locations on removable drives can't be added to libraries. In addition, locations on removable drives can't be indexed. +If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. -If you disable or don't configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. +If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. + - - -ADMX Info: -- GP Friendly name: *Do not allow locations on removable drives to be added to libraries* -- GP name: *DisableRemovableDriveIndexing* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disable. -- 1 – Enable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disable. | +| 1 | Enable. | + - -**Search/DisableSearch** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRemovableDriveIndexing | +| Friendly Name | Do not allow locations on removable drives to be added to libraries | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | DisableRemovableDriveIndexing | +| ADMX File Name | Search.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSearch -> [!div class = "checklist"] -> * Device -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - -This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures. + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DisableSearch +``` + -It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box. + + +If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar button will also be hidden. - - -ADMX Info: +If you disable or don't configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown. + -- GP Friendly name: *Fully disable Search UI* -- GP name: *DisableSearch* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Do not disable search. -- 1 – Disable search. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Do not disable. | +| 1 | Disable. | + - -**Search/DoNotUseWebResults** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSearch | +| Friendly Name | Fully disable Search UI | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | DisableSearch | +| ADMX File Name | Search.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotUseWebResults -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/DoNotUseWebResults +``` + - - -Don't search the web or display web results in Search, or show search highlights in the search box or in search home. + + +This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. -This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home. +If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. -- If you enable this policy setting, queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. +If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. -- If you disable this policy setting, queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. +If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search. + - - -ADMX Info: -- GP Friendly name: *Don't search the web or display web results in Search* -- GP name: *DoNotUseWebResults* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 - Not allowed. Queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. -- 1 (default) - Allowed. Queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. Queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. | +| 1 (Default) | Allowed. Queries will be performed on the web and web results will be displayed when a user performs a query in Search. | + - -**Search/PreventIndexingLowDiskSpaceMB** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DoNotUseWebResults | +| Friendly Name | Don't search the web or display web results in Search | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | ConnectedSearchUseWeb | +| ADMX File Name | Search.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventIndexingLowDiskSpaceMB -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/PreventIndexingLowDiskSpaceMB +``` + - - -Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. + + +Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. -Enable this policy, if computers in your environment have limited hard drive space. +Enable this policy if computers in your environment have extremely limited hard drive space. When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + - - -ADMX Info: -- GP Friendly name: *Stop indexing in the event of limited hard drive space* -- GP name: *StopIndexingOnLimitedHardDriveSpace* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Disable. -- 1 (default) – Enable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disable. | +| 1 (Default) | Enable. | + - -**Search/PreventRemoteQueries** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | StopIndexingOnLimitedHardDriveSpace | +| Friendly Name | Stop indexing in the event of limited hard drive space | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| ADMX File Name | Search.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventRemoteQueries -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/PreventRemoteQueries +``` + - - -If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index. + + +If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. Default is disabled. + - - -ADMX Info: -- GP Friendly name: *Prevent clients from querying the index remotely* -- GP name: *PreventRemoteQueries* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Disable. -- 1 (default) – Enable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disable. | +| 1 (Default) | Enable. | + + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventRemoteQueries | +| Friendly Name | Prevent clients from querying the index remotely | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | PreventRemoteQueries | +| ADMX File Name | Search.admx | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + +## SafeSearchPermissions + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Search/SafeSearchPermissions +``` + + + + +This policy is deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable | +| 0 | Disable | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 39dfa51e5c00515261ecfcf7f4def4208c75810b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 19 Dec 2022 18:35:27 -0800 Subject: [PATCH 027/152] add restrictedgroups csp --- .../mdm/policy-csp-restrictedgroups.md | 190 +++++++++++------- 1 file changed, 117 insertions(+), 73 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 7606c9d786..f4da38dfdc 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -1,74 +1,63 @@ --- -title: Policy CSP - RestrictedGroups -description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. +title: RestrictedGroups Policy CSP +description: Learn more about the RestrictedGroups Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/19/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 04/07/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RestrictedGroups + + + > [!IMPORTANT] -> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy, to configure members (users or Azure Active Directory groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups. +> +> Don't apply both policies to the same device, it's unsupported and may yield unpredictable results. + -
    + +## ConfigureGroupMembership - -## RestrictedGroups policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    -
    - RestrictedGroups/ConfigureGroupMembership -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership +``` + - -
    - - -**RestrictedGroups/ConfigureGroupMembership** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. - -For example, you can create a Restricted Groups policy to allow only specified users. Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group, and all other members will be removed. + + +This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. > [!CAUTION] -> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: +> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. + + + + + +> [!CAUTION] +> You can't remove the built-in Administrator account from the built-in Administrators group. If you try to remove it, the command fails with the following error: > > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------| -> | 0x55b (Hex)
    1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | +> | `0x55b` (Hex)
    `1371` (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group, and should be used with caution. @@ -108,13 +97,67 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and ``` - - + - - + +**Description framework properties**: -Here's an example: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML + +```xml + + + + + + + + + + + + Restricted Group Member + + + + + + + + + + + + + + + Restricted Group + + + + + + +``` + +
    + + + + + +**Example**: ```xml @@ -129,39 +172,40 @@ Here's an example: ``` -where: +Descriptions of the properties: - `` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in AD or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `` contains the members to add to the group in ``. A member can be specified as a name or as a SID. For best results, use a SID for ``. The member SID can be a user account or a group in Active Directory, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group. > [!NOTE] -> Currently, the RestrictedGroups/ConfigureGroupMembership policy does not have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in the previous example. +> Currently, the RestrictedGroups/ConfigureGroupMembership policy doesn't have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in this example. - - + -### Policy timeline + -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic. + + + +**Policy timeline**: + +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. The following table describes how this policy setting behaves in different Windows 10 versions: | Windows 10 version | Policy behavior | | ------------------ | --------------- | |Windows 10, version 1803 | Added this policy setting.
    XML accepts group and member only by name.
    Supports configuring the administrators group using the group name.
    Expects member name to be in the account name format. | -| Windows 10, version 1809
    Windows 10, version 1903
    Windows 10, version 1909 | Supports configuring any local group.
    `` accepts only name.
    `` accepts a name or an SID.
    This is useful when you want to ensure a certain local group always has a well-known SID as member. | -| Windows 10, version 2004 | Behaves as described in this topic.
    Accepts name or SID for group and members and translates as appropriate.| +| Windows 10, version 1809
    Windows 10, version 1903
    Windows 10, version 1909 | Supports configuring any local group.
    `` accepts only name.
    `` accepts a name or a SID.
    This behavior is useful when you want to make sure a certain local group always has a well-known SID as member. | +| Windows 10, version 2004 | Behaves as described in this article.
    Accepts name or SID for group and members and translates as appropriate.| + - - -
    + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 2c0420939999747f89c6e41b6e508ed7272c86d2 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 10:15:15 -0800 Subject: [PATCH 028/152] add remoteshell csp --- .../mdm/policy-csp-remoteshell.md | 587 ++++++++++-------- 1 file changed, 326 insertions(+), 261 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index dcb0d50872..857bea7950 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,131 +1,109 @@ --- -title: Policy CSP - RemoteShell -description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells. +title: RemoteShell Policy CSP +description: Learn more about the RemoteShell Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteShell -
    - - -## RemoteShell policies - -
    -
    - RemoteShell/AllowRemoteShellAccess -
    -
    - RemoteShell/MaxConcurrentUsers -
    -
    - RemoteShell/SpecifyIdleTimeout -
    -
    - RemoteShell/SpecifyMaxMemory -
    -
    - RemoteShell/SpecifyMaxProcesses -
    -
    - RemoteShell/SpecifyMaxRemoteShells -
    -
    - RemoteShell/SpecifyShellTimeout -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteShell/AllowRemoteShellAccess** + +## AllowRemoteShellAccess - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/AllowRemoteShellAccess +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures access to remote shells. If you enable or do not configure this policy setting, new remote shell connections are accepted by the server. If you set this policy to ‘disabled’, new remote shell connections are rejected by the server. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Remote Shell Access* -- GP name: *AllowRemoteShellAccess* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteShell/MaxConcurrentUsers** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowRemoteShellAccess | +| Friendly Name | Allow Remote Shell Access | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| Registry Value Name | AllowRemoteShellAccess | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MaxConcurrentUsers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/MaxConcurrentUsers +``` + - - + + This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system. The value can be any number from 1 to 100. @@ -133,97 +111,121 @@ The value can be any number from 1 to 100. If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. If you disable or do not configure this policy setting, the default number is five users. + - + + + - -ADMX Info: -- GP Friendly name: *MaxConcurrentUsers* -- GP name: *MaxConcurrentUsers* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteShell/SpecifyIdleTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxConcurrentUsers | +| Friendly Name | MaxConcurrentUsers | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyIdleTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyIdleTimeout +``` + - - -This policy setting configures the maximum time in milliseconds, and remote shell will stay open without any user activity until it is automatically deleted. + + +This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted. Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values. If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell. If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used. + - + + + - -ADMX Info: -- GP Friendly name: *Specify idle Timeout* -- GP name: *IdleTimeout* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteShell/SpecifyMaxMemory** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IdleTimeout | +| Friendly Name | Specify idle Timeout | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaxMemory -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxMemory +``` + - - + + This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes. Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory. @@ -231,161 +233,224 @@ Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, whic If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota. If you disable or do not configure this policy setting, the value 150 is used by default. + - + + + - -ADMX Info: -- GP Friendly name: *Specify maximum amount of memory in MB per Shell* -- GP name: *MaxMemoryPerShellMB* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteShell/SpecifyMaxProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxMemoryPerShellMB | +| Friendly Name | Specify maximum amount of memory in MB per Shell | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaxProcesses -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxProcesses +``` + - - + + This policy setting configures the maximum number of processes a remote shell is allowed to launch. If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. If you disable or do not configure this policy setting, the limit is five processes per shell. + - + + + - -ADMX Info: -- GP Friendly name: *Specify maximum number of processes per Shell* -- GP name: *MaxProcessesPerShell* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteShell/SpecifyMaxRemoteShells** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxProcessesPerShell | +| Friendly Name | Specify maximum number of processes per Shell | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaxRemoteShells -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyMaxRemoteShells +``` + - - -This policy setting configures the maximum number of concurrent shells and any user can remotely open on the same system. + + +This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system. -Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of shells. +Any number from 0 to 0x7FFFFFFF cand be set, where 0 means unlimited number of shells. If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. + - + + + - -ADMX Info: -- GP Friendly name: *Specify maximum number of remote shells per user* -- GP name: *MaxShellsPerUser* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteShell/SpecifyShellTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxShellsPerUser | +| Friendly Name | Specify maximum number of remote shells per user | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyShellTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteShell/SpecifyShellTimeout +``` + - - + + This policy setting is deprecated and has no effect when set to any state: Enabled, Disabled, or Not Configured. + - + + + - -ADMX Info: -- GP Friendly name: *Specify Shell Timeout* -- GP name: *ShellTimeOut* -- GP path: *Windows Components/Windows Remote Shell* -- GP ADMX file name: *WindowsRemoteShell.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | ShellTimeOut | +| Friendly Name | Specify Shell Timeout | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Shell | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service\WinRS | +| ADMX File Name | WindowsRemoteShell.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 821e1ad1a7c8c35b227fee60a0f4063a36e3d489 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 11:41:34 -0800 Subject: [PATCH 029/152] add rpc csp --- .../mdm/policy-csp-remoteprocedurecall.md | 266 ++++++++++-------- 1 file changed, 142 insertions(+), 124 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 2b7d68dc7e..07cf2525c0 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,155 +1,173 @@ --- -title: Policy CSP - RemoteProcedureCall -description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information. +title: RemoteProcedureCall Policy CSP +description: Learn more about the RemoteProcedureCall Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteProcedureCall -
    - - -## RemoteProcedureCall policies - -
    -
    - RemoteProcedureCall/RPCEndpointMapperClientAuthentication -
    -
    - RemoteProcedureCall/RestrictUnauthenticatedRPCClients -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** + +## RestrictUnauthenticatedRPCClients - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteProcedureCall/RestrictUnauthenticatedRPCClients +``` + - -
    + + +This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service, when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. - -If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. - -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service. - -> [!NOTE] -> This policy won't be applied until the system is rebooted. - - - - -ADMX Info: -- GP Friendly name: *Enable RPC Endpoint Mapper Client Authentication* -- GP name: *RpcEnableAuthEpResolution* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* - - - - -
    - - -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls, how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. - -This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. +This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. -If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client, and the value of "None" used for Server SKUs that support this policy setting. +If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. +If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. +-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. +-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. +-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. -> [!NOTE] -> This policy setting won't be applied until the system is rebooted. +Note: This policy setting will not be applied until the system is rebooted. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict Unauthenticated RPC clients* -- GP name: *RpcRestrictRemoteClients* -- GP path: *System/Remote Procedure Call* -- GP ADMX file name: *rpc.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RpcRestrictRemoteClients | +| Friendly Name | Restrict Unauthenticated RPC clients | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + + + + + + + + + +## RPCEndpointMapperClientAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteProcedureCall/RPCEndpointMapperClientAuthentication +``` + + + + +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. + +If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. + +If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +Note: This policy will not be applied until the system is rebooted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RpcEnableAuthEpResolution | +| Friendly Name | Enable RPC Endpoint Mapper Client Authentication | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| Registry Value Name | EnableAuthEpResolution | +| ADMX File Name | RPC.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 9113ea0c8fba541d2ec80ed46e187803bc5f39dc Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 12:01:13 -0800 Subject: [PATCH 030/152] add remotemanagement csp --- .../mdm/policy-csp-remotemanagement.md | 1249 +++++++++-------- 1 file changed, 700 insertions(+), 549 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 357f2c463f..18ae30618b 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,307 +1,300 @@ --- -title: Policy CSP - RemoteManagement -description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. +title: RemoteManagement Policy CSP +description: Learn more about the RemoteManagement Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteManagement -
    - - -## RemoteManagement policies - -
    -
    - RemoteManagement/AllowBasicAuthentication_Client -
    -
    - RemoteManagement/AllowBasicAuthentication_Service -
    -
    - RemoteManagement/AllowCredSSPAuthenticationClient -
    -
    - RemoteManagement/AllowCredSSPAuthenticationService -
    -
    - RemoteManagement/AllowRemoteServerManagement -
    -
    - RemoteManagement/AllowUnencryptedTraffic_Client -
    -
    - RemoteManagement/AllowUnencryptedTraffic_Service -
    -
    - RemoteManagement/DisallowDigestAuthentication -
    -
    - RemoteManagement/DisallowNegotiateAuthenticationClient -
    -
    - RemoteManagement/DisallowNegotiateAuthenticationService -
    -
    - RemoteManagement/DisallowStoringOfRunAsCredentials -
    -
    - RemoteManagement/SpecifyChannelBindingTokenHardeningLevel -
    -
    - RemoteManagement/TrustedHosts -
    -
    - RemoteManagement/TurnOnCompatibilityHTTPListener -
    -
    - RemoteManagement/TurnOnCompatibilityHTTPSListener -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteManagement/AllowBasicAuthentication_Client** + +## AllowBasicAuthentication_Client - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. -If you disable or don't configure this policy setting, the WinRM client doesn't use Basic authentication. +If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Basic authentication* -- GP name: *AllowBasic_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/AllowBasicAuthentication_Service** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowBasic | +| Friendly Name | Allow Basic authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowBasic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowBasicAuthentication_Service -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Service +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. -If you disable or don't configure this policy setting, the WinRM service doesn't accept Basic authentication from a remote client. +If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. + - + + + - -ADMX Info: -- GP Friendly name: *Allow Basic authentication* -- GP name: *AllowBasic_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/AllowCredSSPAuthenticationClient** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowBasic | +| Friendly Name | Allow Basic authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowBasic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowCredSSPAuthenticationClient -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowCredSSPAuthenticationClient +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication. If you enable this policy setting, the WinRM client uses CredSSP authentication. -If you disable or don't configure this policy setting, the WinRM client doesn't use CredSSP authentication. +If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Allow CredSSP authentication* -- GP name: *AllowCredSSP_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/AllowCredSSPAuthenticationService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCredSSP | +| Friendly Name | Allow CredSSP authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowCredSSP | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowCredSSPAuthenticationService -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowCredSSPAuthenticationService +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. -If you disable or don't configure this policy setting, the WinRM service doesn't accept CredSSP authentication from a remote client. +If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. + - + + + - -ADMX Info: -- GP Friendly name: *Allow CredSSP authentication* -- GP name: *AllowCredSSP_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/AllowRemoteServerManagement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCredSSP | +| Friendly Name | Allow CredSSP authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowCredSSP | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowRemoteServerManagement -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowRemoteServerManagement +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). -If you disable or don't configure this policy setting, the WinRM service won't respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. +If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. -You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service doesn't listen on any addresses. +You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. @@ -309,508 +302,666 @@ Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated usi Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 + - + + + - -ADMX Info: -- GP Friendly name: *Allow remote server management through WinRM* -- GP name: *AllowAutoConfig* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/AllowUnencryptedTraffic_Client** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowAutoConfig | +| Friendly Name | Allow remote server management through WinRM | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowAutoConfig | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowUnencryptedTraffic_Client -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowUnencryptedTraffic_Client +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. + - + + + - -ADMX Info: -- GP Friendly name: *Allow unencrypted traffic* -- GP name: *AllowUnencrypted_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/AllowUnencryptedTraffic_Service** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowUnencrypted | +| Friendly Name | Allow unencrypted traffic | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowUnencryptedTraffic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowUnencryptedTraffic_Service -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowUnencryptedTraffic_Service +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or don't configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. + - + + + - -ADMX Info: -- GP Friendly name: *Allow unencrypted traffic* -- GP name: *AllowUnencrypted_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/DisallowDigestAuthentication** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowUnencrypted | +| Friendly Name | Allow unencrypted traffic | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowUnencryptedTraffic | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowDigestAuthentication -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowDigestAuthentication +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. -If you enable this policy setting, the WinRM client doesn't use Digest authentication. +If you enable this policy setting, the WinRM client does not use Digest authentication. -If you disable or don't configure this policy setting, the WinRM client uses Digest authentication. +If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow Digest authentication* -- GP name: *DisallowDigest* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/DisallowNegotiateAuthenticationClient** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowDigest | +| Friendly Name | Disallow Digest authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowDigest | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowNegotiateAuthenticationClient -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowNegotiateAuthenticationClient +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication. -If you enable this policy setting, the WinRM client doesn't use Negotiate authentication. +If you enable this policy setting, the WinRM client does not use Negotiate authentication. -If you disable or don't configure this policy setting, the WinRM client uses Negotiate authentication. +If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow Negotiate authentication* -- GP name: *DisallowNegotiate_2* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/DisallowNegotiateAuthenticationService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowNegotiate | +| Friendly Name | Disallow Negotiate authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowNegotiate | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowNegotiateAuthenticationService -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowNegotiateAuthenticationService +``` + - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client. -If you enable this policy setting, the WinRM service doesn't accept Negotiate authentication from a remote client. +If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client. -If you disable or don't configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. +If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow Negotiate authentication* -- GP name: *DisallowNegotiate_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/DisallowStoringOfRunAsCredentials** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowNegotiate | +| Friendly Name | Disallow Negotiate authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowNegotiate | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowStoringOfRunAsCredentials -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/DisallowStoringOfRunAsCredentials +``` + - - -This policy setting allows you to manage whether the Windows Remote Management (WinRM) service won't allow RunAs credentials to be stored for any plug-ins. + + +This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. -If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. +If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. -If you disable or don't configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. +If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. -If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset. +If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow WinRM from storing RunAs credentials* -- GP name: *DisableRunAs* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRunAs | +| Friendly Name | Disallow WinRM from storing RunAs credentials | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | DisableRunAs | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyChannelBindingTokenHardeningLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/SpecifyChannelBindingTokenHardeningLevel +``` + - - -This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service regarding channel binding tokens. + + +This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. -If you disable or don't configure this policy setting, you can configure the hardening level locally on each computer. +If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer. If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected. -If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that doesn't contain a channel binding token is accepted (though it isn't protected from credential-forwarding attacks). +If HardeningLevel is set to Relaxed (default value), any request containing an invalid channel binding token is rejected. However, a request that does not contain a channel binding token is accepted (though it is not protected from credential-forwarding attacks). -If HardeningLevel is set to None, all requests are accepted (though they aren't protected from credential-forwarding attacks). +If HardeningLevel is set to None, all requests are accepted (though they are not protected from credential-forwarding attacks). + - + + + - -ADMX Info: -- GP Friendly name: *Specify channel binding token hardening level* -- GP name: *CBTHardeningLevel_1* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/TrustedHosts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CBTHardeningLevel | +| Friendly Name | Specify channel binding token hardening level | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | CBTHardeningLevelStatus | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedHosts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TrustedHosts +``` + - - -This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. + + +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. -If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host. +If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host. -If you disable or don't configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. +If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. + - + + + - -ADMX Info: -- GP Friendly name: *Trusted Hosts* -- GP name: *TrustedHosts* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/TurnOnCompatibilityHTTPListener** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TrustedHosts | +| Friendly Name | Trusted Hosts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | TrustedHosts | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOnCompatibilityHTTPListener -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TurnOnCompatibilityHTTPListener +``` + - - + + This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. If you enable this policy setting, the HTTP listener always appears. -If you disable or don't configure this policy setting, the HTTP listener never appears. +If you disable or do not configure this policy setting, the HTTP listener never appears. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. A listener might be automatically created on port 80 to ensure backward compatibility. + - + + + - -ADMX Info: -- GP Friendly name: *Turn On Compatibility HTTP Listener* -- GP name: *HttpCompatibilityListener* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteManagement/TurnOnCompatibilityHTTPSListener** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HttpCompatibilityListener | +| Friendly Name | Turn On Compatibility HTTP Listener | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | HttpCompatibilityListener | +| ADMX File Name | WindowsRemoteManagement.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOnCompatibilityHTTPSListener -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteManagement/TurnOnCompatibilityHTTPSListener +``` + - - + + This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. If you enable this policy setting, the HTTPS listener always appears. -If you disable or don't configure this policy setting, the HTTPS listener never appears. +If you disable or do not configure this policy setting, the HTTPS listener never appears. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. A listener might be automatically created on port 443 to ensure backward compatibility. + - + + + - -ADMX Info: -- GP Friendly name: *Turn On Compatibility HTTPS Listener* -- GP name: *HttpsCompatibilityListener* -- GP path: *Windows Components/Windows Remote Management (WinRM)/WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | HttpsCompatibilityListener | +| Friendly Name | Turn On Compatibility HTTPS Listener | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | HttpsCompatibilityListener | +| ADMX File Name | WindowsRemoteManagement.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From b87428f5579dac9cfc46aef6da51f4109abe3a62 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 12:41:21 -0800 Subject: [PATCH 031/152] add remotedesktopservices csp --- .../mdm/policy-csp-remotedesktopservices.md | 629 ++++++++++-------- 1 file changed, 348 insertions(+), 281 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 20e9afc122..b3089679b1 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,423 +1,490 @@ --- -title: Policy CSP - RemoteDesktopServices -description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services. +title: RemoteDesktopServices Policy CSP +description: Learn more about the RemoteDesktopServices Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteDesktopServices -
    - - -## RemoteDesktopServices policies - -
    -
    - RemoteDesktopServices/AllowUsersToConnectRemotely -
    -
    - RemoteDesktopServices/ClientConnectionEncryptionLevel -
    -
    - RemoteDesktopServices/DoNotAllowDriveRedirection -
    -
    - RemoteDesktopServices/DoNotAllowPasswordSaving -
    -
    -
    - RemoteDesktopServices/DoNotAllowWebAuthnRedirection -
    - RemoteDesktopServices/PromptForPasswordUponConnection - -
    - RemoteDesktopServices/RequireSecureRPCCommunication -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteDesktopServices/AllowUsersToConnectRemotely** + +## AllowUsersToConnectRemotely - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/AllowUsersToConnectRemotely +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. -If you disable this policy setting, users can't connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but won't accept any new incoming connections. +If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. -If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed. +If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. -> [!NOTE] -> You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. +Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. + - + + + - -ADMX Info: -- GP Friendly name: *Allow users to connect remotely by using Remote Desktop Services* -- GP name: *TS_DISABLE_CONNECTIONS* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteDesktopServices/ClientConnectionEncryptionLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_DISABLE_CONNECTIONS | +| Friendly Name | Allow users to connect remotely by using Remote Desktop Services | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClientConnectionEncryptionLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel +``` + - - -Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. + + +Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that don't support this encryption level can't connect to RD Session Host servers. +* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that don't support 128-bit encryption. +* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption. * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. -If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy. +If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. -> [!IMPORTANT] -> FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level, when communications between clients and RD Session Host servers requires the highest level of encryption. +Important - +FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. + - -ADMX Info: -- GP Friendly name: *Set client connection encryption level* -- GP name: *TS_ENCRYPTION_POLICY* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**RemoteDesktopServices/DoNotAllowDriveRedirection** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_ENCRYPTION_POLICY | +| Friendly Name | Set client connection encryption level | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DoNotAllowDriveRedirection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection +``` + + + + This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format `` on ``. You can use this policy setting to override this behavior. -If you enable this policy setting, client drive redirection isn't allowed in Remote Desktop Services sessions, and Clipboard file copy redirection isn't allowed on computers running Windows Server 2019 and Windows 10. +If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later). If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. -If you don't configure this policy setting, client drive redirection and Clipboard file copy redirection aren't specified at the Group Policy level. +If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow drive redirection* -- GP name: *TS_CLIENT_DRIVE_M* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteDesktopServices/DoNotAllowPasswordSaving** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DRIVE_M | +| Friendly Name | Do not allow drive redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCdm | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowPasswordSaving -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowPasswordSaving +``` + - - + + Controls whether passwords can be saved on this computer from Remote Desktop Connection. -If you enable this setting, the password-saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves their settings, any password that previously existed in the RDP file will be deleted. +If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteDesktopServices/DoNotAllowWebAuthnRedirection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING | +| Friendly Name | Do not allow passwords to be saved | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DisablePasswordSaving | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowWebAuthnRedirection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowWebAuthnRedirection +``` + - - -This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). + + +This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). By default, Remote Desktop allows redirection of WebAuthn requests. -If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session. +If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. + -If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session. - + + + - -ADMX Info: -- GP Friendly name: *Do not allow WebAuthn redirection* -- GP name: *TS_WEBAUTHN* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteDesktopServices/PromptForPasswordUponConnection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_WEBAUTHN | +| Friendly Name | Do not allow WebAuthn redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableWebAuthn | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PromptForPasswordUponConnection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection +``` + - - + + This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. -By default, Remote Desktop Services allows users to automatically sign in by entering a password in the Remote Desktop Connection client. +By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. -If you enable this policy setting, users can't automatically sign in to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They're prompted for a password to sign in. +If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. -If you disable this policy setting, users can always sign in to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. +If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. -If you don't configure this policy setting, automatic logon isn't specified at the Group Policy level. +If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Always prompt for password upon connection* -- GP name: *TS_PASSWORD* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteDesktopServices/RequireSecureRPCCommunication** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_PASSWORD | +| Friendly Name | Always prompt for password upon connection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fPromptForPassword | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequireSecureRPCCommunication -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication +``` + - - + + Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and doesn't allow unsecured communication with untrusted clients. +If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that don't respond to the request. +If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. If the status is set to Not Configured, unsecured communication is allowed. -> [!NOTE] -> The RPC interface is used for administering and configuring Remote Desktop Services. +Note: The RPC interface is used for administering and configuring Remote Desktop Services. + - + + + - -ADMX Info: -- GP Friendly name: *Require secure RPC communication* -- GP name: *TS_RPC_ENCRYPTION* -- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* -- GP ADMX file name: *terminalserver.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RPC_ENCRYPTION | +| Friendly Name | Require secure RPC communication | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEncryptRPCTraffic | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From e8617233dd02213d2b14cc5a36348171088ff666 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 12:48:57 -0800 Subject: [PATCH 032/152] add remotedesktop csp --- .../mdm/policy-csp-remotedesktop.md | 183 ++++++++++-------- 1 file changed, 103 insertions(+), 80 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 364443eae5..6a4a8f629e 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,119 +1,142 @@ --- -title: Policy CSP - RemoteDesktop -description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display. +title: RemoteDesktop Policy CSP +description: Learn more about the RemoteDesktop Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteDesktop -
    + + + - -## RemoteDesktop policies -> [!Warning] -> Some information relates to prerelease products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +## LoadAadCredKeyFromProfile -
    -
    - RemoteDesktop/AutoSubscription -
    -
    - RemoteDesktop/LoadAadCredKeyFromProfile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktop/LoadAadCredKeyFromProfile +``` + - -**RemoteDesktop/AutoSubscription** + + +Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs. - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + -This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. + + + - + - + +## AutoSubscription -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1370] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1370] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1370] and later
    :heavy_check_mark: Windows 10, version 21H2 [10.0.19044.1370] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**RemoteDesktop/LoadAadCredKeyFromProfile** + +```User +./User/Vendor/MSFT/Policy/Config/RemoteDesktop/AutoSubscription +``` + - + + +Controls the list of URLs that the user should be auto-subscribed to + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + - -
    +This policy lets you enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the client uses the specified URL to subscribe the signed-in user and retrieve the remote resources assigned to them. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/overview) in the Azure public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. -> [!div class = "checklist"] -> * Device + -
    + +**Description framework properties**: - - -This policy allows the user to load the DPAPI cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + - + +**Group policy mapping**: - -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AutoSubscription | +| Friendly Name | Enable auto-subscription | +| Location | User Configuration | +| Path | AutoSubscription | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AutoSubscription | +| ADMX File Name | TerminalServer.admx | + -- 0 (default) - Disabled. -- 1 - Enabled. + + + - + - + + + -
    + +## Related articles - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 2b38bb1e0fb60ffc6fbc855b87855f9f6f0ed678 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 12:52:47 -0800 Subject: [PATCH 033/152] add remoteassistance csp --- .../mdm/policy-csp-remoteassistance.md | 410 ++++++++++-------- 1 file changed, 225 insertions(+), 185 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 28e5beb835..ac016afb26 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -1,289 +1,329 @@ --- -title: Policy CSP - RemoteAssistance -description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display. +title: RemoteAssistance Policy CSP +description: Learn more about the RemoteAssistance Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - RemoteAssistance -
    - - -## RemoteAssistance policies - -
    -
    - RemoteAssistance/CustomizeWarningMessages -
    -
    - RemoteAssistance/SessionLogging -
    -
    - RemoteAssistance/SolicitedRemoteAssistance -
    -
    - RemoteAssistance/UnsolicitedRemoteAssistance -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**RemoteAssistance/CustomizeWarningMessages** + +## CustomizeWarningMessages - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/CustomizeWarningMessages +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you customize warning messages. -The "Display warning message before sharing control" policy setting allows you to specify a custom message, to display before users share control of their computers. +The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. -The "Display warning message before connecting" policy setting allows you to specify a custom message, to display before users allow a connection to their computers. +The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. If you disable this policy setting, the user sees the default warning message. -If you don't configure this policy setting, the user sees the default warning message. +If you do not configure this policy setting, the user sees the default warning message. + - + + + - -ADMX Info: -- GP Friendly name: *Customize warning messages* -- GP name: *RA_Options* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteAssistance/SessionLogging** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Options | +| Friendly Name | Customize warning messages | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseCustomMessages | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SessionLogging -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SessionLogging +``` + - - + + This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. If you enable this policy setting, log files are generated. -If you disable this policy setting, log files aren't generated. +If you disable this policy setting, log files are not generated. -If you don't configure this setting, application-based settings are used. +If you do not configure this setting, application-based settings are used. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on session logging* -- GP name: *RA_Logging* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteAssistance/SolicitedRemoteAssistance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Logging | +| Friendly Name | Turn on session logging | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | LoggingEnabled | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SolicitedRemoteAssistance -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance +``` + - - + + This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure more Remote Assistance settings. +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. -If you disable this policy setting, users on this computer can't use email or file transfer to ask someone for help. Also, users can't use instant messaging programs to allow connections to this computer. +If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. -If you don't configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. +If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. -The "Select the method for sending email invitations" setting specifies which email standard to use, to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista, since SMAPI is the only method supported. +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. -If you enable this policy setting, you should also enable appropriate firewall exceptions to allow Remote Assistance communications. +If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Solicited Remote Assistance* -- GP name: *RA_Solicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**RemoteAssistance/UnsolicitedRemoteAssistance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Solicit | +| Friendly Name | Configure Solicited Remote Assistance | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fAllowToGetHelp | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## UnsolicitedRemoteAssistance -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance +``` + - - + + This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you disable this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you don't configure this policy setting, users on this computer can't get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: -`\` or +``\\`` or -`\` +``\\`` -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you're running. +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. Windows Vista and later Enable the Remote Assistance exception for the domain profile. The exception must contain: - -- Port 135:TCP -- %WINDIR%\System32\msra.exe -- %WINDIR%\System32\raserver.exe +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) -- Port 135:TCP -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -- %WINDIR%\System32\Sessmgr.exe +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe For computers running Windows Server 2003 with Service Pack 1 (SP1) -- Port 135:TCP -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -- Allow Remote Desktop Exception +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + - + + + - -ADMX Info: -- GP Friendly name: *Configure Offer Remote Assistance* -- GP name: *RA_Unsolicit* -- GP path: *System/Remote Assistance* -- GP ADMX file name: *remoteassistance.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RA_Unsolicit | +| Friendly Name | Configure Offer Remote Assistance | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fAllowUnsolicited | +| ADMX File Name | RemoteAssistance.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 7f95f2c44d0522c51e922d1946b3e0d25ac8a37f Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 13:42:31 -0800 Subject: [PATCH 034/152] add privacy csp --- .../mdm/policy-csp-privacy.md | 8309 ++++++++++------- 1 file changed, 4712 insertions(+), 3597 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 124dfb9fc1..e3eda63ea8 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,4418 +1,5533 @@ --- -title: Policy CSP - Privacy -description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. +title: Privacy Policy CSP +description: Learn more about the Privacy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Privacy + + + -
    + +## AllowAutoAcceptPairingAndPrivacyConsentPrompts - -## Privacy policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    -
    - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
    -
    - Privacy/AllowCrossDeviceClipboard -
    -
    - Privacy/AllowInputPersonalization -
    -
    - Privacy/DisableAdvertisingId -
    -
    - Privacy/DisablePrivacyExperience -
    -
    - Privacy/EnableActivityFeed -
    -
    - Privacy/LetAppsAccessAccountInfo -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCalendar -
    -
    - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory -
    -
    - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessCamera -
    -
    - Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessContacts -
    -
    - Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessEmail -
    -
    - Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput -
    -
    - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessLocation -
    -
    - Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMessaging -
    -
    - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone -
    -
    - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessMotion -
    -
    - Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessNotifications -
    -
    - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessPhone -
    -
    - Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessRadios -
    -
    - Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTasks -
    -
    - Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsActivateWithVoice -
    -
    - Privacy/LetAppsActivateWithVoiceAboveLock -
    -
    - Privacy/LetAppsGetDiagnosticInfo -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
    -
    - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsRunInBackground -
    -
    - Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
    -
    - Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
    -
    - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices -
    -
    - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
    -
    - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
    -
    - Privacy/PublishUserActivities -
    -
    - Privacy/UploadUserActivities -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +``` + - -
    - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. -> [!NOTE] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. +**Note**: There were issues reported with the previous release of this policy and a fix was Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + + +## AllowCrossDeviceClipboard -Most restricted value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/AllowCrossDeviceClipboard +``` + -- 0 (default)– Not allowed. -- 1 – Allowed. + + +This policy setting determines whether Clipboard contents can be synchronized across devices. +If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. +If you disable this policy setting, Clipboard contents cannot be shared to other devices. +Policy change takes effect immediately. + - - + + -
    +Most restrictive value is `0` to not allow cross-device clipboard. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCrossDeviceClipboard | +| Friendly Name | Allow Clipboard synchronization across devices | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowCrossDeviceClipboard | +| ADMX File Name | OSPolicy.admx | + + + + + + + + + +## AllowInputPersonalization + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/AllowInputPersonalization +``` + + + + +This policy specifies whether users on the device have the option to enable online speech recognition services. + +If this policy is enabled or not configured, control is deferred to users, and users may choose whether to enable speech services via settings. + +If this policy is disabled, speech services will be disabled, and users cannot enable speech services via settings. + + + + + +Updated in Windows 10, version 1809. + +When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft uses voice input to help improve speech services. + +The most restrictive value is `0` to not allow speech services. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Choice deferred to user's preference. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowInputPersonalization | +| Friendly Name | Allow users to enable online speech recognition services | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\InputPersonalization | +| Registry Value Name | AllowInputPersonalization | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## DisableAdvertisingId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/DisableAdvertisingId +``` + + + + +This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. - -**Privacy/AllowCrossDeviceClipboard** +If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. + +If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps. + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow Clipboard synchronization across devices* -- GP name: *AllowCrossDeviceClipboard* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -0 – Not allowed. -1 (default) – Allowed. - - - - -
    - - -**Privacy/AllowInputPersonalization** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Allow input personalization* -- GP name: *AllowInputPersonalization* -- GP path: *Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Choice deferred to user's preference. - - - - -
    - - -**Privacy/DisableAdvertisingId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enables or disables the Advertising ID. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off the advertising ID* -- GP name: *DisableAdvertisingId* -- GP path: *System/User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - - - - -
    - - -**Privacy/DisablePrivacyExperience** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - -Supported value type is integer. - -- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. -- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. - -In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. - - - -ADMX Info: -- GP Friendly name: *Don't launch privacy settings experience on user logon* -- GP name: *DisablePrivacyExperience* -- GP path: *Windows Components/OOBE* -- GP ADMX file name: *OOBE.admx* - - - - - - - - - - - - - -
    - - -**Privacy/EnableActivityFeed** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to allow Apps/OS to publish to the activity feed. - - - -ADMX Info: -- GP Friendly name: *Enables Activity Feed* -- GP name: *EnableActivityFeed* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled (not published to the cloud). -- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether Windows apps can access account information. - -Most restricted value is 2. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 | Enabled. | +| 65535 (Default) | Not configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAdvertisingId | +| Friendly Name | Turn off the advertising ID | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\AdvertisingInfo | +| Registry Value Name | DisabledByGroupPolicy | +| ADMX File Name | UserProfiles.admx | + + + + + + + + + +## DisablePrivacyExperience + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Privacy/DisablePrivacyExperience +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/DisablePrivacyExperience +``` + + + + +When logging into a new user account for the first time or after an upgrade in some scenarios, that user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this policy to prevent this experience from launching. + +If this policy is enabled, the privacy experience will not launch for newly-created user accounts or for accounts that would have been prompted to choose their privacy settings after an upgrade. + +If this policy is disabled or not configured, then the privacy experience may launch for newly-created user accounts or for accounts that should be prompted to choose their privacy settings after an upgrade. + + + + + +In some managed environments, the privacy settings may be set by other policies. In this case, enable this policy to not show a screen for users to change these privacy settings. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow the 'choose privacy settings for your device' screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. | +| 1 | Do not allow the 'choose privacy settings for your device' screen when a new user logs in or an existing user logs in for the first time after an upgrade. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisablePrivacyExperience | +| Friendly Name | Don't launch privacy settings experience on user logon | +| Location | Computer and User Configuration | +| Path | Windows Components > OOBE | +| Registry Key Name | Software\Policies\Microsoft\Windows\OOBE | +| Registry Value Name | DisablePrivacyExperience | +| ADMX File Name | OOBE.admx | + + + + + + + + + +## EnableActivityFeed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/EnableActivityFeed +``` + + + + +This policy setting determines whether ActivityFeed is enabled. +If you enable this policy setting, all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the user. +If you disable this policy setting, activities can't be published and ActivityFeed shall disable cloud sync. +Policy change takes effect immediately. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). | +| 1 (Default) | Enabled. Apps/OS can publish the activities and will be roamed across device graph. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableActivityFeed | +| Friendly Name | Enables Activity Feed | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableActivityFeed | +| ADMX File Name | OSPolicy.admx | + + + + + + + + + +## LetAppsAccessAccountInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo +``` + + + + +This policy setting specifies whether Windows apps can access account information. + + + + + +The most restrictive value is `2` to deny apps access to account information. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessAccountInfo_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessAccountInfo_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessAccountInfo_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessBackgroundSpatialPerception** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessAccountInfo | +| Friendly Name | Let Windows apps access account information | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessBackgroundSpatialPerception -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception +``` + + + + +This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. + + + + - - > [!NOTE] -> Currently, this policy is supported only in HoloLens 2. +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). -Specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. + -Supported value type is integer. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Allowed values**: -- 0 (default) – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - - + + + -
    + - -**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps** + +## LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> Currently, this policy is supported only in HoloLens 2. + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps +``` + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + -Supported value type is chr. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - - - - -
    - - -**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> Currently, this policy is supported only in HoloLens 2. +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + + + + + + + +## LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + -Supported value type is chr. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - - - - -
    - - -**Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - > [!NOTE] -> Currently, this policy is supported only in HoloLens 2. +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). -List of semi-colon delimited Package Family Names of Windows Store Apps. -The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + -Supported value type is chr. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access background spatial perception* -- GP name: *LetAppsAccessBackgroundSpatialPerception* -- GP element: *LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - + + + - - + -
    + +## LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - -**Privacy/LetAppsAccessCalendar** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. + - -
    + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!NOTE] +> Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). -> [!div class = "checklist"] -> * Device + -
    + +**Description framework properties**: - - -Specifies whether Windows apps can access the calendar. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -Most restricted value is 2. + + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + - - -The following list shows the supported values: + +## LetAppsAccessCalendar -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar +``` + -
    + + +This policy setting specifies whether Windows apps can access the calendar. + - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + - +The most restrictive value is `2` to deny apps access to the calendar. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessCalendar_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCalendar_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCalendar_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCallHistory** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCalendar | +| Friendly Name | Let Windows apps access the calendar | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory +``` + - - -Specifies whether Windows apps can access call history. + + +This policy setting specifies whether Windows apps can access call history. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to call history. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessCallHistory_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCallHistory_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCamera** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCallHistory | +| Friendly Name | Let Windows apps access call history | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCameras -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera +``` + - - -Specifies whether Windows apps can access the camera. + + +This policy setting specifies whether Windows apps can access the camera. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to the camera. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessCamera_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCamera_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessCamera_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessContacts** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCamera | +| Friendly Name | Let Windows apps access the camera | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts +``` + - - -Specifies whether Windows apps can access contacts. + + +This policy setting specifies whether Windows apps can access contacts. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to contacts. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessContacts_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessContacts_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessEmail** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessContacts | +| Friendly Name | Let Windows apps access contacts | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail +``` + - - -Specifies whether Windows apps can access email. + + +This policy setting specifies whether Windows apps can access email. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to email. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessEmail_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessEmail_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessGazeInput** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessEmail | +| Friendly Name | Let Windows apps access email | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessGazeInput -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput +``` + - - + + This policy setting specifies whether Windows apps can access the eye tracker. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGazeInput_ForceAllowTheseApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps +``` + -
    - - - + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGazeInput_ForceDenyTheseApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps +``` + -
    - - - + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGazeInput_UserInControlOfTheseApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps +``` + -
    - - - + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + - - + + + -
    + +**Description framework properties**: - -**Privacy/LetAppsAccessLocation** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## LetAppsAccessGraphicsCaptureProgrammatic - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic +``` + -
    + + +This policy setting specifies whether Windows apps can use screen capture on arbitrary windows or displays. + - - -Specifies whether Windows apps can access location. + + + -Most restricted value is 2. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - - -The following list shows the supported values: + +**Group policy mapping**: -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - - + + + -
    + - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + +## LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps +``` + - -
    + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to use screen capture on arbitrary windows or displays. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the use of screen capture on arbitrary windows or displays. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the programmatic screen capture setting for the listed apps. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureProgrammatic | +| Friendly Name | Let Windows apps take screenshots of various windows or displays | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder +``` + + + + +This policy setting specifies whether Windows apps can disable the screen capture border. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to disable the screen capture border. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied configuration access to the screen capture border. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the screen capture border privacy setting for the listed apps. This setting overrides the default LetAppsAccessGraphicsCaptureWithoutBorder policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessGraphicsCaptureWithoutBorder | +| Friendly Name | Let Windows apps turn off the screenshot border | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation +``` + + + + +This policy setting specifies whether Windows apps can access location. + + + + + +The most restrictive value is `2` to deny apps access to the device's location. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsAccessLocation_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessLocation_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessLocation_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMessaging** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessLocation | +| Friendly Name | Let Windows apps access location | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging +``` + - - -Specifies whether Windows apps can read or send messages (text or MMS). + + +This policy setting specifies whether Windows apps can read or send messages (text or MMS). + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to messaging. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessMessaging_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMessaging_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMicrophone** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMessaging | +| Friendly Name | Let Windows apps access messaging | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone +``` + - - -Specifies whether Windows apps can access the microphone. + + +This policy setting specifies whether Windows apps can access the microphone. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to the microphone. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessMicrophone_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMicrophone_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMotion** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMicrophone | +| Friendly Name | Let Windows apps access the microphone | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion +``` + - - -Specifies whether Windows apps can access motion data. + + +This policy setting specifies whether Windows apps can access motion data. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to motion data. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessMotion_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessMotion_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessNotifications** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessMotion | +| Friendly Name | Let Windows apps access motion | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications +``` + - - -Specifies whether Windows apps can access notifications. + + +This policy setting specifies whether Windows apps can access notifications. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to notifications. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessNotifications_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessNotifications_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessPhone** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessNotifications | +| Friendly Name | Let Windows apps access notifications | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone +``` + - - -Specifies whether Windows apps can make phone calls. + + +This policy setting specifies whether Windows apps can make phone calls + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to make phone calls. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessPhone_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessPhone_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessRadios** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessPhone | +| Friendly Name | Let Windows apps make phone calls | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios +``` + - - -Specifies whether Windows apps have access to control radios. + + +This policy setting specifies whether Windows apps have access to control radios. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access to control radios. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessRadios_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessRadios_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTasks** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessRadios | +| Friendly Name | Let Windows apps control radios | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks +``` + - - -Specifies whether Windows apps can access tasks. + + +This policy setting specifies whether Windows apps can access tasks. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2]` | +| Default Value | 0 | + - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks_ForceAllowTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_ForceAllowTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTasks_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTrustedDevices** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTasks | +| Friendly Name | Let Windows apps access Tasks | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices +``` + - - -Specifies whether Windows apps can access trusted devices. + + +This policy setting specifies whether Windows apps can access trusted devices. + -Most restricted value is 2. + + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* +The most restrictive value is `2` to deny apps access trusted devices. - - -The following list shows the supported values: + -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LetAppsAccessTrustedDevices_ForceAllowTheseApps -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +``` + + + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices_ForceDenyTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LetAppsAccessTrustedDevices_UserInControlOfTheseApps -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +``` + - - + + List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsActivateWithVoice** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies if Windows apps can be activated by voice. - - - -ADMX Info: -- GP Friendly name: *Allow voice activation* -- GP name: *LetAppsActivateWithVoice* -- GP element: *LetAppsActivateWithVoice_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 (default) – User in control. Users can decide if Windows apps can be activated by voice using Settings > Privacy options on the device. -- 1 – Force allow. Windows apps can be activated by voice and users cannot change it. -- 2 - Force deny. Windows apps cannot be activated by voice and users cannot change it. - - - - -
    - - -**Privacy/LetAppsActivateWithVoiceAboveLock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies if Windows apps can be activated by voice while the screen is locked. - - - -ADMX Info: -- GP Friendly name: *Allow voice activation above locked screen* -- GP name: *LetAppsActivateWithVoiceAboveLock* -- GP element: *LetAppsActivateWithVoiceAboveLock_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 (default) – User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device. -- 1 – Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it. -- 2 - Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it. - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - -Most restricted value is 2. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether Windows apps can run in the background. - -Most restricted value is 2. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsAccessTrustedDevices | +| Friendly Name | Let Windows apps access trusted devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsActivateWithVoice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsActivateWithVoice +``` + + + + +This policy setting specifies whether Windows apps can be activated by voice. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. Users can decide if Windows apps can be activated by voice using Settings > Privacy options on the device. | +| 1 | Force allow. Windows apps can be activated by voice and users cannot change it. | +| 2 | Force deny. Windows apps cannot be activated by voice and users cannot change it. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsActivateWithVoice | +| Friendly Name | Let Windows apps activate with voice | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsActivateWithVoiceAboveLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsActivateWithVoiceAboveLock +``` + + + + +This policy setting specifies whether Windows apps can be activated by voice while the system is locked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device. | +| 1 | Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it. | +| 2 | Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsActivateWithVoiceAboveLock | +| Friendly Name | Let Windows apps activate with voice while the system is locked | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsGetDiagnosticInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo +``` + + + + +This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. + + + + + +The most restrictive value is `2` to deny apps access to diagnostic data. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsGetDiagnosticInfo | +| Friendly Name | Let Windows apps access diagnostic information about other apps | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsGetDiagnosticInfo_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsGetDiagnosticInfo | +| Friendly Name | Let Windows apps access diagnostic information about other apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsGetDiagnosticInfo_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsGetDiagnosticInfo | +| Friendly Name | Let Windows apps access diagnostic information about other apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsGetDiagnosticInfo | +| Friendly Name | Let Windows apps access diagnostic information about other apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsRunInBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground +``` + + + + +This policy setting specifies whether Windows apps can run in the background. + + + + + +The most restrictive value is `2` to deny apps from running in the background. > [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability, to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsSyncWithDevices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether Windows apps can sync with devices. - -Most restricted value is 2. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
    - - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP Friendly name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
    - - -**Privacy/PublishUserActivities** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows IT Admins to enable publishing of user activities to the activity feed. - - - -ADMX Info: -- GP Friendly name: *Allow publishing of User Activities* -- GP name: *PublishUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the *user activities*. -- 1 – (default) Enabled. Apps/OS can publish the *user activities*. - - - - -
    - - -**Privacy/UploadUserActivities** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows ActivityFeed to upload published 'User Activities'. - - - -ADMX Info: -- GP Friendly name: *Allow upload of User Activities* -- GP name: *UploadUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +> Be careful when you determine which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. If you turn off background activity for these types of apps, it could cause text message, email, and voicemail notifications to not function. This policy could also cause background email syncing to not function properly. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | . | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsRunInBackground | +| Friendly Name | Let Windows apps run in the background | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsRunInBackground_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_ForceAllowTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsRunInBackground | +| Friendly Name | Let Windows apps run in the background | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsRunInBackground_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsRunInBackground | +| Friendly Name | Let Windows apps run in the background | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsRunInBackground_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsRunInBackground | +| Friendly Name | Let Windows apps run in the background | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsSyncWithDevices + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices +``` + + + + +This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. + + + + + +The most restrictive value is `2` to deny apps syncing with devices. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User in control. | +| 1 | Force allow. | +| 2 | Force deny. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsSyncWithDevices | +| Friendly Name | Let Windows apps communicate with unpaired devices | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsSyncWithDevices_ForceAllowTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsSyncWithDevices | +| Friendly Name | Let Windows apps communicate with unpaired devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsSyncWithDevices_ForceDenyTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsSyncWithDevices | +| Friendly Name | Let Windows apps communicate with unpaired devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## LetAppsSyncWithDevices_UserInControlOfTheseApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +``` + + + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LetAppsSyncWithDevices | +| Friendly Name | Let Windows apps communicate with unpaired devices | +| Location | Computer Configuration | +| Path | Windows Components > App Privacy | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy | +| ADMX File Name | AppPrivacy.admx | + + + + + + + + + +## PublishUserActivities + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/PublishUserActivities +``` + + + + +This policy setting determines whether User Activities can be published. +If you enable this policy setting, activities of type User Activity are allowed to be published. +If you disable this policy setting, activities of type User Activity are not allowed to be published. +Policy change takes effect immediately. + + + + + +For more information, see [Windows activity history and your privacy](https://support.microsoft.com/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd). + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. Apps/OS can't publish the user activities. | +| 1 (Default) | Enabled. Apps/OS can publish the user activities. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PublishUserActivities | +| Friendly Name | Allow publishing of User Activities | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | PublishUserActivities | +| ADMX File Name | OSPolicy.admx | + + + + + + + + + +## UploadUserActivities + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Privacy/UploadUserActivities +``` + + + + +This policy setting determines whether published User Activities can be uploaded. +If you enable this policy setting, activities of type User Activity are allowed to be uploaded. +If you disable this policy setting, activities of type User Activity are not allowed to be uploaded. +Deletion of activities of type User Activity are independent of this setting. +Policy change takes effect immediately. + + + + + +For more information, see [Windows activity history and your privacy](https://support.microsoft.com/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd). + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UploadUserActivities | +| Friendly Name | Allow upload of User Activities | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | UploadUserActivities | +| ADMX File Name | OSPolicy.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From c1d2e8f6d49499f37e830701ce318580cbe867b3 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 14:25:44 -0800 Subject: [PATCH 035/152] add power csp --- .../client-management/mdm/policy-csp-power.md | 2310 +++++++++-------- 1 file changed, 1184 insertions(+), 1126 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 03b40b79a6..3853306b49 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,1379 +1,1437 @@ --- -title: Policy CSP - Power -description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. +title: Power Policy CSP +description: Learn more about the Power Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Power -
    - - - -## Power policies - -
    -
    - Power/AllowHibernate -
    -
    - Power/AllowStandbyStatesWhenSleepingOnBattery -
    -
    - Power/AllowStandbyWhenSleepingPluggedIn -
    -
    - Power/DisplayOffTimeoutOnBattery -
    -
    - Power/DisplayOffTimeoutPluggedIn -
    -
    - Power/EnergySaverBatteryThresholdOnBattery -
    -
    - Power/EnergySaverBatteryThresholdPluggedIn -
    -
    - Power/HibernateTimeoutOnBattery -
    -
    - Power/HibernateTimeoutPluggedIn -
    -
    - Power/RequirePasswordWhenComputerWakesOnBattery -
    -
    - Power/RequirePasswordWhenComputerWakesPluggedIn -
    -
    - Power/SelectLidCloseActionOnBattery -
    -
    - Power/SelectLidCloseActionPluggedIn -
    -
    - Power/SelectPowerButtonActionOnBattery -
    -
    - Power/SelectPowerButtonActionPluggedIn -
    -
    - Power/SelectSleepButtonActionOnBattery -
    -
    - Power/SelectSleepButtonActionPluggedIn -
    -
    - Power/StandbyTimeoutOnBattery -
    -
    - Power/StandbyTimeoutPluggedIn -
    -
    - Power/TurnOffHybridSleepOnBattery -
    -
    - Power/TurnOffHybridSleepPluggedIn -
    -
    - Power/UnattendedSleepTimeoutOnBattery -
    -
    - Power/UnattendedSleepTimeoutPluggedIn -
    -
    - > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowHibernate - -**Power/AllowHibernate** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProNoYes
    BusinessNoYes
    EnterpriseNoYes
    EducationNoYes
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate +``` + - -
    + + +This policy setting decides if hibernate on the machine is allowed or not. Supported values: 0 – Disable hibernate. 1 (default) - Allow hibernate. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Disable hibernate. | +| 1 (Default) | Allow hibernate. | + - -ADMX Info: -- GP Friendly name: *Decides if hibernate on the machine is allowed or not* -- GP name: *AllowHibernate* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - + -
    + +## AllowStandbyStatesWhenSleepingOnBattery - -**Power/AllowStandbyStatesWhenSleepingOnBattery** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyStatesWhenSleepingOnBattery +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or don't configure this policy setting, Windows uses standby states to put the computer in a sleep state. +If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) aren't allowed. +If you disable this policy setting, standby states (S1-S3) are not allowed. + - + + + - -ADMX Info: -- GP Friendly name: *Allow standby states (S1-S3) when sleeping (on battery)* -- GP name: *AllowStandbyStatesDC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/AllowStandbyWhenSleepingPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowStandbyStatesDC | +| Friendly Name | Allow standby states (S1-S3) when sleeping (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowStandbyWhenSleepingPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyWhenSleepingPluggedIn +``` + - - + + This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or don't configure this policy setting, Windows uses standby states to put the computer in a sleep state. +If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) aren't allowed. +If you disable this policy setting, standby states (S1-S3) are not allowed. + - + + + - -ADMX Info: -- GP Friendly name: *Allow standby states (S1-S3) when sleeping (plugged in)* -- GP name: *AllowStandbyStatesAC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/DisplayOffTimeoutOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowStandbyStatesAC | +| Friendly Name | Allow standby states (S1-S3) when sleeping (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + -Added to HoloLens 2 in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2). + - -
    + +## DisplayOffTimeoutOnBattery - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/DisplayOffTimeoutOnBattery +``` + -
    - - - + + This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display (on battery)* -- GP name: *VideoPowerDownTimeOutDC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/DisplayOffTimeoutPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VideoPowerDownTimeOutDC | +| Friendly Name | Turn off the display (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisplayOffTimeoutPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/DisplayOffTimeoutPluggedIn +``` + - - + + This policy setting allows you to specify the period of inactivity before Windows turns off the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display (plugged in)* -- GP name: *VideoPowerDownTimeOutAC_2* -- GP path: *System/Power Management/Video and Display Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/EnergySaverBatteryThresholdOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VideoPowerDownTimeOutAC | +| Friendly Name | Turn off the display (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnergySaverBatteryThresholdOnBattery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/EnergySaverBatteryThresholdOnBattery +``` + - - + + +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. + -This policy setting allows you to specify battery charge level at which Energy Saver is turned on. + + + -If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + +**Description framework properties**: -If you disable or don't configure this policy setting, users control this setting. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Energy Saver Battery Threshold (on battery)* -- GP name: *EsBattThresholdDC* -- GP element: *EnterEsBattThreshold* -- GP path: *System/Power Management/Energy Saver Settings* -- GP ADMX file name: *power.admx* + +**Group policy mapping**: - - -Supported values: 0-100. The default is 70. - - +| Name | Value | +|:--|:--| +| Name | EsBattThresholdDC | +| Friendly Name | Energy Saver Battery Threshold (on battery) | +| Element Name | Energy Saver Battery Threshold (percent) | +| Location | Computer Configuration | +| Path | System > Power Management > Energy Saver Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD4 | +| ADMX File Name | Power.admx | + - - + + + - - + -
    + +## EnergySaverBatteryThresholdPluggedIn - -**Power/EnergySaverBatteryThresholdPluggedIn** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/EnergySaverBatteryThresholdPluggedIn +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - - -This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +| Name | Value | +|:--|:--| +| Name | EsBattThresholdAC | +| Friendly Name | Energy Saver Battery Threshold (plugged in) | +| Element Name | Energy Saver Battery Threshold (percent) | +| Location | Computer Configuration | +| Path | System > Power Management > Energy Saver Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD4 | +| ADMX File Name | Power.admx | + -If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level. + + + -If you disable or don't configure this policy setting, users control this setting. + - - -ADMX Info: -- GP Friendly name: *Energy Saver Battery Threshold (plugged in)* -- GP name: *EsBattThresholdAC* -- GP element: *EnterEsBattThreshold* -- GP path: *System/Power Management/Energy Saver Settings* -- GP ADMX file name: *power.admx* + +## HibernateTimeoutOnBattery - - -Supported values: 0-100. The default is 70. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutOnBattery +``` + - - - -
    - - -**Power/HibernateTimeoutOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system hibernate timeout (on battery)* -- GP name: *DCHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/HibernateTimeoutPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCHibernateTimeOut | +| Friendly Name | Specify the system hibernate timeout (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364 | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HibernateTimeoutPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn +``` + - - + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system hibernate timeout (plugged in)* -- GP name: *ACHibernateTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/RequirePasswordWhenComputerWakesOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACHibernateTimeOut | +| Friendly Name | Specify the system hibernate timeout (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364 | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequirePasswordWhenComputerWakesOnBattery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesOnBattery +``` + - - + + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or don't configure this policy setting, the user is prompted for a password when the system resumes from sleep. +If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. -If you disable this policy setting, the user isn't prompted for a password when the system resumes from sleep. +If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + - + + + - -ADMX Info: -- GP Friendly name: *Require a password when a computer wakes (on battery)* -- GP name: *DCPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/RequirePasswordWhenComputerWakesPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCPromptForPasswordOnResume | +| Friendly Name | Require a password when a computer wakes (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequirePasswordWhenComputerWakesPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesPluggedIn +``` + - - + + This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or don't configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user isn't prompted for a password when the system resumes from sleep. - - - - -ADMX Info: -- GP Friendly name: *Require a password when a computer wakes (plugged in)* -- GP name: *ACPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -
    - - -**Power/SelectLidCloseActionOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the lid switch action (on battery)* -- GP name: *DCSystemLidAction_2* -- GP element: *SelectDCSystemLidAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported lid close switch actions (on battery): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectLidCloseActionPluggedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the lid switch action (plugged in)* -- GP name: *ACSystemLidAction_2* -- GP element: *SelectACSystemLidAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported lid close switch actions (plugged in): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectPowerButtonActionOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Power button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Power button action (on battery)* -- GP name: *DCPowerButtonAction_2* -- GP element: *SelectDCPowerButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Power button actions (on battery): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectPowerButtonActionPluggedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Power button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Power button action (plugged in)* -- GP name: *ACPowerButtonAction_2* -- GP element: *SelectACPowerButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Power button actions (plugged in): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectSleepButtonActionOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Sleep button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Sleep button action (on battery)* -- GP name: *DCSleepButtonAction_2* -- GP element: *SelectDCSleepButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Sleep button actions (on battery): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/SelectSleepButtonActionPluggedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the action that Windows takes when a user presses the Sleep button. - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or don't configure it, users can see and change this setting. - - - -ADMX Info: -- GP Friendly name: *Select the Sleep button action (plugged in)* -- GP name: *ACSleepButtonAction_2* -- GP element: *SelectACSleepButtonAction* -- GP path: *System/Power Management/Button Settings* -- GP ADMX file name: *power.admx* - - - - -The following are the supported Sleep button actions (plugged in): -- 0 - Take no action -- 1 - Sleep -- 2 - System hibernate sleep state -- 3 - System shutdown - - - - - - - - - - -
    - - -**Power/StandbyTimeoutOnBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. + +If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ACPromptForPasswordOnResume | +| Friendly Name | Require a password when a computer wakes (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectLidCloseActionOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectLidCloseActionOnBattery +``` + + + + +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action | +| 1 (Default) | Sleep | +| 2 | System hibernate sleep state | +| 3 | System shutdown | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DCSystemLidAction_2 | +| Friendly Name | Select the lid switch action (on battery) | +| Element Name | Lid Switch Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectLidCloseActionPluggedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectLidCloseActionPluggedIn +``` + + + + +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action | +| 1 (Default) | Sleep | +| 2 | System hibernate sleep state | +| 3 | System shutdown | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ACSystemLidAction_2 | +| Friendly Name | Select the lid switch action (plugged in) | +| Element Name | Lid Switch Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectPowerButtonActionOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectPowerButtonActionOnBattery +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action | +| 1 (Default) | Sleep | +| 2 | System hibernate sleep state | +| 3 | System shutdown | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DCPowerButtonAction_2 | +| Friendly Name | Select the Power button action (on battery) | +| Element Name | Power Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectPowerButtonActionPluggedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectPowerButtonActionPluggedIn +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action | +| 1 (Default) | Sleep | +| 2 | System hibernate sleep state | +| 3 | System shutdown | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ACPowerButtonAction_2 | +| Friendly Name | Select the Power button action (plugged in) | +| Element Name | Power Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280 | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectSleepButtonActionOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectSleepButtonActionOnBattery +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action | +| 1 (Default) | Sleep | +| 2 | System hibernate sleep state | +| 3 | System shutdown | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DCSleepButtonAction_2 | +| Friendly Name | Select the Sleep button action (on battery) | +| Element Name | Sleep Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9EB | +| ADMX File Name | Power.admx | + + + + + + + + + +## SelectSleepButtonActionPluggedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/SelectSleepButtonActionPluggedIn +``` + + + + +This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Take no action | +| 1 (Default) | Sleep | +| 2 | System hibernate sleep state | +| 3 | System shutdown | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ACSleepButtonAction_2 | +| Friendly Name | Select the Sleep button action (plugged in) | +| Element Name | Sleep Button Action | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9EB | +| ADMX File Name | Power.admx | + + + + + + + + + +## StandbyTimeoutOnBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutOnBattery +``` + + + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system sleep timeout (on battery)* -- GP name: *DCStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/StandbyTimeoutPluggedIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCStandbyTimeOut | +| Friendly Name | Specify the system sleep timeout (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## StandbyTimeoutPluggedIn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn +``` + - - + + This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the system sleep timeout (plugged in)* -- GP name: *ACStandbyTimeOut_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Power/TurnOffHybridSleepOnBattery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACStandbyTimeOut | +| Friendly Name | Specify the system sleep timeout (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44DA | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffHybridSleepOnBattery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/TurnOffHybridSleepOnBattery +``` + - - + + This policy setting allows you to turn off hybrid sleep. -If you set this policy setting to 0, a hiberfile isn't generated when the system transitions to sleep (Stand By). +If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). -If you set this policy setting to 1 or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - - -ADMX Info: -- GP Friendly name: *Turn off hybrid sleep (on battery)* -- GP name: *DCStandbyWithHiberfileEnable_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - + +**Description framework properties**: -The following are the supported values for Hybrid sleep (on battery): -- 0 - no hibernation file for sleep (default). -- 1 - hybrid sleep. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | | +| 1 | hybrid sleep | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DCStandbyWithHiberfileEnable_2 | +| Friendly Name | Turn off hybrid sleep (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + - -**Power/TurnOffHybridSleepPluggedIn** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TurnOffHybridSleepPluggedIn - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/TurnOffHybridSleepPluggedIn +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off hybrid sleep. -If you set this policy setting to 0, a hiberfile isn't generated when the system transitions to sleep (Stand By). +If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). -If you set this policy setting to 1 or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - - -ADMX Info: -- GP Friendly name: *Turn off hybrid sleep (plugged in)* -- GP name: *ACStandbyWithHiberfileEnable_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - + +**Description framework properties**: -The following are the supported values for Hybrid sleep (plugged in): -- 0 - no hibernation file for sleep (default). -- 1 - hybrid sleep. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | | +| 1 | hybrid sleep | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | ACStandbyWithHiberfileEnable_2 | +| Friendly Name | Turn off hybrid sleep (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + - -**Power/UnattendedSleepTimeoutOnBattery** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## UnattendedSleepTimeoutOnBattery - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/UnattendedSleepTimeoutOnBattery +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + -
    + + + - - -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user isn't present at the computer. + +**Description framework properties**: -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows doesn't automatically transition to sleep. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + -If you disable or don't configure this policy setting, users control this setting. + +**Group policy mapping**: -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +| Name | Value | +|:--|:--| +| Name | UnattendedSleepTimeOutDC | +| Friendly Name | Specify the unattended sleep timeout (on battery) | +| Element Name | Unattended Sleep Timeout (seconds) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 | +| ADMX File Name | Power.admx | + - - -ADMX Info: -- GP Friendly name: *Specify the unattended sleep timeout (on battery)* -- GP name: *UnattendedSleepTimeOutDC* -- GP element: *EnterUnattendedSleepTimeOut* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* + + + - - -Default value for unattended sleep timeout (on battery): -300 - - + - - + +## UnattendedSleepTimeoutPluggedIn - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Power/UnattendedSleepTimeoutPluggedIn +``` + - -**Power/UnattendedSleepTimeoutPluggedIn** + + +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | UnattendedSleepTimeOutAC | +| Friendly Name | Specify the unattended sleep timeout (plugged in) | +| Element Name | Unattended Sleep Timeout (seconds) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0 | +| ADMX File Name | Power.admx | + -
    + + + - - -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user isn't present at the computer. + -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows doesn't automatically transition to sleep. + + + -If you disable or don't configure this policy setting, users control this setting. + -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - -ADMX Info: -- GP Friendly name: *Specify the unattended sleep timeout (plugged in)* -- GP name: *UnattendedSleepTimeOutAC* -- GP element: *EnterUnattendedSleepTimeOut* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - -Default value for unattended sleep timeout (plugged in): -300 - - - - - - - - -
    - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 7e7a66abfd189d6c4caa629c043b57979a0933b3 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 14:40:40 -0800 Subject: [PATCH 036/152] add notifications csp --- .../mdm/policy-csp-notifications.md | 515 +++++++++--------- 1 file changed, 269 insertions(+), 246 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3025afae1b..033b7c0132 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,293 +1,316 @@ --- -title: Policy CSP - Notifications -description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. +title: Notifications Policy CSP +description: Learn more about the Notifications Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Notifications -
    + + + - -## Notifications policies + +## DisallowCloudNotification -
    -
    - Notifications/DisallowCloudNotification -
    -
    - Notifications/DisallowNotificationMirroring -
    -
    - Notifications/DisallowTileNotification -
    -
    - Notifications/WnsEndpoint -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Notifications/DisallowCloudNotification +``` + -
    + + +This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. - -**Notifications/DisallowCloudNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting blocks application from using the network to send tile, badge, toast, and raw notifications. Specifically, this policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to use [periodic (polling) notifications](/windows/uwp/design/shell/tiles-and-notifications/periodic-notification-overview). - -If you enable this policy setting, applications and system features won't be able to receive notifications from the network from WNS or via notification polling APIs. +If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. -If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in, and applications will be allowed to use periodic (polling) notifications. +If you disable or do not configure this policy setting, the client computer will connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. No reboots or service restarts are required for this policy setting to take effect. + + + + + +For more information on application services to update tiles, see [Periodic notification overview](/windows/apps/design/shell/tiles-and-notifications/periodic-notification-overview). > [!WARNING] -> This policy is designed for zero exhaust. This policy may cause some MDM processes to break because WNS notification is used by the MDM server to send real time tasks to the device, such as remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work and some time-sensitive actions such as remote wipe when the device is stolen or unenrollment when the device is compromised will not work. +> This policy is designed for zero exhaust. This policy may cause some MDM processes to break. The MDM server uses WNS notifications to send real time tasks to the device. Some example tasks include remote wipe, unenroll, remote find, and mandatory app installation. When this policy is set to disallow WNS, those real time processes will no longer work. Some time-sensitive actions also won't work, such as remote wipe or unenrollment. You would use these time-sensitive actions when the device is stolen or compromised. - - -ADMX Info: -- GP Friendly name: *Turn off notifications network usage* -- GP name: *NoCloudNotification* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* +To validate the configuration: - - -This setting supports a range of values between 0 and 1. +1. Enable this policy. +1. Restart the computer. +1. Make sure that you can't receive a notification from an app like Facebook when the app isn't running. - - -Validation: -1. Enable policy. -2. Reboot machine. -3. Ensure that you can't receive a notification from Facebook app while FB app isn't running. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Notifications/DisallowNotificationMirroring** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Enable cloud notification. | +| 1 | Disable cloud notification. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoCloudNotification | +| Friendly Name | Turn off notifications network usage | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoCloudApplicationNotification | +| ADMX File Name | WPN.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## WnsEndpoint - - -Boolean value that turns off notification mirroring. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -For each user signed in to the device, if you enable this policy (set value to 1), the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. + +```Device +./Device/Vendor/MSFT/Policy/Config/Notifications/WnsEndpoint +``` + -No reboot or service restart is required for this policy to take effect. + + +FQDN for the WNS endpoint + - - -ADMX Info: -- GP Friendly name: *Turn off notification mirroring* -- GP name: *NoNotificationMirroring* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* + + - - -The following list shows the supported values: +This policy setting determines which Windows Notification Service (WNS) endpoint will be used to connect for Windows push notifications. -- 0 (default) – enable notification mirroring. -- 1 - disable notification mirroring. - - - - -
    - - -**Notifications/DisallowTileNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off tile notifications. - -If you enable this policy setting, applications and system features won't be able to update their tiles and tile badges in the Start screen. - -If you disable or don't configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. - -No reboots or service restarts are required for this policy setting to take effect. - - - -ADMX Info: -- GP Friendly name: *Turn off tile notifications* -- GP name: *NoTileNotification* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* - - - -This setting supports a range of values between 0 and 1. - - - -Validation: -1. Enable policy. -2. Reboot machine. -3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile). - - - -
    - - -**Notifications/WnsEndpoint** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
    - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - -This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications. - -If you disable or don't configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. +If you disable or don't configure this setting, the push notifications will connect to the default endpoint of `client.wns.windows.com`. > [!NOTE] -> Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. +> Make sure the proper WNS FQDNs, VIPs, IPs and ports are also allowed through the firewall. - - -ADMX Info: -- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint* -- GP name: *WnsEndpoint* -- GP path: *Start Menu and Taskbar/Notifications* -- GP ADMX file name: *WPN.admx* + - - -If the policy isn't specified, we'll default our connection to client.wns.windows.com. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | WnsEndpoint_Policy | +| Friendly Name | Enables group policy for the WNS FQDN | +| Element Name | FQDN for WNS | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| ADMX File Name | WPN.admx | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + +## DisallowNotificationMirroring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring +``` + + + + +This policy setting turns off notification mirroring. + +If you enable this policy setting, notifications from applications and system will not be mirrored to your other devices. + +If you disable or do not configure this policy setting, notifications will be mirrored, and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + + + + +This feature can be turned off by apps that don't want to participate in notification mirroring. This feature can also be turned off by the user in the Cortana settings page. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enable notification mirroring. | +| 1 | Disable notification mirroring. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NoNotificationMirroring | +| Friendly Name | Turn off notification mirroring | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | DisallowNotificationMirroring | +| ADMX File Name | WPN.admx | + + + + + + + + + +## DisallowTileNotification + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Notifications/DisallowTileNotification +``` + + + + +This policy setting turns off tile notifications. + +If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. + +If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | NoTileNotification | +| Friendly Name | Turn off tile notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoTileApplicationNotification | +| ADMX File Name | WPN.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From ec9b1e778709d3729d0c9f7ef1e44fb0c917f166 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 14:42:43 -0800 Subject: [PATCH 037/152] add newsandinterests csp --- .../mdm/policy-csp-newsandinterests.md | 129 ++++++++++-------- 1 file changed, 71 insertions(+), 58 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 280fdbcd41..53d736c546 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,86 +1,99 @@ --- -title: Policy CSP - NewsAndInterests -description: Learn how Policy CSP - NewsandInterests contains a list of news and interests. +title: NewsAndInterests Policy CSP +description: Learn more about the NewsAndInterests Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - NewsAndInterests -
    + + + - -## NewsAndInterests policies + +## AllowNewsAndInterests -
    -
    - NewsAndInterests/AllowNewsAndInterests -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/AllowNewsAndInterests +``` + - -**NewsAndInterests/AllowNewsAndInterests** + + +This policy specifies whether the widgets feature is allowed on the device. +Widgets will be turned on by default unless you change this in your settings. +If you turned this feature on before, it will stay on automatically unless you turn it off. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| +This policy applies to the entire widgets experience, including content on the taskbar. - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -This policy specifies whether to allow the entire widgets experience, including the content on taskbar. + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowNewsAndInterests | +| Friendly Name | Allow widgets | +| Location | Computer Configuration | +| Path | Windows Components > Widgets | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Dsh | +| Registry Value Name | AllowNewsAndInterests | +| ADMX File Name | NewsAndInterests.admx | + - + + + -The following are the supported values: + -- 1 - Default - Allowed. -- 0 - Not allowed. + + + - + - -ADMX Info: -- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*. -- GP name: *AllowNewsAndInterests* -- GP path: *Network/NewsandInterests* -- GP ADMX file name: *NewsandInterests.admx* - - - - -
    - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 2c4ef999a6ecd4ffb96df3fd48a3c323489b9783 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 14:48:16 -0800 Subject: [PATCH 038/152] add networklistmanager csp --- .../mdm/policy-csp-networklistmanager.md | 164 ++++++++++-------- 1 file changed, 89 insertions(+), 75 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 27b86f10fb..1639be5edb 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -1,112 +1,126 @@ --- -title: Policy CSP - NetworkListManager -description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. +title: NetworkListManager Policy CSP +description: Learn more about the NetworkListManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 12/16/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - NetworkListManager -
    + + + - -## NetworkListManager policies + +## AllowedTlsAuthenticationEndpoints -
    -
    - NetworkListManager/AllowedTlsAuthenticationEndpoints -
    -
    - NetworkListManager/ConfiguredTLSAuthenticationNetworkName -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkListManager/AllowedTlsAuthenticationEndpoints +``` + - -**NetworkListManager/AllowedTlsAuthenticationEndpoints** + + +List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - -This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. - -When entering a list of TLS endpoints in Microsoft Intune, you must follow this format, even in the UI: +When entering a list of TLS endpoints in Microsoft Intune, use the following format, even in the UI: `` -- The HTTPS endpoint must not have any more authentication checks, such as login or multi-factor authentication. +- The HTTPS endpoint must not have any more authentication checks, such as sign-in or multi-factor authentication. -- The HTTPS endpoint must be an internal address not accessible from outside the corporate network. +- The HTTPS endpoint must be an internal address not accessible from outside the organizational network. - The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. - A certificate shouldn't be a public certificate. + -
    + +**Description framework properties**: - -**NetworkListManager/ConfiguredTLSAuthenticationNetworkName** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ConfiguredTlsAuthenticationNetworkName - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -> [!div class = "checklist"] -> * Machine + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkListManager/ConfiguredTlsAuthenticationNetworkName +``` + -
    + + +The string will be used to name the network authenticated against one of the endpoints listed in AllowedTlsAuthenticationEndpoints policy + - - -This policy setting provides the string that is to be used to name a network. That network is authenticated against one of the endpoints that are listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an _Always On_ VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute. + + -
    +This policy setting provides the string that names a network. If this setting is used for Trusted Network Detection in an Always On VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute. - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + ## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From f538ea853e4385322206174b6dd04e34caab5695 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 16:22:22 -0800 Subject: [PATCH 039/152] add networkisolation csp --- .../mdm/policy-csp-networkisolation.md | 796 ++++++++++-------- 1 file changed, 444 insertions(+), 352 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 9acf0b9394..38259aea5f 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -1,410 +1,502 @@ --- -title: Policy CSP - NetworkIsolation -description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected. +title: NetworkIsolation Policy CSP +description: Learn more about the NetworkIsolation Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - NetworkIsolation -
    + + + - -## NetworkIsolation policies + +## EnterpriseCloudResources -
    -
    - NetworkIsolation/EnterpriseCloudResources -
    -
    - NetworkIsolation/EnterpriseIPRange -
    -
    - NetworkIsolation/EnterpriseIPRangesAreAuthoritative -
    -
    - NetworkIsolation/EnterpriseInternalProxyServers -
    -
    - NetworkIsolation/EnterpriseNetworkDomainNames -
    -
    - NetworkIsolation/EnterpriseProxyServers -
    -
    - NetworkIsolation/EnterpriseProxyServersAreAuthoritative -
    -
    - NetworkIsolation/NeutralResources -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseCloudResources +``` + - -**NetworkIsolation/EnterpriseCloudResources** + + +Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, ``|``|``,``|``|``,``|. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `|`) | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_EnterpriseCloudResources | +| Friendly Name | Enterprise resource domains hosted in the cloud | +| Element Name | Enterprise cloud resources | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + -
    + + + - - -Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. + - - -ADMX Info: -- GP Friendly name: *Enterprise resource domains hosted in the cloud* -- GP name: *WF_NetIsolation_EnterpriseCloudResources* -- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + +## EnterpriseInternalProxyServers - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseInternalProxyServers +``` + - -**NetworkIsolation/EnterpriseIPRange** + + +This is the comma-separated list of internal proxy servers. For example 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59. These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the EnterpriseCloudResources policy to force traffic to the matched cloud resources through these proxies. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Intranet_Proxies | +| Friendly Name | Intranet proxy servers for apps | +| Element Name | Type a proxy server IP address for the intranet | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + -
    + + + - - -Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. These ranges are a comma-separated list of IPv4 and IPv6 ranges. + - - -ADMX Info: -- GP Friendly name: *Private network ranges for apps* -- GP name: *WF_NetIsolation_PrivateSubnet* -- GP element: *WF_NetIsolation_PrivateSubnetBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + +## EnterpriseIPRange - - -For example: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -``` syntax + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRange +``` + + + + +Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_PrivateSubnet | +| Friendly Name | Private network ranges for apps | +| Element Name | Private subnets | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + + + + + +**Example of IP ranges**: + +```syntax 10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, 192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, 2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ``` - - + -
    + - -**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + +## EnterpriseIPRangesAreAuthoritative - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative +``` + - -
    + + +This setting does not apply to desktop apps. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. -> [!div class = "checklist"] -> * Device +If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private. -
    +If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment. - - -Integer value that tells the client to accept the configured list and not to use heuristics to attempt and find other subnets. +For more information see: + - - -ADMX Info: -- GP Friendly name: *Subnet definitions are authoritative* -- GP name: *WF_NetIsolation_Authoritative_Subnet* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**NetworkIsolation/EnterpriseInternalProxyServers** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Authoritative_Subnet | +| Friendly Name | Subnet definitions are authoritative | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| Registry Value Name | DSubnetsAuthoritive | +| ADMX File Name | NetworkIsolation.admx | + + + + + + + + + +## EnterpriseNetworkDomainNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseNetworkDomainNames +``` + + + + +This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example contoso. sharepoint. com, Fabrikam. com. + +**Note**: The client requires domain name to be canonical, otherwise the setting will be rejected by the client. Here are the steps to create canonical domain names:Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft. COM -> microsoft. com. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags. Call IdnToUnicode with no flags set (dwFlags = 0). + + + + + +For more information, see the following APIs: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- [IdnToAscii function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntoascii) +- [IdnToUnicode function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntounicode) + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + + + + + -> [!div class = "checklist"] -> * Device - -
    - - - -This list is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They're considered to be enterprise network locations. The proxies are only used in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - -ADMX Info: -- GP Friendly name: *Intranet proxy servers for apps* -- GP name: *WF_NetIsolation_Intranet_Proxies* -- GP element: *WF_NetIsolation_Intranet_ProxiesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* - - - - -
    - - -**NetworkIsolation/EnterpriseNetworkDomainNames** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This is a list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". - -> [!NOTE] -> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. - -Here are the steps to create canonical domain names: - -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0). - - - - -
    - - -**NetworkIsolation/EnterpriseProxyServers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This list is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - -ADMX Info: -- GP Friendly name: *Internet proxy servers for apps* -- GP name: *WF_NetIsolation_Domain_Proxies* -- GP element: *WF_NetIsolation_Domain_ProxiesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* - - - - -
    - - -**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Integer value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - -ADMX Info: -- GP Friendly name: *Proxy definitions are authoritative* -- GP name: *WF_NetIsolation_Authoritative_Proxies* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* - - - - -
    - - -**NetworkIsolation/NeutralResources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of domain names that can be used for work or personal resource. - - - -ADMX Info: -- GP Friendly name: *Domains categorized as both work and personal* -- GP name: *WF_NetIsolation_NeutralResources* -- GP element: *WF_NetIsolation_NeutralResourcesBox* -- GP path: *Network/Network Isolation* -- GP ADMX file name: *NetworkIsolation.admx* - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + +## EnterpriseProxyServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServers +``` + + + + +This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Domain_Proxies | +| Friendly Name | Internet proxy servers for apps | +| Element Name | Domain Proxies | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + + + + + + + + + +## EnterpriseProxyServersAreAuthoritative + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative +``` + + + + +This setting does not apply to desktop apps. + +Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. + +If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies. + +If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses. + +For more information see: + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_Authoritative_Proxies | +| Friendly Name | Proxy definitions are authoritative | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| Registry Value Name | DProxiesAuthoritive | +| ADMX File Name | NetworkIsolation.admx | + + + + + + + + + +## NeutralResources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/NeutralResources +``` + + + + +List of domain names that can used for work or personal resource. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WF_NetIsolation_NeutralResources | +| Friendly Name | Domains categorized as both work and personal | +| Element Name | Neutral resources | +| Location | Computer Configuration | +| Path | Network > Network Isolation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation | +| ADMX File Name | NetworkIsolation.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 24d714ff025b156becd08bc80a53cbe2a0a4224f Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 20 Dec 2022 16:26:56 -0800 Subject: [PATCH 040/152] add multitasking csp --- .../mdm/policy-csp-multitasking.md | 147 +++++++++--------- 1 file changed, 73 insertions(+), 74 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 8893e13ac4..c4ca1c6ea5 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,101 +1,100 @@ --- -title: Policy CSP - Multitasking -description: Policy CSP - Multitasking +title: Multitasking Policy CSP +description: Learn more about the Multitasking Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/30/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Multitasking -
    + + + - -## Multitasking policies + +## BrowserAltTabBlowout -
    -
    - Multitasking/BrowserAltTabBlowout -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/Multitasking/BrowserAltTabBlowout +``` + - -**Multitasking/BrowserAltTabBlowout** + + +Configures the inclusion of Microsoft Edge tabs into Alt-Tab. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +> [!WARNING] +> This policy is currently in preview mode only. It may be used for testing purposes, but shouldn't be used in a production environment at this time. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -> [!Warning] -> This policy is currently in preview mode only and will be supported in future releases. It may be used for testing purposes, but should not be used in a production environment at this time. - -This policy controls the inclusion of Edge tabs into Alt+Tab. - -Enabling this policy restricts the number of Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Edge tabs, only the five most recent tabs, only the three most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior. +Enabling this policy restricts the number of Microsoft Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Microsoft Edge tabs, only the five most recent tabs, only the three most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior. This policy only applies to the Alt+Tab switcher. When the policy isn't enabled, the feature respects the user's setting in the Settings app. - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + - -ADMX Info: -- GP Friendly name: *Configure the inclusion of Edge tabs into Alt-Tab* -- GP name: *BrowserAltTabBlowout* -- GP path: *Windows Components/Multitasking* -- GP ADMX file name: *Multitasking.admx* + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -The following list shows the supported values: + +**Allowed values**: -- 1 - Open windows and all tabs in Edge. -- 2 - Open windows and five most recent tabs in Edge. -- 3 - Open windows and three most recent tabs in Edge. -- 4 - Open windows only. +| Value | Description | +|:--|:--| +| 1 (Default) | Open windows and all tabs in Microsoft Edge | +| 2 | Open windows and 5 most recent tabs in Microsoft Edge | +| 3 | Open windows and 3 most recent tabs in Microsoft Edge | +| 4 | Open windows only | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | MultiTaskingAltTabFilter | +| Path | multitasking > AT > WindowsComponents > MULTITASKING | +| Element Name | AltTabFilterDropdown | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 71a26ee85287973957dafa549d290765d584aeb1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:12:18 -0800 Subject: [PATCH 041/152] add mixedreality csp --- .../mdm/policy-csp-mixedreality.md | 1375 ++++++++++------- 1 file changed, 843 insertions(+), 532 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index dc083daf3c..a998ae7b42 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,782 +1,1093 @@ --- -title: Policy CSP - MixedReality -description: Policy CSP - MixedReality +title: MixedReality Policy CSP +description: Learn more about the MixedReality Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - MixedReality -
    +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## MixedReality policies + + -
    -
    - MixedReality/AADGroupMembershipCacheValidityInDays -
    -
    - MixedReality/AllowCaptivePortalBeforeLogon -
    -
    - MixedReality/AllowLaunchUriInSingleAppKiosk -
    -
    - MixedReality/AutoLogonUser -
    -
    - MixedReality/BrightnessButtonDisabled -
    -
    - MixedReality/ConfigureMovingPlatform -
    -
    - MixedReality/ConfigureNtpClient -
    -
    - MixedReality/DisallowNetworkConnectivityPassivePolling -
    -
    - MixedReality/FallbackDiagnostics -
    -
    - MixedReality/HeadTrackingMode -
    -
    - MixedReality/ManualDownDirectionDisabled -
    -
    - MixedReality/MicrophoneDisabled -
    -
    - MixedReality/NtpClientEnabled -
    -
    - MixedReality/SkipCalibrationDuringSetup -
    -
    - MixedReality/SkipTrainingDuringSetup -
    -
    - MixedReality/VisitorAutoLogon -
    -
    - MixedReality/VolumeButtonDisabled -
    -
    +These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices. -
    + - -**MixedReality/AADGroupMembershipCacheValidityInDays** + +## AADGroupMembershipCacheValidityInDays - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays +``` + + + + +This policy controls for how many days, AAD group membership cache is allowed to be used for Assigned Access configurations targeting AAD groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions. + + + + Steps to use this policy correctly: -1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s). -1. Create a custom OMA URI-based device configuration that sets this policy value to chosen number of days (> 0) and assign it to HoloLens devices. - 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays - 1. The value can be between min / max allowed. -1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in, when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. -1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. -1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they're a member of Azure AD group to which Kiosk configuration is targeted. +1. Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices. +1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices. + - The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays` + - The value can be any integer in the allowed range. +1. Enroll the HoloLens devices. Verify that both configurations apply to the device. +1. When internet is available, sign in as an Azure AD user. Once the user signs-in, and Azure AD group membership is confirmed successfully, the cache will be created. +1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. +1. Steps 4 and 5 can be repeated for any other Azure AD user. The key point is that any Azure AD user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of an Azure AD group to which the kiosk configuration is targeted. > [!NOTE] -> Until step 4 is performed for a Azure AD, user will experience failure behavior mentioned similar to “disconnected” environments. +> Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment. - -
    + - -**MixedReality/AllowCaptivePortalBeforeLogon** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-60]` | +| Default Value | 0 | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + + + + +## AllowCaptivePortalBeforeLogon - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon +``` + -
    + + +This policy controls whether the device will display the captive portal flow on the HoloLens sign in screen's network selection page when a captive portal network is detected. Displaying the captive portal flow is disabled by default to reduce the potential of gaining unauthorized access to the device through the browser. + - -This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. + + -MixedReality/AllowCaptivePortalBeforeLogon +This opt-in policy can help with the setup of new devices in new areas or new users. The captive portal allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeLogon` + -Int value + +**Description framework properties**: -- 0: (Default) Off -- 1: On +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Displaying captive portal is not allowed. | +| 1 | Displaying captive portal is allowed. | + - -**MixedReality/AllowLaunchUriInSingleAppKiosk** + + + - + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +## AllowLaunchUriInSingleAppKiosk - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk +``` + -
    + + +By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. + - -This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-Fi. + + -By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. +Enable this policy to allow for other apps to be launched within a single app kiosk. This behavior may be useful if you want to launch the Settings app to calibrate your device or change your Wi-Fi. -The OMA-URI of policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk` +For more information on the Launcher API, see [Launcher Class (Windows.System) - Windows UWP applications](/uwp/api/windows.system.launcher). -Bool value + - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**MixedReality/AutoLogonUser** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Applications are not allowed to be launched with Launcher API, when in single app kiosk mode. | +| 1 | Applications are allowed to be launched with Launcher API, when in single app kiosk mode. | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + + + - -This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign-in. + -When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon. + +## AutoLogonUser -The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser` + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -Supported value is String. + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser +``` + -- User with the same email address will have autologon enabled. + + +This policy controls whether a user will be automatically logged on. When the policy is set to a non-empty value, it specifies the email address of the auto-logon user. The specified user must logon to the device at least once to enable auto-logon. + -On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign-in will have the specified user automatically signed in. Only a single autologon user is supported. Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled. + + + +Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. In this case, you can pick up a device and immediately use remote assist. It also allows you to rapidly distribute HoloLens devices and have users speed up sign-in. + +The string value is the email address of the user to automatically sign in. + +On a device where you configure this policy, the user specified in the policy needs to sign in at least once. Subsequent reboots of the device after the first sign-in will have the specified user automatically signed in. Only a single auto-logon user is supported. Once enabled, the automatically signed-in user can't manually sign out. To sign in as a different user, first disable this policy. > [!NOTE] > -> - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior. -> - Auto-logon is only supported for Microsoft account and Azure Active Directory users. +> - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior. +> - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users. - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + + + - - -This policy setting controls, for how many days Azure AD group membership cache is allowed to be used for the Assigned Access configurations, targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions. + - + +## AutomaticDisplayAdjustment - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -Supported value is Integer. + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AutomaticDisplayAdjustment +``` + -Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days). + + +This policy controls if the HoloLens displays will be automatically adjusted for your eyes to improve hologram visual quality when an user wears the device. When this feature is enabled, a new user upon wearing the device will not be prompted to calibrate and yet the displays will be adjusted to suite them automatically. However if an immersive application is launched that depends on eye tracking interactions, the user will be prompted to perform the calibration. + - - -
    + + + - -**MixedReality/BrightnessButtonDisabled** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## BrightnessButtonDisabled - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/BrightnessButtonDisabled +``` + + + + This policy setting controls if pressing the brightness button changes the brightness or not. It only impacts brightness on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes. + - + + + - - + +**Description framework properties**: - -Supported values is Boolean. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The following list shows the supported values: + +**Allowed values**: -- 0 - False (Default) -- 1 - True +| Value | Description | +|:--|:--| +| 0 (Default) | Brightness can be changed with press of brightness button. | +| 1 | Brightness cannot be changed with press of brightness button. | + - - -
    + + + - -**MixedReality/ConfigureMovingPlatform** + - + +## ConfigureMovingPlatform -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureMovingPlatform +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it’s turned off / on or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. Please refer to HoloLens 2 Moving Platform Mode for background information. + -> [!div class = "checklist"] -> * Device + + -
    +For more information, see [Moving platform mode on low dynamic motion moving platforms](/hololens/hololens2-moving-platform). - - -This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). + - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -Supported value is Integer. + +**Allowed values**: -- 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system. -- 1 Force off - Moving platform is disabled and can't be changed by user. -- 2 Force on - Moving platform is enabled and can't be changed by user. +| Value | Description | +|:--|:--| +| 0 (Default) | Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system. | +| 1 | Moving platform is disabled and cannot be changed by user. | +| 2 | Moving platform is enabled and cannot be changed by user. | + - - -
    + + + - -**MixedReality/ConfigureNtpClient** + - + +## ConfigureNtpClient -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting specifies a set of parameters for controlling the Windows NTP Client. -> [!div class = "checklist"] -> * Device +If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. -
    +If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. - - +NtpServer +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". -You may want to configure a different time server for your device fleet. IT admins can use this policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy. +Type +This value controls the authentication that W32time uses. The default value is NT5DS. -This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters. +CrossSiteSyncFlags +This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal). + +ResolvePeerBackoffMinutes +This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. + +ResolvePeerBackoffMaxTimes +This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. + +SpecialPollInterval +This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. + +EventLogFlags +This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. + + + + + +**More information**: + +You may want to configure a different time server for your device fleet. You can use this policy to configure certain aspects of the NTP client. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. + +For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NTPClient](policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient). > [!NOTE] -> This feature requires enabling[NtpClientEnabled](#mixedreality-ntpclientenabled) as well. +> This policy also requires enabling [NtpClientEnabled](#ntpclientenabled). +> +> After you enable this policy, restart the device for the changes to apply. -- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureNtpClient` + -> [!NOTE] -> Reboot is required for these policies to take effect. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -- Data Type: String -- Value: +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_CONFIGURE_NTPCLIENT | +| Friendly Name | Configure Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| ADMX File Name | W32Time.admx | + -``` - + +\ + +**Example**: + +The following XML string is an example of the value for this policy: + +```xml + + + + + + + + ``` - - -
    + - -**MixedReality/DisallowNetworkConnectivityPassivePolling** + - + +## DisallowNetworkConnectivityPassivePolling -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. This policy allows IT admins to disable NCSI passive polling. Value type is integer. + -> [!div class = "checklist"] -> * Device + + -
    +Windows Network Connectivity Status Indicator may get a false positive internet-capable signal from passive polling. That behavior may result in the Wi-Fi adapter unexpectedly resetting when the device connects to an intranet-only access point. When you enable this policy, you can avoid unexpected network interruptions caused by false positive NCSI passive polling. - -Windows Network Connectivity Status Indicator may get false positive Internet capable signal from passive polling. That may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point. Enabling this policy would avoid unexpected network interruptions caused by false positive NCSI passive polling. + -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling` + +**Description framework properties**: -- Bool value +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. | +| 1 | Not allowed. | + - -**MixedReality/FallbackDiagnostics** + + + - + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +## EyeTrackingCalibrationPrompt - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/EyeTrackingCalibrationPrompt +``` + -> [!div class = "checklist"] -> * Device + + +This policy controls when a new person uses Hololens device, if Hololens should automatically ask to run eye calibration. + -
    + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + + + + + + + +## FallbackDiagnostics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/FallbackDiagnostics +``` + + + + This policy setting controls, when and if diagnostic logs can be collected using specific button combination on HoloLens. + - + + + - - + +**Description framework properties**: - -Supporting value is Integer. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + -The following list shows the supported values: + +**Allowed values**: -- 0 - Disabled. -- 1 - Enabled for device owners. -- 2 - Enabled for all (Default). +| Value | Description | +|:--|:--| +| 0 | Not allowed. Diagnostic logs cannot be collected by pressing the button combination. | +| 1 | Allowed for device owners only. Diagnostics logs can be collected by pressing the button combination only if signed-in user is considered as device owner. | +| 2 (Default) | Allowed for all users. Diagnostic logs can be collected by pressing the button combination. | + - - -
    + + + - -**MixedReality/HeadTrackingMode** + - + +## HeadTrackingMode -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/HeadTrackingMode +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy configures behavior of HUP to determine, which algorithm to use for head tracking. It requires a reboot for the policy to take effect. + - + + - - +**Allowed values**: - -Supporting value is Boolean. +| Value | Description | +|:--|:--| +| `0` (Default) | Feature - Default feature based / SLAM-based tracker. | +| `1` | Constellation - LR constellation based tracker. | -The following list shows the supported values: + -- 0 - Feature – Default feature based / SLAM-based tracker (Default). -- 1 - Constellation – LR constellation based tracker. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 0 | + - -**MixedReality/ManualDownDirectionDisabled** + + + - + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +## ManualDownDirectionDisabled - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/ManualDownDirectionDisabled +``` + + + This policy controls whether the user can change down direction manually or not. If no down direction is set by the user, then an automatically calculated down direction is used by the system. This policy has no dependency on ConfigureMovingPlatform policy and they can be set independently. + -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ManualDownDirectionDisabled` + + - +When the system automatically determines the down direction, it's using the measured gravity vector. - + -Supported values: + +**Description framework properties**: -- **False (Default)** - User can manually change down direction if they desire, otherwise down direction will be determined automatically based on the measured gravity vector. -- **True** - User can’t manually change down direction and down direction will be always determined automatically based on the measured gravity vector. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - -**MixedReality/MicrophoneDisabled** +| Value | Description | +|:--|:--| +| 0 (Default) | User is allowed to manually change down direction. | +| 1 | User is not allowed to manually change down direction. | + - + + + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + - -
    + +## MicrophoneDisabled - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/MicrophoneDisabled +``` + -
    - - - + + This policy setting controls whether microphone on HoloLens 2 is disabled or not. + - + + + - - + +**Description framework properties**: - -Supporting value is Boolean. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The following list shows the supported values: + +**Allowed values**: -- 0 - False (Default) -- 1 - True +| Value | Description | +|:--|:--| +| 0 (Default) | Microphone can be used for voice. | +| 1 | Microphone cannot be used for voice. | + - + + + - -**MixedReality/NtpClientEnabled** + - + +## NtpClientEnabled -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled +``` + + + This policy setting specifies whether the Windows NTP Client is enabled. -- OMA-URI: `./Device/Vendor/MSFT/Policy/Config/MixedReality/NtpClientEnabled` - +Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. - - +If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. - -- Data Type: String -- Value `` +If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. + - + + - -
    +For more information, see the [ConfigureNtpClient](#configurentpclient) policy. - -**MixedReality/SkipCalibrationDuringSetup** + - + +**Description framework properties**: -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_ENABLE_NTPCLIENT | +| Friendly Name | Enable Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| Registry Value Name | Enabled | +| ADMX File Name | W32Time.admx | + -
    + + - -Skips the calibration experience on HoloLens 2 devices when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to calibrate their device from the Settings app. +**Example**: -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringSetup` +The following example XML string shows the value to enable this policy: -- Bool value +```xml + +``` - + - -
    + - -**MixedReality/SkipTrainingDuringSetup** + +## SkipCalibrationDuringSetup - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringSetup +``` + - + + +This policy configures whether the device will take the user through the eye tracking calibration process during device setup and first time user setup. If this policy is enabled, the device will not show the eye tracking calibration process during device setup and first time user setup. +**Note** that until the user goes through the calibration process, eye tracking will not work on the device. If an app requires eye tracking and the user has not gone through the calibration process, the user will be prompted to do so. + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!NOTE] +> The user will still be able to calibrate their device from the Settings app. -> [!div class = "checklist"] -> * Device + -
    + +**Description framework properties**: - -On HoloLens 2 devices, skips the training experience of interactions with the humming bird and start menu training when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to learn these movement controls from the Tips app. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringSetup` + +**Allowed values**: -- Bool value +| Value | Description | +|:--|:--| +| 0 (Default) | Eye tracking calibration process will be shown during device setup and first time user setup. | +| 1 | Eye tracking calibration process will not be shown during device setup and first time user setup. | + - + + + - -
    + - -**MixedReality/VolumeButtonDisabled** + +## SkipTrainingDuringSetup - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringSetup +``` + - -
    + + +This policy configures whether the device will take the user through a training process during device setup and first time user setup. If this policy is enabled, the device will not show the training process during device setup and first time user setup. If the user wishes to go through that training process, the user can launch the Tips app. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + -> [!div class = "checklist"] -> * Device +It skips the training experience of interactions with the hummingbird and Start menu training. The user will still be able to learn these movement controls from the Tips app. -
    + - - -This policy setting controls if pressing the volume button changes the volume or not. It only impacts volume on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - -Supporting value is Boolean. +| Value | Description | +|:--|:--| +| 0 (Default) | Training process will be shown during device setup and first time user setup. | +| 1 | Training process will not be shown during device setup and first time user setup. | + -The following list shows the supported values: + + + -- 0 - False (Default) -- 1 - True + - - -
    + +## VisitorAutoLogon - -**MixedReality/VisitorAutoLogon** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/VisitorAutoLogon +``` + -|Windows Edition|Supported| -|--- |--- | -|HoloLens (first gen) Development Edition|No| -|HoloLens (first gen) Commercial Suite|No| -|HoloLens 2|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in, if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in, if no other user has logged in on the device before. + - + + + - - + +**Description framework properties**: - -Supported value is Boolean. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -The following list shows the supported values: + +**Allowed values**: -- 0 Disabled (Default) -- 1 Enabled +| Value | Description | +|:--|:--| +| 0 (Default) | Visitor user will not be signed in automatically. | +| 1 | Visitor user will be signed in automatically. | + - - -
    + + + - + -## Related topics + +## VolumeButtonDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/VolumeButtonDisabled +``` + + + + +This policy setting controls if pressing the volume button changes the volume or not. It only impacts volume on HoloLens and not the functionality of the button when it's used with other buttons as combination for other purposes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Volume can be changed with press of the volume button. | +| 1 | Volume cannot be changed with press of the volume button. | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 85c5f59bc5e842d0306262ea4c09d84813ce31e5 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:27:46 -0800 Subject: [PATCH 042/152] add messaging csp --- .../mdm/policy-csp-messaging.md | 222 +++++++++++++----- 1 file changed, 167 insertions(+), 55 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index 167c581829..85a71cbbec 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,83 +1,195 @@ --- -title: Policy CSP - Messaging -description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging. +title: Messaging Policy CSP +description: Learn more about the Messaging Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/21/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Messaging -
    + + + - -## Messaging policies + +## AllowMessageSync -
    -
    - Messaging/AllowMessageSync -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Messaging/AllowMessageSync +``` + - -**Messaging/AllowMessageSync** + + +This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. + - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Disable this feature to avoid information being stored on servers outside of your organization's control. - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Enables text message backup and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. +| Value | Description | +|:--|:--| +| 0 | message sync is not allowed and cannot be changed by the user. | +| 1 (Default) | message sync is allowed. The user can change this setting. | + - - -ADMX Info: -- GP Friendly name: *Allow Message Service Cloud Sync* -- GP name: *AllowMessageSync* -- GP path: *Windows Components/Messaging* -- GP ADMX file name: *messaging.admx* + +**Group policy mapping**: - - -The following list shows the supported values: +| Name | Value | +|:--|:--| +| Name | AllowMessageSync | +| Friendly Name | Allow Message Service Cloud Sync | +| Location | Computer Configuration | +| Path | Windows Components > Messaging | +| Registry Key Name | Software\Policies\Microsoft\Windows\Messaging | +| Registry Value Name | AllowMessageSync | +| ADMX File Name | messaging.admx | + -- 0 - message sync isn't allowed and can't be changed by the user. -- 1 - message sync is allowed. The user can change this setting. + + + - - + -
    + +## AllowMMS - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/Policy/Config/Messaging/AllowMMS +``` + + + + +This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Block | + + + + + + + + + +## AllowRCS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Messaging/AllowRCS +``` + + + + +This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Block | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 3c543f57df344428b3907899aef83481d5e134b1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:32:29 -0800 Subject: [PATCH 043/152] add memorydump csp --- .../mdm/policy-csp-memorydump.md | 180 +++++++++--------- 1 file changed, 95 insertions(+), 85 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index a1ced538a9..2311cd2deb 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,119 +1,129 @@ --- -title: Policy CSP - MemoryDump -description: Use the Policy CSP +title: MemoryDump Policy CSP +description: Learn more about the MemoryDump Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/21/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - MemoryDump -
    + + + - -## MemoryDump policies + +## AllowCrashDump -
    -
    - MemoryDump/AllowCrashDump -
    -
    - MemoryDump/AllowLiveDump -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump +``` + - -**MemoryDump/AllowCrashDump** + + +This policy setting decides if crash dump collection on the machine is allowed or not. Supported values: 0 - Disable crash dump collection. 1 (default) - Allow crash dump collection. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disable crash dump collection. | +| 1 (Default) | Allow crash dump collection. | + -
    + + + - - -This policy setting decides if crash dump collection on the machine is allowed or not. + - - -The following list shows the supported values: + +## AllowLiveDump -- 0 - Disable crash dump collection. -- 1 (default) - Allow crash dump collection. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump +``` + -
    + + +This policy setting decides if live dump collection on the machine is allowed or not. Supported values: 0 - Disable live dump collection. 1 (default) - Allow live dump collection. + - -**MemoryDump/AllowLiveDump** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Disable live dump collection. | +| 1 (Default) | Allow live dump collection. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting decides if crash dump collection on the machine is allowed or not. + + + - + - -The following list shows the supported values: +## Related articles -- 0 - Disable crash dump collection. -- 1 (default) - Allow crash dump collection. - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From fd5050b03d93d0957e86235dc72de9704cfcf94f Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Wed, 21 Dec 2022 14:34:55 -0500 Subject: [PATCH 044/152] CSP review --- .../mdm/policy-csp-abovelock.md | 243 +- .../mdm/policy-csp-accounts.md | 526 ++-- .../mdm/policy-csp-activexcontrols.md | 134 +- .../policy-csp-admx-activexinstallservice.md | 136 +- .../mdm/policy-csp-admx-addremoveprograms.md | 1163 +++---- .../mdm/policy-csp-admx-admpwd.md | 354 ++- .../mdm/policy-csp-admx-appcompat.md | 959 +++--- .../mdm/policy-csp-admx-appxpackagemanager.md | 140 +- .../mdm/policy-csp-admx-appxruntime.md | 393 ++- .../mdm/policy-csp-admx-attachmentmanager.md | 459 +-- .../mdm/policy-csp-admx-auditsettings.md | 132 +- .../mdm/policy-csp-admx-bits.md | 1199 +++---- .../mdm/policy-csp-admx-ciphersuiteorder.md | 221 +- .../mdm/policy-csp-admx-com.md | 218 +- .../mdm/policy-csp-admx-controlpanel.md | 405 +-- .../policy-csp-admx-controlpaneldisplay.md | 2379 +++++++------- .../mdm/policy-csp-admx-cpls.md | 130 +- .../policy-csp-admx-credentialproviders.md | 300 +- .../mdm/policy-csp-admx-credssp.md | 1140 ++++--- .../mdm/policy-csp-admx-credui.md | 217 +- .../mdm/policy-csp-admx-ctrlaltdel.md | 384 ++- .../mdm/policy-csp-admx-datacollection.md | 127 +- .../mdm/policy-csp-admx-dcom.md | 236 +- .../mdm/policy-csp-admx-desktop.md | 2635 +++++++++------- .../mdm/policy-csp-admx-devicecompat.md | 207 +- .../mdm/policy-csp-admx-deviceguard.md | 144 +- .../mdm/policy-csp-admx-deviceinstallation.md | 689 ++-- .../mdm/policy-csp-admx-devicesetup.md | 216 +- .../mdm/policy-csp-admx-dfs.md | 133 +- .../mdm/policy-csp-admx-digitallocker.md | 215 +- .../mdm/policy-csp-admx-diskdiagnostic.md | 224 +- ...policy-csp-admx-distributedlinktracking.md | 128 +- .../mdm/policy-csp-admx-dnsclient.md | 2473 ++++++++------- .../mdm/policy-csp-admx-dwm.md | 598 ++-- .../mdm/policy-csp-admx-eaime.md | 1024 +++--- .../mdm/policy-csp-admx-encryptfilesonmove.md | 132 +- .../mdm/policy-csp-admx-enhancedstorage.md | 538 ++-- .../mdm/policy-csp-admx-errorreporting.md | 2799 +++++++++-------- .../mdm/policy-csp-admx-eventforwarding.md | 214 +- .../mdm/policy-csp-admx-eventlog.md | 1926 +++++++----- .../mdm/policy-csp-admx-eventlogging.md | 131 +- .../mdm/policy-csp-admx-eventviewer.md | 273 +- .../mdm/policy-csp-admx-explorer.md | 460 +-- .../mdm/policy-csp-admx-externalboot.md | 313 +- .../mdm/policy-csp-admx-filerecovery.md | 129 +- .../mdm/policy-csp-admx-filerevocation.md | 131 +- .../policy-csp-admx-fileservervssprovider.md | 134 +- .../mdm/policy-csp-admx-filesys.md | 692 ++-- .../mdm/policy-csp-admx-folderredirection.md | 680 ++-- 49 files changed, 15781 insertions(+), 13052 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index d0febc03b7..5adb27e901 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,127 +1,200 @@ --- -title: Policy CSP - AboveLock -description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. +title: AboveLock Policy CSP +description: Learn more about the AboveLock Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/09/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - AboveLock -
    + + + - -## AboveLock policies + +## AllowActionCenterNotifications -
    -
    - AboveLock/AllowCortanaAboveLock -
    -
    - AboveLock/AllowToasts -
    -
    +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AboveLock/AllowActionCenterNotifications +``` + + + +This policy is deprecated + - -**AboveLock/AllowCortanaAboveLock** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + +## AllowCortanaAboveLock - - -ADMX Info: -- GP Friendly name: *Allow Cortana above lock screen* -- GP name: *AllowCortanaAboveLock* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/AboveLock/AllowCortanaAboveLock +``` + -- 0 - Not allowed. -- 1 (default) - Allowed. + + +This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. - - +If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. -
    +If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + - -**AboveLock/AllowToasts** + + +Added in Windows 10, version 1607. + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes, starting in Windows 10, version 1607|Yes| -|Enterprise|Yes, starting in Windows 10, version 1607|Yes| -|Education|Yes, starting in Windows 10, version 1607|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | AllowCortanaAboveLock | +| Friendly Name | Allow Cortana above lock screen | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowCortanaAboveLock | +| ADMX File Name | Search.admx | + - - -Specifies whether to allow toast notifications above the device lock screen. + + + -Most restricted value is 0. + - - -The following list shows the supported values: + +## AllowToasts -- 0 - Not allowed. -- 1 (default) - Allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/AboveLock/AllowToasts +``` + - + + +Specifies whether to allow toast notifications above the device lock screen. Most restricted value is 0. + -## Related topics + + + -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index c4579bded6..59adf963ba 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,266 +1,282 @@ --- -title: Policy CSP - Accounts -description: Learn about the Accounts policy configuration service provider (CSP). This article describes account policies. +title: Accounts Policy CSP +description: Learn more about the Accounts Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/13/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/27/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Accounts + + + + + +## AllowAddingNonMicrosoftAccountsManually + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/AllowAddingNonMicrosoftAccountsManually +``` + + + + +Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0. + +**Note**: This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowMicrosoftAccountConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/AllowMicrosoftAccountConnection +``` + + + + +Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowMicrosoftAccountSignInAssistant + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/AllowMicrosoftAccountSignInAssistant +``` + + + + +Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service. + +**Note**: If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are. + +**Note**: If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. + + + + +Added in Windows 10, version 1703. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Manual start. | + + + + + + + + + +## DomainNamesForEmailSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/DomainNamesForEmailSync +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## RestrictToEnterpriseDeviceAuthenticationOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Accounts/RestrictToEnterpriseDeviceAuthenticationOnly +``` + + + + +This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, only allow device authentication, and block user authentication. + + + + +Added in Windows 11, version 22H2. Most restricted value is 1. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow both device and user authentication. Do not block user authentication. | +| 1 | Only allow device authentication. Block user authentication. | + + + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | MicrosoftAccount_RestrictToDeviceAuthenticationOnly | +| Path | MSAPolicy > AT > WindowsComponents > MicrosoftAccountCategory | + + + + + + + -
    - - -## Accounts policies - -
    -
    - Accounts/AllowAddingNonMicrosoftAccountsManually -
    -
    - Accounts/AllowMicrosoftAccountConnection -
    -
    - Accounts/AllowMicrosoftAccountSignInAssistant -
    -
    - Accounts/DomainNamesForEmailSync -
    -
    - Accounts/RestrictToEnterpriseDeviceAuthenticationOnly -
    -
    - - -
    - - -**Accounts/AllowAddingNonMicrosoftAccountsManually** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether user is allowed to add email accounts other than Microsoft account. - -Most restricted value is 0. - -> [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. - - - -The following list shows the supported values: - -- 0 - Not allowed. -- 1 (default) - Allowed. - - - - -
    - - -**Accounts/AllowMicrosoftAccountConnection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 - Not allowed. -- 1 (default) - Allowed. - - - - -
    - - -**Accounts/AllowMicrosoftAccountSignInAssistant** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. - -> [!NOTE] -> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). - -> [!NOTE] -> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. - - - -The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Manual start. - - - -
    - - - -**Accounts/DomainNamesForEmailSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -The following list shows the supported values: - - - - -
    - - -**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Added in Windows 11, version 22H2. This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, we only allow device authentication and block user authentication. - -Most restricted value is 1. - - - -The following list shows the supported values: - -- 0 (default) - Allow both device and user authentication. -- 1 - Only allow device authentication. Block user authentication. - - - -
    - - - - - -## Related topics - -[Policy CSP](policy-configuration-service-provider.md) - + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 02246616a5..a7412e45a0 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,92 +1,100 @@ --- -title: Policy CSP - ActiveXControls -description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. +title: ActiveXControls Policy CSP +description: Learn more about the ActiveXControls Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/13/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ActiveXControls > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## ApprovedInstallationSites - -## ActiveXControls policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - ActiveXControls/ApprovedInstallationSites -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ActiveXControls/ApprovedInstallationSites +``` + - -
    - - -**ActiveXControls/ApprovedInstallationSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved ActiveX Install sites specified by host URL. + + +This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. -If you disable or don't configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. +If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. -> [!Note] -> Wild card characters can't be used when specifying the host URLs. +Note: Wild card characters cannot be used when specifying the host URLs. + - + + + - -ADMX Info: -- GP Friendly name: *Approved Installation Sites for ActiveX Controls* -- GP name: *ApprovedActiveXInstallSites* -- GP path: *Windows Components/ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | ApprovedActiveXInstallSites | +| Friendly Name | Approved Installation Sites for ActiveX Controls | +| Location | Computer Configuration | +| Path | Windows Components > ActiveX Installer Service | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\AxInstaller | +| Registry Value Name | ApprovedList | +| ADMX File Name | ActiveXInstallService.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index b22227cbb1..1d15012471 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -1,95 +1,101 @@ --- -title: Policy CSP - ADMX_ActiveXInstallService -description: Learn about the Policy CSP - ADMX_ActiveXInstallService. +title: ADMX_ActiveXInstallService Policy CSP +description: Learn more about the ADMX_ActiveXInstallService Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/13/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ActiveXInstallService > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AxISURLZonePolicies - -## ADMX_ActiveXInstallService policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_ActiveXInstallService/AxISURLZonePolicies -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ActiveXInstallService/AxISURLZonePolicies +``` + - -
    - - -**ADMX_ActiveXInstallService/AxISURLZonePolicies** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. -If you disable or don't configure this policy setting, ActiveX controls prompt the user before installation. +If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. -If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If a trusted site has a certificate error but you want to trust it anyway, you can select the certificate errors that you want to ignore. +If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. +Note: This policy setting applies to all sites in Trusted zones. + - + + + - -ADMX Info: -- GP Friendly name: *Establish ActiveX installation policy for sites in Trusted zones* -- GP name: *AxISURLZonePolicies* -- GP path: *Windows Components\ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | AxISURLZonePolicies | +| Friendly Name | Establish ActiveX installation policy for sites in Trusted zones | +| Location | Computer Configuration | +| Path | Windows Components > ActiveX Installer Service | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies | +| ADMX File Name | ActiveXInstallService.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index ea465b599b..c722d8e379 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,702 +1,737 @@ --- -title: Policy CSP - ADMX_AddRemovePrograms -description: Learn about the Policy CSP - ADMX_AddRemovePrograms. +title: ADMX_AddRemovePrograms Policy CSP +description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/13/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AddRemovePrograms > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DefaultCategory - -## Policy CSP - ADMX_AddRemovePrograms + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_AddRemovePrograms/DefaultCategory -
    -
    - ADMX_AddRemovePrograms/NoAddFromCDorFloppy -
    -
    - ADMX_AddRemovePrograms/NoAddFromInternet -
    -
    - ADMX_AddRemovePrograms/NoAddFromNetwork -
    -
    - ADMX_AddRemovePrograms/NoAddPage -
    -
    - ADMX_AddRemovePrograms/NoAddRemovePrograms -
    -
    - ADMX_AddRemovePrograms/NoChooseProgramsPage -
    -
    - ADMX_AddRemovePrograms/NoRemovePage -
    -
    - ADMX_AddRemovePrograms/NoServices -
    -
    - ADMX_AddRemovePrograms/NoSupportInfo -
    -
    - ADMX_AddRemovePrograms/NoWindowsSetupPage -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/DefaultCategory +``` + + + +Specifies the category of programs that appears when users open the "Add New Programs" page. -
    - - -**ADMX_AddRemovePrograms/DefaultCategory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. -If you disable this setting or don't configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they're most likely to need. +If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. -> [!NOTE] -> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. +You can use this setting to direct users to the programs they are most likely to need. - +Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. + - -ADMX Info: -- GP Friendly name: *Specify default category for Add New Programs* -- GP name: *DefaultCategory* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | DefaultCategory | +| Friendly Name | Specify default category for Add New Programs | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| ADMX File Name | AddRemovePrograms.admx | + - - + + + -
    + - -**ADMX_AddRemovePrograms/NoAddFromCDorFloppy** + +## NoAddFromCDorFloppy - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddFromCDorFloppy +``` + + + + +Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. + +If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. + +This setting does not prevent users from using other tools and methods to add or remove program components. + +Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. + + + + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoAddFromCDorFloppy | +| Friendly Name | Hide the "Add a program from CD-ROM or floppy disk" option | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddFromCDorFloppy | +| ADMX File Name | AddRemovePrograms.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## NoAddFromInternet -This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This feature removal prevents users from using Add or Remove Programs to install programs from removable media. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable this setting or don't configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting doesn't prevent users from using other tools and methods to add or remove program components. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddFromInternet +``` + -> [!NOTE] -> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users can't add programs from removable media, regardless of this setting. + + +Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. + +If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. + +This setting does not prevent users from using other tools and methods to connect to Windows Update. + +Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the "Add a program from CD-ROM or floppy disk" option* -- GP name: *NoAddFromCDorFloppy* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoAddFromInternet | +| Friendly Name | Hide the "Add programs from Microsoft" option | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddFromInternet | +| ADMX File Name | AddRemovePrograms.admx | + - - + + + - - + - - + +## NoAddFromNetwork + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddFromNetwork +``` + -
    + + +Prevents users from viewing or installing published programs. + +This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. + +Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. + +If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If you disable this setting or do not configure it, "Add programs from your network" is available to all users. + +Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + - -**ADMX_AddRemovePrograms/NoAddFromInternet** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoAddFromNetwork | +| Friendly Name | Hide the "Add programs from your network" option | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddFromNetwork | +| ADMX File Name | AddRemovePrograms.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## NoAddPage -This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable this setting or don't configure it, "Add programs from Microsoft" is available to all users. This setting doesn't prevent users from using other tools and methods to connect to Windows Update. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddPage +``` + -> [!NOTE] -> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +Removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. + +The Add New Programs button lets users install programs published or assigned by a system administrator. + +If you disable this setting or do not configure it, the Add New Programs button is available to all users. - +This setting does not prevent users from using other tools and methods to install programs. + + + + - -ADMX Info: -- GP Friendly name: *Hide the "Add programs from Microsoft" option* -- GP name: *NoAddFromInternet* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoAddPage | +| Friendly Name | Hide Add New Programs page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddPage | +| ADMX File Name | AddRemovePrograms.admx | + -
    + + + - -**ADMX_AddRemovePrograms/NoAddFromNetwork** + - + +## NoAddRemovePrograms -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoAddRemovePrograms +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Prevents users from using Add or Remove Programs. -> [!div class = "checklist"] -> * User +This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. + +Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. + +If you disable this setting or do not configure it, Add or Remove Programs is available to all users. + +When enabled, this setting takes precedence over the other settings in this folder. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + -
    + + + - - + +**Description framework properties**: -This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you enable this setting, users can't tell which programs have been published by the system administrator, and they can't use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. +**ADMX mapping**: -If you disable this setting or don't configure it, "Add programs from your network" is available to all users. +| Name | Value | +|:--|:--| +| Name | NoAddRemovePrograms | +| Friendly Name | Remove Add or Remove Programs | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoAddRemovePrograms | +| ADMX File Name | AddRemovePrograms.admx | + -> [!NOTE] -> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + + - + + +## NoChooseProgramsPage - -ADMX Info: -- GP Friendly name: *Hide the "Add programs from your network" option* -- GP name: *NoAddFromNetwork* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoChooseProgramsPage +``` + - - + + +Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. + +The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. + +This setting does not prevent users from using other tools and methods to change program access or defaults. - - +This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. + - - -
    + + + - -**ADMX_AddRemovePrograms/NoAddPage** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoChooseProgramsPage | +| Friendly Name | Hide the Set Program Access and Defaults page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoChooseProgramsPage | +| ADMX File Name | AddRemovePrograms.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## NoRemovePage -This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable this setting or don't configure it, the Add New Programs button is available to all users. This setting doesn't prevent users from using other tools and methods to install programs. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoRemovePage +``` + - + + +Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. + +The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. + +If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. + +This setting does not prevent users from using other tools and methods to delete or uninstall programs. + + + + - -ADMX Info: -- GP Friendly name: *Hide Add New Programs page* -- GP name: *NoAddPage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoRemovePage | +| Friendly Name | Hide Change or Remove Programs page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoRemovePage | +| ADMX File Name | AddRemovePrograms.admx | + -
    + + + - -**ADMX_AddRemovePrograms/NoAddRemovePrograms** + - + +## NoServices + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoServices +``` + - -
    + + +Prevents users from using Add or Remove Programs to configure installed services. + +This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. + +If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. + +This setting does not prevent users from using other methods to configure services. + +Note: When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. + +To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +| Name | Value | +|:--|:--| +| Name | NoServices | +| Friendly Name | Go directly to Components Wizard | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoServices | +| ADMX File Name | AddRemovePrograms.admx | + -If you disable this setting or don't configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting doesn't prevent users from using other tools and methods to install or uninstall programs. + + + - + + + +## NoSupportInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoSupportInfo +``` + + + + +Removes links to the Support Info dialog box from programs on the Change or Remove Programs page. + +Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. + +If you disable this setting or do not configure it, the Support Info hyperlink appears. + +Note: Not all programs provide a support information hyperlink. + - -ADMX Info: -- GP Friendly name: *Remove Add or Remove Programs* -- GP name: *NoAddRemovePrograms* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | NoSupportInfo | +| Friendly Name | Remove Support Information | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoSupportInfo | +| ADMX File Name | AddRemovePrograms.admx | + - -**ADMX_AddRemovePrograms/NoChooseProgramsPage** + + + - + + + +## NoWindowsSetupPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AddRemovePrograms/NoWindowsSetupPage +``` + - -
    + + +Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. -> [!div class = "checklist"] -> * User +If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. + +This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. + -
    + + + - - + +**Description framework properties**: -This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this setting or don't configure it, the **Set Program Access and Defaults** button is available to all users. This setting doesn't prevent users from using other tools and methods to change program access or defaults. This setting doesn't prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWindowsSetupPage | +| Friendly Name | Hide Add/Remove Windows Components page | +| Location | User Configuration | +| Path | Control Panel > Add or Remove Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall | +| Registry Value Name | NoWindowsSetupPage | +| ADMX File Name | AddRemovePrograms.admx | + + + + - -ADMX Info: -- GP Friendly name: *Hide the Set Program Access and Defaults page* -- GP name: *NoChooseProgramsPage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* + - - + + + - - + - - +## Related articles - - - -
    - - -**ADMX_AddRemovePrograms/NoRemovePage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users can't view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. - -If you disable this setting or don't configure it, the Change or Remove Programs page is available to all users. This setting doesn't prevent users from using other tools and methods to delete or uninstall programs. - - - - - -ADMX Info: -- GP Friendly name: *Hide Change or Remove Programs page* -- GP name: *NoRemovePage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* - - - - - - - - - - - - - -
    - - -**ADMX_AddRemovePrograms/NoServices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that haven't been configured and offers users easy access to the configuration tools. - -If you disable this setting or don't configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting doesn't prevent users from using other methods to configure services. - -> [!NOTE] -> When "Set up services" doesn't appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. - - - - - -ADMX Info: -- GP Friendly name: *Go directly to Components Wizard* -- GP name: *NoServices* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* - - - - - - - - - - - - - -
    - - -**ADMX_AddRemovePrograms/NoSupportInfo** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. - -If you disable this setting or don't configure it, the Support Info hyperlink appears. - -> [!NOTE] -> Not all programs provide a support information hyperlink. - - - - -ADMX Info: -- GP Friendly name: *Remove Support Information* -- GP name: *NoSupportInfo* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* - - - - - - - - - - - - - -
    - - -**ADMX_AddRemovePrograms/NoWindowsSetupPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users can't view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. - -If you disable this setting or don't configure it, the Add/Remove Windows Components button is available to all users. This setting doesn't prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. - - - - - -ADMX Info: -- GP Friendly name: *Hide Add/Remove Windows Components page* -- GP name: *NoWindowsSetupPage* -- GP path: *Control Panel/Add or Remove Programs* -- GP ADMX file name: *addremoveprograms.admx* - - - - - - - - - - - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index 10d49435e9..587000d7af 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,234 +1,232 @@ --- -title: Policy CSP - ADMX_AdmPwd -description: Learn about the Policy CSP - ADMX_AdmPwd. +title: ADMX_AdmPwd Policy CSP +description: Learn more about the ADMX_AdmPwd Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AdmPwd > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## POL_AdmPwd - -## ADMX_AdmPwd policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy -
    -
    - ADMX_AdmPwd/POL_AdmPwd_Enabled -
    -
    - ADMX_AdmPwd/POL_AdmPwd_AdminName -
    -
    - ADMX_AdmPwd/POL_AdmPwd -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd +``` + + + + -
    + + +This policy setting enables management of password for local administrator account. +If you enable this setting, local administrator password is managed. +If you disable or not configure this setting, local administrator password is NOT managed. + - -**ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## POL_AdmPwd_AdminName - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd_AdminName +``` + + + + + + + + When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. - + - -ADMX Info: -- GP Friendly name: *Do not allow password expiration time longer than required by policy* -- GP name: *POL_AdmPwd_DontAllowPwdExpirationBehindPolicy* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AdmPwd/POL_AdmPwd_Enabled** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## POL_AdmPwd_DontAllowPwdExpirationBehindPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy +``` + - - + + + + + +When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. + +When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + + + + + + + + + + + +## POL_AdmPwd_Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AdmPwd/POL_AdmPwd_Enabled +``` + + + + + + + + This policy enables the management of password for local administrator account If you enable this setting, local administrator password is managed. If you disable or not configure this setting, local administrator password is NOT managed. - + - -ADMX Info: -- GP Friendly name: *Enable local admin password management* -- GP name: *POL_AdmPwd_Enabled* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_AdmPwd/POL_AdmPwd_AdminName** + + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device +## Related articles -
    - - - - -When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. - -When you disable or don't configure this setting, password expiration time may be longer than required by "Password Settings" policy. - - - - -ADMX Info: -- GP Friendly name: *Name of administrator account to manage* -- GP name: *POL_AdmPwd_AdminName* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* - - - - - -
    - - -**ADMX_AdmPwd/POL_AdmPwd** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting enables management of password for local administrator account - -If you enable this setting, local administrator password is managed - -If you disable or not configure this setting, local administrator password is NOT managed. - - - - - -ADMX Info: -- GP Friendly name: *Password Settings* -- GP name: *POL_AdmPwd* -- GP path: *Windows Components\AdmPwd* -- GP ADMX file name: *AdmPwd.admx* - - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 0bb445f4ed..6f07ebd2bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -1,533 +1,604 @@ --- -title: Policy CSP - ADMX_AppCompat -description: Policy CSP - ADMX_AppCompat +title: ADMX_AppCompat Policy CSP +description: Learn more about the ADMX_AppCompat Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/20/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 08/20/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AppCompat > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## Policy CSP - ADMX_AppCompat + +## AppCompatPrevent16BitMach -
    -
    - ADMX_AppCompat/AppCompatPrevent16BitMach - -
    -
    - ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage - -
    -
    - ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry - -
    -
    - ADMX_AppCompat/AppCompatTurnOffSwitchBack - -
    -
    - ADMX_AppCompat/AppCompatTurnOffEngine - -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 - -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 - -
    -
    - ADMX_AppCompat/AppCompatTurnOffUserActionRecord - -
    -
    - ADMX_AppCompat/AppCompatTurnOffProgramInventory - -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatPrevent16BitMach +``` + -
    + + +Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. - -**ADMX_AppCompat/AppCompatPrevent16BitMach** +You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, ntvdm.exe must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. - -You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. - -If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components can't run. +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. -If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this setting prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. +If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 and downlevel, the OS will allow 16-bit applications to run. -> [!NOTE] -> This setting appears only in Computer Configuration. - +Note: This setting appears in only Computer Configuration. + + + + - -ADMX Info: -- GP Friendly name: *Prevent access to 16-bit applications* -- GP name: *AppCompatPrevent16BitMach* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppCompatPrevent16BitMach | +| Friendly Name | Prevent access to 16-bit applications | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | VDMDisallowed | +| ADMX File Name | AppCompat.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AppCompatRemoveProgramCompatPropPage -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage +``` + - - -This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. + + +This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. -The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. +The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. + -Enabling this policy setting removes the property page from the context-menus, but doesn't affect previous compatibility settings applied to application using this interface. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Remove Program Compatibility Property Page* -- GP name: *AppCompatRemoveProgramCompatPropPage* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | AppCompatRemoveProgramCompatPropPage | +| Friendly Name | Remove Program Compatibility Property Page | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePropPage | +| ADMX File Name | AppCompat.admx | + - -**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AppCompatTurnOffApplicationImpactTelemetry - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -The policy setting controls the state of the Application Telemetry engine in the system. + + +The policy controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. -Turning off Application Telemetry by selecting "enable" will stop the collection of usage data. +Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. -Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, reboot your machine. +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Application Telemetry* -- GP name: *AppCompatTurnOffApplicationImpactTelemetry* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffApplicationImpactTelemetry | +| Friendly Name | Turn off Application Telemetry | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | AITEnable | +| ADMX File Name | AppCompat.admx | + - - + + + -
    + - -**ADMX_AppCompat/AppCompatTurnOffSwitchBack** + +## AppCompatTurnOffEngine - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffEngine +``` + - -
    + + +This policy controls the state of the application compatibility engine in the system. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. + +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old anti-virus application is installed.) + +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. + +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. + +NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffEngine | +| Friendly Name | Turn off Application Compatibility Engine | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisableEngine | +| ADMX File Name | AppCompat.admx | + + + + + + + + + +## AppCompatTurnOffProgramCompatibilityAssistant_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 +``` + - - -The policy setting controls the state of the Switchback compatibility engine in the system. + + +This policy setting controls the state of the Program Compatibility Assistant (PCA). + +The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. -Switchback is a mechanism that provides generic compatibility mitigation to older applications by providing older behavior to old applications and new behavior to new applications. +If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -Switchback is on by default. +Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + -If you enable this policy setting, Switchback will be turned off. Turning off Switchback may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they're using. + + + -If you disable or don't configure this policy setting, the Switchback will be turned on. + +**Description framework properties**: -Reboot the system after changing the setting to ensure that your system accurately reflects those changes. - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Turn off SwitchBack Compatibility Engine* -- GP name: *AppCompatTurnOffSwitchBack* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +**ADMX mapping**: - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffEngine** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the state of the application compatibility engine in the system. - -The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a known problem. - -Turning off the application compatibility engine will boost system performance. However, this turn-off will degrade the compatibility of many popular legacy applications, and won't block known incompatible applications from installing. For example, this prevention of blocking may result in a blue screen if an old anti-virus application is installed. - -The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations won't be applied to applications and their installers and these applications may fail to install or run properly. - -This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they're using. It's useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. - -> [!NOTE] -> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Application Compatibility Engine* -- GP name: *AppCompatTurnOffEngine* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* - - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Program Compatibility Assistant* -- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* - - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. - -If you enable this policy setting, the PCA will be turned off. The user won't be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. - -If you disable or don't configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. - -> [!NOTE] -> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Program Compatibility Assistant* -- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* - - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffUserActionRecord** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the state of Steps Recorder. - -Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. - -If you enable this policy setting, Steps Recorder will be disabled. - -If you disable or don't configure this policy setting, Steps Recorder will be enabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Steps Recorder* -- GP name: *AppCompatTurnOffUserActionRecord* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* - - - - -
    - - -**ADMX_AppCompat/AppCompatTurnOffProgramInventory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramCompatibilityAssistant | +| Friendly Name | Turn off Program Compatibility Assistant | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePCA | +| ADMX File Name | AppCompat.admx | + + + + + + + + + +## AppCompatTurnOffProgramInventory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramInventory +``` + + + + This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. -If you enable this policy setting, the Inventory Collector will be turned off and data won't be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. +If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. -If you disable or don't configure this policy setting, the Inventory Collector will be turned on. +If you disable or do not configure this policy setting, the Inventory Collector will be turned on. -> [!NOTE] -> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. +Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Inventory Collector* -- GP name: *AppCompatTurnOffProgramInventory* -- GP path: *Windows Components/Application Compatibility* -- GP ADMX file name: *AppCompat.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramInventory | +| Friendly Name | Turn off Inventory Collector | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisableInventory | +| ADMX File Name | AppCompat.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + +## AppCompatTurnOffSwitchBack + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffSwitchBack +``` + + + + +The policy controls the state of the Switchback compatibility engine in the system. + +Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. + +Switchback is on by default. + +If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. + +If you disable or do not configure this policy setting, the Switchback will be turned on. + +Please reboot the system after changing the setting to ensure that your system accurately reflects those changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffSwitchBack | +| Friendly Name | Turn off SwitchBack Compatibility Engine | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | SbEnable | +| ADMX File Name | AppCompat.admx | + + + + + + + + + +## AppCompatTurnOffUserActionRecord + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffUserActionRecord +``` + + + + +This policy setting controls the state of Steps Recorder. + +Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screen shots. Steps Recorder includes an option to turn on and off data collection. + +If you enable this policy setting, Steps Recorder will be disabled. + +If you disable or do not configure this policy setting, Steps Recorder will be enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffUserActionRecord | +| Friendly Name | Turn off Steps Recorder | +| Location | Computer Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisableUAR | +| ADMX File Name | AppCompat.admx | + + + + + + + + + +## AppCompatTurnOffProgramCompatibilityAssistant_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramCompatibilityAssistant | +| Friendly Name | Turn off Program Compatibility Assistant | +| Location | User Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePCA | +| ADMX File Name | AppCompat.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 5659355a4b..1e4e2605cd 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,97 +1,107 @@ --- -title: Policy CSP - ADMX_AppxPackageManager -description: Learn about the Policy CSP - ADMX_AppxPackageManager. +title: ADMX_AppxPackageManager Policy CSP +description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/10/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AppxPackageManager - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_AppxPackageManager policies + +## AllowDeploymentInSpecialProfiles -
    -
    - ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles +``` + -
    + + +This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: - -**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** +Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies - +Mandatory user profiles and super-mandatory profiles, which are created by an administrator -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Temporary user profiles, which are created when an error prevents the correct profile from loading - -
    +User profiles for the Guest account and members of the Guests group - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. - -Special profiles are the following user profiles where changes are discarded after the user signs off: - -- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies. -- Mandatory user profiles and super-mandatory profiles, which are created by an administrator. -- Temporary user profiles, which are created when an error prevents the correct profile from loading. -- User profiles for the Guest account and members of the Guests group. If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. -If you disable or don't configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. +If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow deployment operations in special profiles* -- GP name: *AllowDeploymentInSpecialProfiles* -- GP path: *Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowDeploymentInSpecialProfiles | +| Friendly Name | Allow deployment operations in special profiles | +| Location | Computer Configuration | +| Path | Windows Components > App Package Deployment | +| Registry Key Name | Software\Policies\Microsoft\Windows\Appx | +| Registry Value Name | AllowDeploymentInSpecialProfiles | +| ADMX File Name | AppxPackageManager.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index e021af18bf..7186767005 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,245 +1,290 @@ --- -title: Policy CSP - ADMX_AppXRuntime -description: Learn about the Policy CSP - ADMX_AppXRuntime. +title: ADMX_AppXRuntime Policy CSP +description: Learn more about the ADMX_AppXRuntime Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/10/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AppXRuntime > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_AppXRuntime policies + +## AppxRuntimeApplicationContentUriRules -
    -
    - ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockFileElevation -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT -
    -
    - ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules +``` + -
    - - -**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. -If you enable this policy setting, you can define more Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. +If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on dynamic Content URI Rules for Windows store apps* -- GP name: *AppxRuntimeApplicationContentUriRules* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AppxRuntimeApplicationContentUriRules | +| Friendly Name | Turn on dynamic Content URI Rules for Windows store apps | +| Location | Computer Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications | +| Registry Value Name | EnableDynamicContentUriRules | +| ADMX File Name | AppXRuntime.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AppxRuntimeBlockFileElevation -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +``` - - -This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockFileElevation +``` + -If you enable this policy setting, Windows Store apps can't open files in the default desktop app for a file type; they can open files only in other Windows Store apps. + + +This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. -If you disable or don't configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. +If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. - +If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. + - -ADMX Info: -- GP Friendly name: *Block launching desktop apps associated with a file.* -- GP name: *AppxRuntimeBlockFileElevation* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AppxRuntimeBlockFileElevation | +| Friendly Name | Block launching desktop apps associated with a file. | +| Location | Computer and User Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| Registry Value Name | BlockFileElevation | +| ADMX File Name | AppXRuntime.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AppxRuntimeBlockHostedAppAccessWinRT - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT +``` + + + + This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. -If you enable this policy setting, Universal Windows apps that declare Windows Runtime API access in ApplicationContentUriRules section of the manifest can't be launched; Universal Windows apps that haven't declared Windows Runtime API access in the manifest aren't affected. +If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. -If you disable or don't configure this policy setting, all Universal Windows apps can be launched. +If you disable or do not configure this policy setting, all Universal Windows apps can be launched. -> [!WARNING] -> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. +This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. + - + + + - -ADMX Info: -- GP Friendly name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.* -- GP name: *AppxRuntimeBlockHostedAppAccessWinRT* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AppxRuntimeBlockHostedAppAccessWinRT | +| Friendly Name | Block launching Universal Windows apps with Windows Runtime API access from hosted content. | +| Location | Computer Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | BlockHostedAppAccessWinRT | +| ADMX File Name | AppXRuntime.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## AppxRuntimeBlockProtocolElevation -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there's a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +``` -If you enable this policy setting, Windows Store apps can't open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation +``` + -If you disable or don't configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. + + +This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. -> [!NOTE] -> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. +If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. - +If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. - -ADMX Info: -- GP Friendly name: *Block launching desktop apps associated with a URI scheme* -- GP name: *AppxRuntimeBlockProtocolElevation* -- GP path: *Windows Components\App runtime* -- GP ADMX file name: *AppXRuntime.admx* +Note: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. + - - -
    + + + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppxRuntimeBlockProtocolElevation | +| Friendly Name | Block launching desktop apps associated with a URI scheme | +| Location | Computer and User Configuration | +| Path | Windows Components > App runtime | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| Registry Value Name | BlockProtocolElevation | +| ADMX File Name | AppXRuntime.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index f495e736eb..d770e120ae 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,302 +1,355 @@ --- -title: Policy CSP - ADMX_AttachmentManager -description: Learn about the Policy CSP - ADMX_AttachmentManager. +title: ADMX_AttachmentManager Policy CSP +description: Learn more about the ADMX_AttachmentManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/10/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_AttachmentManager > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_AttachmentManager policies + +## AM_EstimateFileHandlerRisk -
    -
    - ADMX_AttachmentManager/AM_EstimateFileHandlerRisk -
    -
    - ADMX_AttachmentManager/AM_SetFileRiskLevel -
    -
    - ADMX_AttachmentManager/AM_SetHighRiskInclusion -
    -
    - ADMX_AttachmentManager/AM_SetLowRiskInclusion -
    -
    - ADMX_AttachmentManager/AM_SetModRiskInclusion -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_EstimateFileHandlerRisk +``` + -
    - - -**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files. -Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation that will cause users to see more trust prompts than choosing the other options. +Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. + +Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -If you don't configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. + - + + + - -ADMX Info: -- GP Friendly name: *Trust logic for file attachments* -- GP name: *AM_EstimateFileHandlerRisk* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AttachmentManager/AM_SetFileRiskLevel** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes +| Name | Value | +|:--|:--| +| Name | AM_EstimateFileHandlerRisk | +| Friendly Name | Trust logic for file attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Attachments | +| ADMX File Name | AttachmentManager.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## AM_SetFileRiskLevel -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetFileRiskLevel +``` + + + + This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. -- High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. -- Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. -- Low Risk: If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. +High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. + +Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. + +Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. If you enable this policy setting, you can specify the default risk level for file types. If you disable this policy setting, Windows sets the default risk level to moderate. -If you don't configure this policy setting, Windows sets the default risk level to moderate. +If you do not configure this policy setting, Windows sets the default risk level to moderate. + - + + + - -ADMX Info: -- GP Friendly name: *Default risk level for file attachments* -- GP name: *AM_SetFileRiskLevel* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AttachmentManager/AM_SetHighRiskInclusion** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AM_SetFileRiskLevel | +| Friendly Name | Default risk level for file attachments | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## AM_SetHighRiskInclusion -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetHighRiskInclusion +``` + + + + This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can create a custom list of high-risk file types. If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. -If you don't configure this policy setting, Windows uses its built-in list of high-risk file types. +If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. + - + + + - -ADMX Info: -- GP Friendly name: *Inclusion list for high risk file types* -- GP name: *AM_SetHighRiskInclusion* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AttachmentManager/AM_SetLowRiskInclusion** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AM_SetHighRiskInclusion | +| Friendly Name | Inclusion list for high risk file types | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## AM_SetLowRiskInclusion -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows won't prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetLowRiskInclusion +``` + + + + +This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). If you enable this policy setting, you can specify file types that pose a low risk. If you disable this policy setting, Windows uses its default trust logic. -If you don't configure this policy setting, Windows uses its default trust logic. +If you do not configure this policy setting, Windows uses its default trust logic. + - + + + - -ADMX Info: -- GP Friendly name: *Inclusion list for low file types* -- GP name: *AM_SetLowRiskInclusion* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_AttachmentManager/AM_SetModRiskInclusion** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AM_SetLowRiskInclusion | +| Friendly Name | Inclusion list for low file types | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## AM_SetModRiskInclusion -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AttachmentManager/AM_SetModRiskInclusion +``` + + + + This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can specify file types that pose a moderate risk. +If you enable this policy setting, you can specify file types which pose a moderate risk. If you disable this policy setting, Windows uses its default trust logic. -If you don't configure this policy setting, Windows uses its default trust logic. +If you do not configure this policy setting, Windows uses its default trust logic. + - + + + - -ADMX Info: -- GP Friendly name: *Inclusion list for moderate risk file types* -- GP name: *AM_SetModRiskInclusion* -- GP path: *Windows Components\Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | AM_SetModRiskInclusion | +| Friendly Name | Inclusion list for moderate risk file types | +| Location | User Configuration | +| Path | Windows Components > Attachment Manager | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Associations | +| ADMX File Name | AttachmentManager.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index ba2080b6b3..92935c8022 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,94 +1,102 @@ --- -title: Policy CSP - ADMX_AuditSettings -description: Learn about the Policy CSP - ADMX_AuditSettings. +title: ADMX_AuditSettings Policy CSP +description: Learn more about the ADMX_AuditSettings Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - ADMX_AuditSettings. + + + +# Policy CSP - ADMX_AuditSettings > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_AuditSettings policies + +## IncludeCmdLine -
    -
    - ADMX_AuditSettings/IncludeCmdLine -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_AuditSettings/IncludeCmdLine +``` + -
    + + +This policy setting determines what information is logged in security audit events when a new process has been created. - -**ADMX_AuditSettings/IncludeCmdLine** +This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. - +If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Default: Not configured - -
    +Note: When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. +**ADMX mapping**: -If you disable or don't configure this policy setting, the process's command line information won't be included in Audit Process Creation events. +| Name | Value | +|:--|:--| +| Name | IncludeCmdLine | +| Friendly Name | Include command line in process creation events | +| Location | Computer Configuration | +| Path | System > Audit Process Creation | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit | +| Registry Value Name | ProcessCreationIncludeCmdLine_Enabled | +| ADMX File Name | AuditSettings.admx | + -Default is Not configured. + + + -> [!NOTE] -> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. + - + + + - -ADMX Info: -- GP Friendly name: *Include command line in process creation events* -- GP name: *IncludeCmdLine* -- GP path: *System/Audit Process Creation* -- GP ADMX file name: *AuditSettings.admx* + - - -
    +## Related articles - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index d60708eecf..95a1a7793a 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,785 +1,904 @@ --- -title: Policy CSP - ADMX_Bits -description: Learn about the Policy CSP - ADMX_Bits. +title: ADMX_Bits Policy CSP +description: Learn more about the ADMX_Bits Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/20/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Bits > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Bits policies + +## BITS_DisableBranchCache -
    -
    - ADMX_Bits/BITS_DisableBranchCache -
    -
    - ADMX_Bits/BITS_DisablePeercachingClient -
    -
    - ADMX_Bits/BITS_DisablePeercachingServer -
    -
    - ADMX_Bits/BITS_EnablePeercaching -
    -
    - ADMX_Bits/BITS_MaxBandwidthServedForPeers -
    -
    - ADMX_Bits/BITS_MaxBandwidthV2_Maintenance -
    -
    - ADMX_Bits/BITS_MaxBandwidthV2_Work -
    -
    - ADMX_Bits/BITS_MaxCacheSize -
    -
    - ADMX_Bits/BITS_MaxContentAge -
    -
    - ADMX_Bits/BITS_MaxDownloadTime -
    -
    - ADMX_Bits/BITS_MaxFilesPerJob -
    -
    - ADMX_Bits/BITS_MaxJobsPerMachine -
    -
    - ADMX_Bits/BITS_MaxJobsPerUser -
    -
    - ADMX_Bits/BITS_MaxRangesPerFile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_DisableBranchCache +``` + -
    - - -**ADMX_Bits/BITS_DisableBranchCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. -If you enable this policy setting, the BITS client doesn't use Windows Branch Cache. +If you enable this policy setting, the BITS client does not use Windows Branch Cache. -If you disable or don't configure this policy setting, the BITS client uses Windows Branch Cache. +If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. -> [!NOTE] -> This policy setting doesn't affect the use of Windows Branch Cache by applications other than BITS. This policy setting doesn't apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. +Note: This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow the BITS client to use Windows Branch Cache* -- GP name: *BITS_DisableBranchCache* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_DisablePeercachingClient** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_DisableBranchCache | +| Friendly Name | Do not allow the BITS client to use Windows Branch Cache | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | DisableBranchCache | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_DisablePeercachingClient -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_DisablePeercachingClient +``` + + + + This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. -If you disable or don't configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. +If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. -> [!NOTE] -> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. +Note: This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow the computer to act as a BITS Peercaching client* -- GP name: *BITS_DisablePeercachingClient* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_DisablePeercachingServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_DisablePeercachingClient | +| Friendly Name | Do not allow the computer to act as a BITS Peercaching client | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | DisablePeerCachingClient | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_DisablePeercachingServer -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_DisablePeercachingServer +``` + - - + + This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. -If you disable or don't configure this policy setting, the computer will offer downloaded and cached files to its peers. +If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. -> [!NOTE] -> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. +Note: This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow the computer to act as a BITS Peercaching server* -- GP name: *BITS_DisablePeercachingServer* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Bits/BITS_EnablePeercaching** +| Name | Value | +|:--|:--| +| Name | BITS_DisablePeercachingServer | +| Friendly Name | Do not allow the computer to act as a BITS Peercaching server | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | DisablePeerCachingServer | +| ADMX File Name | Bits.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## BITS_EnablePeercaching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_EnablePeercaching +``` + -
    - - - + + This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. -If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When a download job is being transferred, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. +If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. -If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it's possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. +If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. -If you disable or don't configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. +If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow BITS Peercaching* -- GP name: *BITS_EnablePeercaching* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Bits/BITS_MaxBandwidthServedForPeers** +| Name | Value | +|:--|:--| +| Name | BITS_EnablePeercaching | +| Friendly Name | Allow BITS Peercaching | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| Registry Value Name | EnablePeercaching | +| ADMX File Name | Bits.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## BITS_MaxBandwidthServedForPeers - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting doesn't affect transfers from the origin server). - -To prevent any negative impact to a computer caused by serving other peers, by default, BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100-Mbps network card and a 56-Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxBandwidthServedForPeers +``` + + + +This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). +To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. -If you disable this policy setting or don't configure it, the default value of 30 percent of the slowest active network interface will be used. +If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. -> [!NOTE] -> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. +Note: This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. + - + + + - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth used for Peercaching* -- GP name: *BITS_MaxBandwidthServedForPeers* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_MaxBandwidthV2_Maintenance** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidthServedForPeers | +| Friendly Name | Limit the maximum network bandwidth used for Peercaching | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_MaxBandwidthV2_Maintenance -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxBandwidthV2_Maintenance +``` + + + + This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. -If you disable or don't configure this policy setting, the limits defined for work or non-work schedules will be used. +If you disable or do not configure this policy setting, the limits defined for work or nonwork schedules will be used. -> [!NOTE] -> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. +Note: The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. + - + + + - -ADMX Info: -- GP Friendly name: *Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers* -- GP name: *BITS_MaxBandwidthV2_Maintenance* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_MaxBandwidthV2_Work** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidthV2_Maintenance | +| Friendly Name | Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\Throttling | +| Registry Value Name | EnableMaintenanceLimits | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxBandwidthV2_Work -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxBandwidthV2_Work +``` + - - -This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that aren't defined in a work schedule are considered non-work hours. + + +This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and nonwork days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. -If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. +If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. -You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours. +You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers. +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. + - + + + - -ADMX Info: -- GP Friendly name: *Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers* -- GP name: *BITS_MaxBandwidthV2_Work* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_MaxCacheSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidthV2_Work | +| Friendly Name | Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\Throttling | +| Registry Value Name | EnableBandwidthLimits | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxCacheSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxCacheSize +``` + - - + + This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. -If you disable or don't configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. +If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. -> [!NOTE] -> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. +Note: This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + - + + + - -ADMX Info: -- GP Friendly name: *Limit the BITS Peercache size* -- GP name: *BITS_MaxCacheSize* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_MaxContentAge** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_MaxCacheSize | +| Friendly Name | Limit the BITS Peercache size | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_MaxContentAge -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default, BITS removes any files in the peer cache that haven't been accessed in the past 90 days. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxContentAge +``` + + + + +This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. -If you disable or don't configure this policy setting, files that haven't been accessed for the past 90 days will be removed from the peer cache. +If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. -> [!NOTE] -> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. +Note: This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. + - + +Available in the latest Windows 10 Insider Preview Build. + - -ADMX Info: -- GP Friendly name: *Limit the age of files in the BITS Peercache* -- GP name: *BITS_MaxContentAge* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Bits/BITS_MaxDownloadTime** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BITS_MaxContentAge | +| Friendly Name | Limit the age of files in the BITS Peercache | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## BITS_MaxDownloadTime -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxDownloadTime +``` + + + + This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. -By default, BITS uses a maximum download time of 90 days (7,776,000 seconds). +By default BITS uses a maximum download time of 90 days (7,776,000 seconds). If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. -If you disable or don't configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. +If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum BITS job download time* -- GP name: *BITS_MaxDownloadTime* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_MaxFilesPerJob** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxDownloadTime | +| Friendly Name | Limit the maximum BITS job download time | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxFilesPerJob -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxFilesPerJob +``` + - - -This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS job can contain. + + +This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. -If you disable or don't configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. +If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. -> [!NOTE] -> BITS Jobs created by services and the local administrator account don't count toward this limit. +Note: BITS Jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of files allowed in a BITS job* -- GP name: *BITS_MaxFilesPerJob* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_MaxJobsPerMachine** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxFilesPerJob | +| Friendly Name | Limit the maximum number of files allowed in a BITS job | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxJobsPerMachine -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxJobsPerMachine +``` + - - + + This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. -If you disable or don't configure this policy setting, BITS will use the default BITS job limit of 300 jobs. +If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. -> [!NOTE] -> BITS jobs created by services and the local administrator account don't count toward this limit. +Note: BITS jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of BITS jobs for this computer* -- GP name: *BITS_MaxJobsPerMachine* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_MaxJobsPerUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxJobsPerMachine | +| Friendly Name | Limit the maximum number of BITS jobs for this computer | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxJobsPerUser -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxJobsPerUser +``` + - - + + This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. -If you disable or don't configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. +If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. -> [!NOTE] -> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account don't count toward this limit. +Note: This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of BITS jobs for each user* -- GP name: *BITS_MaxJobsPerUser* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Bits/BITS_MaxRangesPerFile** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxJobsPerUser | +| Friendly Name | Limit the maximum number of BITS jobs for each user | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## BITS_MaxRangesPerFile -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Bits/BITS_MaxRangesPerFile +``` + - - + + This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. -If you disable or don't configure this policy setting, BITS will limit ranges to 500 ranges per file. +If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. -> [!NOTE] -> BITS Jobs created by services and the local administrator account don't count toward this limit. +Note: BITS Jobs created by services and the local administrator account do not count toward this limit. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit the maximum number of ranges that can be added to the file in a BITS job* -- GP name: *BITS_MaxRangesPerFile* -- GP path: *Network\Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BITS_MaxRangesPerFile | +| Friendly Name | Limit the maximum number of ranges that can be added to the file in a BITS job | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 8b03be11b7..0ac3866b6f 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,155 +1,168 @@ --- -title: Policy CSP - ADMX_CipherSuiteOrder -description: Learn about the Policy CSP - ADMX_CipherSuiteOrder. +title: ADMX_CipherSuiteOrder Policy CSP +description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CipherSuiteOrder > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CipherSuiteOrder policies + +## SSLCipherSuiteOrder -
    -
    - ADMX_CipherSuiteOrder/SSLCipherSuiteOrder -
    -
    - ADMX_CipherSuiteOrder/SSLCurveOrder -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CipherSuiteOrder/SSLCipherSuiteOrder +``` + -
    - - -**ADMX_CipherSuiteOrder/SSLCipherSuiteOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). If you enable this policy setting, SSL cipher suites are prioritized in the order specified. If you disable or do not configure this policy setting, default cipher suite order is used. -For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel). +Link for all the cipherSuites: + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *SSL Cipher Suite Order* -- GP name: *SSLCipherSuiteOrder* -- GP path: *Network/SSL Configuration Settings* -- GP ADMX file name: *CipherSuiteOrder.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_CipherSuiteOrder/SSLCurveOrder** +| Name | Value | +|:--|:--| +| Name | SSLCipherSuiteOrder | +| Friendly Name | SSL Cipher Suite Order | +| Location | Computer Configuration | +| Path | Network > SSL Configuration Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 | +| ADMX File Name | CipherSuiteOrder.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SSLCurveOrder - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CipherSuiteOrder/SSLCurveOrder +``` + -
    - - - + + This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. -If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. +If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) If you disable or do not configure this policy setting, the default ECC curve order is used. -The default curve order is as follows: +Default Curve Order + +curve25519 +NistP256 +NistP384 -- curve25519 -- NistP256 -- NistP384 +To See all the curves supported on the system, Use the following command: -To see all the curves supported on the system, enter the following command: - -``` cmd CertUtil.exe -DisplayEccCurve -``` + - + + + - -ADMX Info: -- GP Friendly name: *ECC Curve Order* -- GP name: *SSLCurveOrder* -- GP path: *Network/SSL Configuration Settings* -- GP ADMX file name: *CipherSuiteOrder.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | SSLCurveOrder | +| Friendly Name | ECC Curve Order | +| Location | Computer Configuration | +| Path | Network > SSL Configuration Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 | +| ADMX File Name | CipherSuiteOrder.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index e98e447d36..8b8b45a109 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,148 +1,166 @@ --- -title: Policy CSP - ADMX_COM -description: Learn about the Policy CSP - ADMX_COM. +title: ADMX_COM Policy CSP +description: Learn more about the ADMX_COM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_COM > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_COM policies + +## AppMgmt_COM_SearchForCLSID_2 -
    -
    - ADMX_COM/AppMgmt_COM_SearchForCLSID_1 -
    -
    - ADMX_COM/AppMgmt_COM_SearchForCLSID_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_COM/AppMgmt_COM_SearchForCLSID_2 +``` + -
    - - -**ADMX_COM/AppMgmt_COM_SearchForCLSID_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components. +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly. +If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Download missing COM components* -- GP name: *AppMgmt_COM_SearchForCLSID_1* -- GP path: *System* -- GP ADMX file name: *COM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_COM/AppMgmt_COM_SearchForCLSID_2** +| Name | Value | +|:--|:--| +| Name | AppMgmt_COM_SearchForCLSID | +| Friendly Name | Download missing COM components | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\App Management | +| Registry Value Name | COMClassStore | +| ADMX File Name | COM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AppMgmt_COM_SearchForCLSID_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_COM/AppMgmt_COM_SearchForCLSID_1 +``` + -
    - - - + + This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs can't perform all their functions unless Windows has internally registered the required components. +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it's found, downloads it. The resulting searches might make some programs start or run slowly. +If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or don't configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + - -ADMX Info: -- GP Friendly name: *Download missing COM components* -- GP name: *AppMgmt_COM_SearchForCLSID_2* -- GP path: *System* -- GP ADMX file name: *COM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | AppMgmt_COM_SearchForCLSID | +| Friendly Name | Download missing COM components | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\App Management | +| Registry Value Name | COMClassStore | +| ADMX File Name | COM.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 859b2de089..721c8e5306 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,273 +1,306 @@ --- -title: Policy CSP - ADMX_ControlPanel -description: Learn about the Policy CSP - ADMX_ControlPanel. +title: ADMX_ControlPanel Policy CSP +description: Learn more about the ADMX_ControlPanel Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/05/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ControlPanel > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_ControlPanel policies + +## DisallowCpls -
    -
    - ADMX_ControlPanel/DisallowCpls -
    -
    - ADMX_ControlPanel/ForceClassicControlPanel -
    -
    - ADMX_ControlPanel/NoControlPanel -
    -
    - ADMX_ControlPanel/RestrictCpls -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/DisallowCpls +``` + -
    - - -**ADMX_ControlPanel/DisallowCpls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. -> [!NOTE] -> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". +Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. -> [!NOTE] -> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -> ->To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. +Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. - +Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + + + + - -ADMX Info: -- GP Friendly name: *Hide specified Control Panel items* -- GP name: *DisallowCpls* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanel/ForceClassicControlPanel** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisallowCpls | +| Friendly Name | Hide specified Control Panel items | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisallowCpl | +| ADMX File Name | ControlPanel.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## ForceClassicControlPanel -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/ForceClassicControlPanel +``` + + + + This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. If this policy setting is disabled, the Control Panel opens to the category view. -If this policy setting isn't configured, the Control Panel opens to the view used in the last Control Panel session. +If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. +Note: Icon size is dependent upon what the user has set it to in the previous session. + -> [!NOTE] -> Icon size is dependent upon what the user has set it to in the previous session. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Always open All Control Panel Items when opening Control Panel* -- GP name: *ForceClassicControlPanel* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_ControlPanel/NoControlPanel** +| Name | Value | +|:--|:--| +| Name | ForceClassicControlPanel | +| Friendly Name | Always open All Control Panel Items when opening Control Panel | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceClassicControlPanel | +| ADMX File Name | ControlPanel.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NoControlPanel - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/NoControlPanel +``` + -
    + + +Disables all Control Panel programs and the PC settings app. - - -Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app. - -This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users can't start Control Panel or PC settings, or run any of their items. +This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items. This setting removes Control Panel from: - -- The Start screen -- File Explorer +The Start screen +File Explorer This setting removes PC settings from: - -- The Start screen -- Settings charm -- Account picture -- Search results +The Start screen +Settings charm +Account picture +Search results If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action. + - + + +Available in the latest Windows 10 Insider Preview Build. + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit access to Control Panel and PC settings* -- GP name: *NoControlPanel* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ControlPanel/RestrictCpls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoControlPanel | +| Friendly Name | Prohibit access to Control Panel and PC settings | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoControlPanel | +| ADMX File Name | ControlPanel.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictCpls -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanel/RestrictCpls +``` + - - -This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those items you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. + + +This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. -> [!NOTE] -> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". +Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. -> [!NOTE] -> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -> -> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. +Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. - +Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. + - -ADMX Info: -- GP Friendly name: *Show only specified Control Panel items* -- GP name: *RestrictCpls* -- GP path: *Control Panel* -- GP ADMX file name: *ControlPanel.admx* + + + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictCpls | +| Friendly Name | Show only specified Control Panel items | +| Location | User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | RestrictCpl | +| ADMX File Name | ControlPanel.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 059b11b086..324a63ed77 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,664 +1,968 @@ --- -title: Policy CSP - ADMX_ControlPanelDisplay -description: Learn about the Policy CSP - ADMX_ControlPanelDisplay. +title: ADMX_ControlPanelDisplay Policy CSP +description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/05/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ControlPanelDisplay > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -
    - - -## ADMX_ControlPanelDisplay policies - -
    -
    - ADMX_ControlPanelDisplay/CPL_Display_Disable -
    -
    - ADMX_ControlPanelDisplay/CPL_Display_HideSettings -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle -
    -
    - ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground -
    -
    - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Display_Disable** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting disables the Display Control Panel. - -If you enable this setting, the Display Control Panel doesn't run. When users try to start Display, a message appears explaining that a setting prevents the action. - -Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. - - - - - -ADMX Info: -- GP Friendly name: *Disable the Display Control Panel* -- GP name: *CPL_Display_Disable* -- GP path: *Control Panel\Display* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Display_HideSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_ForceDefaultLockScreen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting removes the Settings tab from Display in Control Panel. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +``` + + + + +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. + +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). -This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as \\Server\Share\Corp.jpg. - +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. +Note: This setting only applies to Enterprise, Education, and Server SKUs. + - -ADMX Info: -- GP Friendly name: *Hide Settings tab* -- GP name: *CPL_Display_HideSettings* -- GP path: *Control Panel\Display* -- GP ADMX file name: *ControlPanelDisplay.admx* + + + - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting forces the theme color scheme to be the default color scheme. - -If you enable this setting, a user can't change the color scheme of the current desktop theme. - -If you disable or don't configure this setting, a user may change the color scheme of the current desktop theme. - -For Windows 7 and later, use the "Prevent changing color and appearance" setting. - - - - -ADMX Info: -- GP Friendly name: *Prevent changing color scheme* -- GP name: *CPL_Personalization_DisableColorSchemeChoice* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting disables the theme gallery in the Personalization Control Panel. - -If you enable this setting, users can't change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). - -If you disable or don't configure this setting, there's no effect. - -> [!NOTE] -> If you enable this setting but don't specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. - - - - -ADMX Info: -- GP Friendly name: *Prevent changing theme* -- GP name: *CPL_Personalization_DisableThemeChange* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. - -When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. - -When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. - - - - -ADMX Info: -- GP Friendly name: *Prevent changing visual style for windows and buttons* -- GP name: *CPL_Personalization_DisableVisualStyle* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting enables desktop screen savers. - -If you disable this setting, screen savers don't run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users can't change the screen saver options. - -If you don't configure it, this setting has no effect on the system. - -If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. - -Also, see the "Prevent changing Screen Saver" setting. - - - - -ADMX Info: -- GP Friendly name: *Enable screen saver* -- GP name: *CPL_Personalization_EnableScreenSaver* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting allows you to force a specific default lock screen and sign-in image by entering the path (location) of the image file. The same image will be used for both the lock and sign-in screens. - -This setting lets you specify the default lock screen and sign-in image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). - -To use this setting, type the fully qualified path and name of the file that stores the default lock screen and sign-in image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`. - -This setting can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and sign-in image to be shown. - ->[!NOTE] -> This setting only applies to Enterprise, Education, and Server SKUs. - - - - - -ADMX Info: -- GP Friendly name: *Force a specific default lock screen and logon image* -- GP name: *CPL_Personalization_ForceDefaultLockScreen* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting prevents users from changing the size of the font in the windows and buttons displayed on their screens. - -If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. - -If you disable or don't configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. - - - - -ADMX Info: -- GP Friendly name: *Prohibit selection of visual style font size* -- GP name: *CPL_Personalization_LockFontSize* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Prevents users from changing the background image shown when the machine is locked or when on the sign-in screen. - -By default, users can change the background image shown when the machine is locked or displaying the sign-in screen. - -If you enable this setting, the user won't be able to change their lock screen and sign-in image, and they'll instead see the default image. - - - - -ADMX Info: -- GP Friendly name: *Prevent changing lock screen and logon image* -- GP name: *CPL_Personalization_NoChangingLockScreen* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting prevents users from changing the look of their start menu background, such as its color or accent. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ForceDefaultLockScreen | +| Friendly Name | Force a specific default lock screen and logon image | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_NoChangingLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +``` + + + + +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. + +By default, users can change the background image shown when the machine is locked or displaying the logon screen. + +If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoChangingLockScreen | +| Friendly Name | Prevent changing lock screen and logon image | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingLockScreen | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_NoChangingStartMenuBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +``` + + + + +Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. -If you enable this setting, the user will be assigned the default start menu background and colors and won't be allowed to change them. +If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing start menu background* -- GP name: *CPL_Personalization_NoChangingStartMenuBackground* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoChangingStartMenuBackground | +| Friendly Name | Prevent changing start menu background | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingStartMenuBackground | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoLockScreen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature isn't available. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +``` + -This setting also prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. + + +This policy setting controls whether the lock screen appears for users. + +If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + +If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + + + + +Available in the latest Windows 10 Insider Preview Build. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreen | +| Friendly Name | Do not display the lock screen | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreen | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_PersonalColors + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +``` + + + + +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +By default, users can change the background and accent colors. + +If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_PersonalColors | +| Friendly Name | Force a specific background and accent color | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_SetTheme + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +``` + + + + +Specifies which theme file is applied to the computer the first time a user logs on. + +If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. + +If you disable or do not configure this setting, the default theme will be applied at the first logon. + + + + +Available in the latest Windows 10 Insider Preview Build. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetTheme | +| Friendly Name | Load a specific theme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_StartBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +``` + + + + +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + +If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_StartBackground | +| Friendly Name | Force a specific Start background | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Display_Disable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Display_Disable +``` + + + + +Disables the Display Control Panel. + +If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. + +Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Display_Disable | +| Friendly Name | Disable the Display Control Panel | +| Location | User Configuration | +| Path | Control Panel > Display | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispCPL | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Display_HideSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Display_HideSettings +``` + + + + +Removes the Settings tab from Display in Control Panel. + +This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Display_HideSettings | +| Friendly Name | Hide Settings tab | +| Location | User Configuration | +| Path | Control Panel > Display | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispSettingsPage | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_DisableColorSchemeChoice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice +``` + + + + +This setting forces the theme color scheme to be the default color scheme. + +If you enable this setting, a user cannot change the color scheme of the current desktop theme. + +If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. + +For Windows 7 and later, use the "Prevent changing color and appearance" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_DisableColorSchemeChoice | +| Friendly Name | Prevent changing color scheme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoColorChoice | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_DisableThemeChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange +``` + + + + +This setting disables the theme gallery in the Personalization Control Panel. + +If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). + +If you disable or do not configure this setting, there is no effect. + +Note: If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_DisableThemeChange | +| Friendly Name | Prevent changing theme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoThemesTab | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_DisableVisualStyle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle +``` + + + + +Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. + +When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties. + +When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_DisableVisualStyle | +| Friendly Name | Prevent changing visual style for windows and buttons | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoVisualStyleChoice | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_EnableScreenSaver + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver +``` + + + + +Enables desktop screen savers. + +If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. + +If you do not configure it, this setting has no effect on the system. + +If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. + +Also, see the "Prevent changing Screen Saver" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_EnableScreenSaver | +| Friendly Name | Enable screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| Registry Value Name | ScreenSaveActive | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_LockFontSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize +``` + + + + +Prevents users from changing the size of the font in the windows and buttons displayed on their screens. + +If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. + +If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_LockFontSize | +| Friendly Name | Prohibit selection of visual style font size | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoSizeChoice | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_NoColorAppearanceUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI +``` + + + + +Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. + +This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. -For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the Display in Control Panel. +For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing color and appearance* -- GP name: *CPL_Personalization_NoColorAppearanceUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoColorAppearanceUI | +| Friendly Name | Prevent changing color and appearance | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispAppearancePage | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoDesktopBackgroundUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting prevents users from adding or changing the background design of the desktop. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI +``` + + + + +Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. @@ -666,610 +970,561 @@ If you enable this setting, none of the Desktop Background settings can be chang To specify wallpaper for a group, use the "Desktop Wallpaper" setting. ->[!NOTE] ->You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. +Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. Also, see the "Allow only bitmapped wallpaper" setting. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing desktop background* -- GP name: *CPL_Personalization_NoDesktopBackgroundUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoDesktopBackgroundUI | +| Friendly Name | Prevent changing desktop background | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoChangingWallPaper | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoDesktopIconsUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting prevents users from changing the desktop icons. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI +``` + + + + +Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. If you enable this setting, none of the desktop icons can be changed by the user. For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing desktop icons* -- GP name: *CPL_Personalization_NoDesktopIconsUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoDesktopIconsUI | +| Friendly Name | Prevent changing desktop icons | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispBackgroundPage | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CPL_Personalization_NoMousePointersUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI +``` + -If you enable this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. - -If you disable or don't configure this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. - - - - -ADMX Info: -- GP Friendly name: *Do not display the lock screen* -- GP name: *CPL_Personalization_NoLockScreen* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Available in the latest Windows 10 Insider Preview Build. This setting prevents users from changing the mouse pointers. + + +Prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. + - + + +Available in the latest Windows 10 Insider Preview Build. + - -ADMX Info: -- GP Friendly name: *Prevent changing mouse pointers* -- GP name: *CPL_Personalization_NoMousePointersUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoMousePointersUI | +| Friendly Name | Prevent changing mouse pointers | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingMousePointers | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_NoScreenSaverUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI +``` + -This setting also prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It doesn't prevent a screen saver from running. + + +Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. - +This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. + - -ADMX Info: -- GP Friendly name: *Prevent changing screen saver* -- GP name: *CPL_Personalization_NoScreenSaverUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoScreenSaverUI | +| Friendly Name | Prevent changing screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | NoDispScrSavPage | +| ADMX File Name | ControlPanelDisplay.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## CPL_Personalization_NoSoundSchemeUI - - -This setting prevents users from changing the sound scheme. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI +``` + + + + +Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing sounds* -- GP name: *CPL_Personalization_NoSoundSchemeUI* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoSoundSchemeUI | +| Friendly Name | Prevent changing sounds | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingSoundScheme | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CPL_Personalization_ScreenSaverIsSecure -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure +``` + -By default, users can change the background and accent colors. + + +Determines whether screen savers used on the computer are password protected. -If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users can't change those colors. This setting won't be applied if the specified colors don't meet a contrast ratio of 2:1 with white text. - - - - -ADMX Info: -- GP Friendly name: *Force a specific background and accent color* -- GP name: *CPL_Personalization_PersonalColors* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting determines whether screen savers used on the computer are password protected. - -If you enable this setting, all screen savers are password protected. If you disable this setting, password protection can't be set on any screen saver. +If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. -If you don't configure this setting, users can choose whether or not to set password protection on each screen saver. +If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. -> [!NOTE] -> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. +Note: To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. + - + + + - -ADMX Info: -- GP Friendly name: *Password protect the screen saver* -- GP name: *CPL_Personalization_ScreenSaverIsSecure* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ScreenSaverIsSecure | +| Friendly Name | Password protect the screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| Registry Value Name | ScreenSaverIsSecure | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_ScreenSaverTimeOut -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut +``` + + + + Specifies how much user idle time must elapse before the screen saver is launched. -When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver won't be started. +When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. This setting has no effect under any of the following circumstances: - The setting is disabled or not configured. + - The wait time is set to zero. + - The "Enable Screen Saver" setting is disabled. -- The "Screen saver executable name" setting and the Screen Saver dialog of the client computer's Personalization or Display Control Panel don't specify a valid existing screen saver program on the client. +- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client. When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes. + - + + + - -ADMX Info: -- GP Friendly name: *Screen saver timeout* -- GP name: *CPL_Personalization_ScreenSaverTimeOut* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ScreenSaverTimeOut | +| Friendly Name | Screen saver timeout | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_SetScreenSaver -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This setting specifies the screen saver for the user's desktop. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver +``` + + + + +Specifies the screen saver for the user's desktop. If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. -If you disable this setting or don't configure it, users can select any screen saver. +If you disable this setting or do not configure it, users can select any screen saver. -If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file isn't in the %Systemroot%\System32 directory, type the fully qualified path to the file. +If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. -If the specified screen saver isn't installed on a computer to which this setting applies, the setting is ignored. +If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. -> [!NOTE] -> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers don't run. +Note: This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. + - + + + - -ADMX Info: -- GP Friendly name: *Force specific screen saver* -- GP name: *CPL_Personalization_SetScreenSaver* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetScreenSaver | +| Friendly Name | Force specific screen saver | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Control Panel\Desktop | +| ADMX File Name | ControlPanelDisplay.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## CPL_Personalization_SetVisualStyle -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle +``` + -If you enable this setting, the theme that you specify will be applied when a new user signs in for the first time. This policy doesn't prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first sign in. - -If you disable or don't configure this setting, the default theme will be applied at the first sign in. - - - - -ADMX Info: -- GP Friendly name: *Load a specific theme* -- GP name: *CPL_Personalization_SetTheme* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - -**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. -This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). +This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. -If you disable or don't configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). +If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). -> [!NOTE] -> If this setting is enabled and the file isn't available at user logon, the default visual style is loaded. -> -> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles. -> -> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you can't apply the Windows Classic visual style. +Note: If this setting is enabled and the file is not available at user logon, the default visual style is loaded. - +Note: When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles - -ADMX Info: -- GP Friendly name: *Force a specific visual style file or force Windows Classic* -- GP name: *CPL_Personalization_SetVisualStyle* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +Note: To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. + - - -
    + + + - -**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetVisualStyle | +| Friendly Name | Force a specific visual style file or force Windows Classic | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | ControlPanelDisplay.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + + + -If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + -If this setting is set to a nonzero value, then Start uses the specified background, and users can't change it. If the specified background isn't supported, the default background is used. +## Related articles - - - -ADMX Info: -- GP Friendly name: *Force a specific Start background* -- GP name: *CPL_Personalization_StartBackground* -- GP path: *Control Panel\Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 481b2ebb18..d47c331118 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,92 +1,100 @@ --- -title: Policy CSP - ADMX_Cpls -description: Learn about the Policy CSP - ADMX_Cpls. +title: ADMX_Cpls Policy CSP +description: Learn more about the ADMX_Cpls Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Cpls > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Cpls policies + +## UseDefaultTile -
    -
    - ADMX_Cpls/UseDefaultTile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Cpls/UseDefaultTile +``` + -
    - - -**ADMX_Cpls/UseDefaultTile** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. -> [!NOTE] -> The default account picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg.` The default guest picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg.` If the default pictures do not exist, an empty frame is displayed. +Note: The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. If you disable or do not configure this policy setting, users will be able to customize their account pictures. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Apply the default account picture to all users* -- GP name: *UseDefaultTile* -- GP path: *Control Panel/User Accounts* -- GP ADMX file name: *Cpls.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | UseDefaultTile | +| Friendly Name | Apply the default account picture to all users | +| Location | Computer Configuration | +| Path | Control Panel > User Accounts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | UseDefaultTile | +| ADMX File Name | Cpls.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index ab23b0a57d..8d3b09714a 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,74 +1,49 @@ --- -title: Policy CSP - ADMX_CredentialProviders -description: Learn about the Policy CSP - ADMX_CredentialProviders. +title: ADMX_CredentialProviders Policy CSP +description: Learn more about the ADMX_CredentialProviders Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CredentialProviders > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CredentialProviders policies + +## AllowDomainDelayLock -
    -
    - ADMX_CredentialProviders/AllowDomainDelayLock -
    -
    - ADMX_CredentialProviders/DefaultCredentialProvider -
    -
    - ADMX_CredentialProviders/ExcludedCredentialProviders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock +``` + -
    - - -**ADMX_CredentialProviders/AllowDomainDelayLock** - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. @@ -78,123 +53,180 @@ If you disable this policy setting, a user cannot change the amount of time afte If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow users to select when a password is required when resuming from connected standby* -- GP name: *AllowDomainDelayLock* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_CredentialProviders/DefaultCredentialProvider** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowDomainDelayLock | +| Friendly Name | Allow users to select when a password is required when resuming from connected standby | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowDomainDelayLock | +| ADMX File Name | CredentialProviders.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DefaultCredentialProvider -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/DefaultCredentialProvider +``` + - - + + This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. -If you disable or don't configure this policy setting, the system picks the default credential provider on other user tile. +If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. -> [!NOTE] -> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. +Note: A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. + - + + + - -ADMX Info: -- GP Friendly name: *Assign a default credential provider* -- GP name: *DefaultCredentialProvider* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_CredentialProviders/ExcludedCredentialProviders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DefaultCredentialProvider | +| Friendly Name | Assign a default credential provider | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | CredentialProviders.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExcludedCredentialProviders -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/ExcludedCredentialProviders +``` + - - -This policy setting allows the administrator to exclude the specified credential providers from use during authentication. + + +This policy setting allows the administrator to exclude the specified +credential providers from use during authentication. -> [!NOTE] -> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). +Note: credential providers are used to process and validate user +credentials during logon or when authentication is required. +Windows Vista provides two default credential providers: +Password and Smart Card. An administrator can install additional +credential providers for different sets of credentials +(for example, to support biometric authentication). -If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. +If you enable this policy, an administrator can specify the CLSIDs +of the credential providers to exclude from the set of installed +credential providers available for authentication purposes. If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. + - + + + - -ADMX Info: -- GP Friendly name: *Exclude credential providers* -- GP name: *ExcludedCredentialProviders* -- GP path: *System\Logon* -- GP ADMX file name: *CredentialProviders.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | ExcludedCredentialProviders | +| Friendly Name | Exclude credential providers | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | CredentialProviders.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index eb460250a1..80c055cf2d 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,715 +1,817 @@ --- -title: Policy CSP - ADMX_CredSsp -description: Learn about the Policy CSP - ADMX_CredSsp. +title: ADMX_CredSsp Policy CSP +description: Learn more about the ADMX_CredSsp Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/20/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CredSsp > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CredSsp policies + +## AllowDefaultCredentials -
    -
    - ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/AllowDefaultCredentials -
    -
    - ADMX_CredSsp/AllowEncryptionOracle -
    -
    - ADMX_CredSsp/AllowFreshCredentials -
    -
    - ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/AllowSavedCredentials -
    -
    - ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly -
    -
    - ADMX_CredSsp/DenyDefaultCredentials -
    -
    - ADMX_CredSsp/DenyFreshCredentials -
    -
    - ADMX_CredSsp/DenySavedCredentials -
    -
    - ADMX_CredSsp/RestrictedRemoteAdministration -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowDefaultCredentials +``` + -
    - - -**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). - -This policy setting applies when server authentication was achieved via NTLM. - -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first signing in to Windows). - -If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any machine. - -> [!NOTE] -> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com - - - - - -ADMX Info: -- GP Friendly name: *Allow delegating default credentials with NTLM-only server authentication* -- GP name: *AllowDefCredentialsWhenNTLMOnly* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* - - - -
    - - -**ADMX_CredSsp/AllowDefaultCredentials** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first logging on to Windows). +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows. -If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. FWlink for KB: -https://go.microsoft.com/fwlink/?LinkId=301508 + -> [!NOTE] -> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +Note: The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating default credentials* -- GP name: *AllowDefaultCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowEncryptionOracle** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowDefaultCredentials | +| Friendly Name | Allow delegating default credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowDefaultCredentials | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowDefCredentialsWhenNTLMOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly +``` + + + + +This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. + +Note: The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. + +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowDefCredentialsWhenNTLMOnly | +| Friendly Name | Allow delegating default credentials with NTLM-only server authentication | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowDefCredentialsWhenNTLMOnly | +| ADMX File Name | CredSsp.admx | + + + + + + + + + +## AllowEncryptionOracle + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowEncryptionOracle +``` + + + + +Encryption Oracle Remediation - - This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). -Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. +Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. If you enable this policy setting, CredSSP version support will be selected based on the following options: -- Force Updated Clients: Client applications that use CredSSP won't be able to fall back to the insecure versions and services using CredSSP won't accept unpatched clients. +Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. - > [!NOTE] - > This setting should not be deployed until all remote hosts support the newest version. +**Note**: this setting should not be deployed until all remote hosts support the newest version. -- Mitigated: Client applications that use CredSSP won't be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. +Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. -- Vulnerable: Client applications that use CredSSP will expose the remote servers to attacks by supporting a fallback to the insecure versions and services using CredSSP will accept unpatched clients. +Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. -For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 +For more information about the vulnerability and servicing requirements for protection, see + - + + + - -ADMX Info: -- GP Friendly name: *Encryption Oracle Remediation* -- GP name: *AllowEncryptionOracle* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/AllowFreshCredentials** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | AllowEncryptionOracle | +| Friendly Name | Encryption Oracle Remediation | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowFreshCredentials -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowFreshCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application). +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine. +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. -> [!NOTE] -> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +Note: The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. - +For Example: +TERMSRV/host.humanresources.fabrikam.com +Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating fresh credentials* -- GP name: *AllowFreshCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowFreshCredentials | +| Friendly Name | Allow delegating fresh credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowFreshCredentials | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowFreshCredentialsWhenNTLMOnly - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application). +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine. +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. -> [!NOTE] -> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com +Note: The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating fresh credentials with NTLM-only server authentication* -- GP name: *AllowFreshCredentialsWhenNTLMOnly* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowSavedCredentials** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowFreshCredentialsWhenNTLMOnly | +| Friendly Name | Allow delegating fresh credentials with NTLM-only server authentication | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowFreshCredentialsWhenNTLMOnly | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowSavedCredentials - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowSavedCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of saved credentials isn't permitted to any machine. +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. -> [!NOTE] -> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com +Note: The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating saved credentials* -- GP name: *AllowSavedCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowSavedCredentials | +| Friendly Name | Allow delegating saved credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowSavedCredentials | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowSavedCredentialsWhenNTLMOnly - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). -If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine isn't a member of any domain. If the client is domain-joined, by default, the delegation of saved credentials isn't permitted to any machine. +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. -If you disable this policy setting, delegation of saved credentials isn't permitted to any machine. +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. -> [!NOTE] -> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com +Note: The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. - +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + - -ADMX Info: -- GP Friendly name: *Allow delegating saved credentials with NTLM-only server authentication* -- GP name: *AllowSavedCredentialsWhenNTLMOnly* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_CredSsp/DenyDefaultCredentials** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AllowSavedCredentialsWhenNTLMOnly | +| Friendly Name | Allow delegating saved credentials with NTLM-only server authentication | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowSavedCredentialsWhenNTLMOnly | +| ADMX File Name | CredSsp.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DenyDefaultCredentials - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/DenyDefaultCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's default credentials can't be delegated (default credentials are those credentials that you use when first logging on to Windows). +If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). -If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. -> [!NOTE] -> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +Note: The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. + +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. + - + + + - -ADMX Info: -- GP Friendly name: *Deny delegating default credentials* -- GP name: *DenyDefaultCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/DenyFreshCredentials** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DenyDefaultCredentials | +| Friendly Name | Deny delegating default credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | DenyDefaultCredentials | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DenyFreshCredentials -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/DenyFreshCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can't be delegated (fresh credentials are those credentials that you're prompted for when executing the application). +If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). -If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. -> [!NOTE] -> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +Note: The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. + +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. + - + + + - -ADMX Info: -- GP Friendly name: *Deny delegating fresh credentials* -- GP name: *DenyFreshCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/DenySavedCredentials** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DenyFreshCredentials | +| Friendly Name | Deny delegating fresh credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | DenyFreshCredentials | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DenySavedCredentials -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/DenySavedCredentials +``` + + + + This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's saved credentials can't be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager). +If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). -If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server. +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. -> [!NOTE] -> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN. -> -> For Example: -> -> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine -> - TERMSRV/* Remote Desktop Session Host running on all machines. -> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com +Note: The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. + +For Example: +TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +TERMSRV/* Remote Desktop Session Host running on all machines. +TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. + - + + + - -ADMX Info: -- GP Friendly name: *Deny delegating saved credentials* -- GP name: *DenySavedCredentials* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredSsp/RestrictedRemoteAdministration** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DenySavedCredentials | +| Friendly Name | Deny delegating saved credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | DenySavedCredentials | +| ADMX File Name | CredSsp.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RestrictedRemoteAdministration -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -When the participating applications are running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials aren't delegated. Remote Credential Guard doesn't limit access to resources because it redirects all requests back to the client device. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredSsp/RestrictedRemoteAdministration +``` + + + + +When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. Participating apps: Remote Desktop Client If you enable this policy setting, the following options are supported: -- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. -- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. -- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. +Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. -If you disable or don't configure this policy setting, Restricted Admin and Remote Credential Guard mode aren't enforced and participating apps can delegate credentials to remote devices. +Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. -> [!NOTE] -> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). -> -> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions don't support Remote Credential Guard. +Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. - +If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. - -ADMX Info: -- GP Friendly name: *Restrict delegation of credentials to remote servers* -- GP name: *RestrictedRemoteAdministration* -- GP path: *System\Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* +Note: To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). - - -
    +Note: On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. + + + + - + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictedRemoteAdministration | +| Friendly Name | Restrict delegation of credentials to remote servers | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | RestrictedRemoteAdministration | +| ADMX File Name | CredSsp.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 9aba18f299..5b2471b164 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -1,136 +1,157 @@ --- -title: Policy CSP - ADMX_CredUI -description: Learn about the Policy CSP - ADMX_CredUI. +title: ADMX_CredUI Policy CSP +description: Learn more about the ADMX_CredUI Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CredUI > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CredUI policies + +## EnableSecureCredentialPrompting -
    -
    - ADMX_CredUI/EnableSecureCredentialPrompting -
    -
    - ADMX_CredUI/NoLocalPasswordResetQuestions -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredUI/EnableSecureCredentialPrompting +``` + -
    - - -**ADMX_CredUI/EnableSecureCredentialPrompting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. -> [!NOTE] -> This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled. +Note: This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. -If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism. +If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. -If you disable or don't configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. +If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. + - + + + - -ADMX Info: -- GP Friendly name: *Require trusted path for credential entry* -- GP name: *EnableSecureCredentialPrompting* -- GP path: *Windows Components\Credential User Interface* -- GP ADMX file name: *CredUI.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CredUI/NoLocalPasswordResetQuestions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableSecureCredentialPrompting | +| Friendly Name | Require trusted path for credential entry | +| Location | Computer Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\CredUI | +| Registry Value Name | EnableSecureCredentialPrompting | +| ADMX File Name | CredUI.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NoLocalPasswordResetQuestions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Available in the latest Windows 10 Insider Preview Build. If you turn on this policy setting, local users won’t be able to set up and use security questions to reset their passwords. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_CredUI/NoLocalPasswordResetQuestions +``` + - + + +If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. + + + +Available in the latest Windows 10 Insider Preview Build. + - -ADMX Info: -- GP Friendly name: *Prevent the use of security questions for local accounts* -- GP name: *NoLocalPasswordResetQuestions* -- GP path: *Windows Components\Credential User Interface* -- GP ADMX file name: *CredUI.admx* + +**Description framework properties**: - - -< - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoLocalPasswordResetQuestions | +| Friendly Name | Prevent the use of security questions for local accounts | +| Location | Computer Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | NoLocalPasswordResetQuestions | +| ADMX File Name | CredUI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 80a8a8f0fd..e081be4028 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,246 +1,286 @@ --- -title: Policy CSP - ADMX_CtrlAltDel -description: Learn about the Policy CSP - ADMX_CtrlAltDel. +title: ADMX_CtrlAltDel Policy CSP +description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_CtrlAltDel > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_CtrlAltDel policies + +## DisableChangePassword -
    -
    - ADMX_CtrlAltDel/DisableChangePassword -
    -
    - ADMX_CtrlAltDel/DisableLockComputer -
    -
    - ADMX_CtrlAltDel/DisableTaskMgr -
    -
    - ADMX_CtrlAltDel/NoLogoff -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/DisableChangePassword +``` + -
    - - -**ADMX_CtrlAltDel/DisableChangePassword** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents users from changing their Windows password on demand. -If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del. +If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. -However, users will still be able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. +However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Change Password* -- GP name: *DisableChangePassword* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_CtrlAltDel/DisableLockComputer** +| Name | Value | +|:--|:--| +| Name | DisableChangePassword | +| Friendly Name | Remove Change Password | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableChangePassword | +| ADMX File Name | CtrlAltDel.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableLockComputer - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/DisableLockComputer +``` + -
    - - - + + This policy setting prevents users from locking the system. -While locked, the desktop is hidden and the system can't be used. Only the user who locked the system or the system administrator can unlock it. +While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. -If you enable this policy setting, users can't lock the computer from the keyboard using Ctrl+Alt+Del. +If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del. -If you disable or don't configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. +If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. +Tip:To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Remove Lock Computer* -- GP name: *DisableLockWorkstation* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* +| Name | Value | +|:--|:--| +| Name | DisableLockComputer | +| Friendly Name | Remove Lock Computer | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableLockWorkstation | +| ADMX File Name | CtrlAltDel.admx | + - - -
    + + + - -**ADMX_CtrlAltDel/DisableTaskMgr** - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableTaskMgr - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/DisableTaskMgr +``` + -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents users from starting Task Manager. -Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. +Task Manager (taskmgr.exe) lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. -If you enable this policy setting, users won't be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. +If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. -If you disable or don't configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. +If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Task Manager* -- GP name: *DisableTaskMgr* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_CtrlAltDel/NoLogoff** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableTaskMgr | +| Friendly Name | Remove Task Manager | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableTaskMgr | +| ADMX File Name | CtrlAltDel.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoLogoff -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_CtrlAltDel/NoLogoff +``` + + + + This policy setting disables or removes all menu items and buttons that log the user off the system. -If you enable this policy setting, users won't see the Logoff menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu. +If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. -If you disable or don't configure this policy setting, users can see and select the Logoff menu item when they press Ctrl+Alt+Del. +If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Logoff* -- GP name: *NoLogoff* -- GP path: *System/Ctrl+Alt+Del Options* -- GP ADMX file name: *CtrlAltDel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | NoLogoff | +| Friendly Name | Remove Logoff | +| Location | User Configuration | +| Path | System > Ctrl+Alt+Del Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoLogoff | +| ADMX File Name | CtrlAltDel.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 657cdef18f..5da89c9cb7 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,92 +1,95 @@ --- -title: Policy CSP - ADMX_DataCollection -description: Learn about the Policy CSP - ADMX_DataCollection. +title: ADMX_DataCollection Policy CSP +description: Learn more about the ADMX_DataCollection Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DataCollection -
    - - -## ADMX_DataCollection policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_DataCollection/CommercialIdPolicy -
    -
    + + + + +## CommercialIdPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_DataCollection/CommercialIdPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DataCollection/CommercialIdPolicy +``` + - + + +This policy setting defines the identifier used to uniquely associate this device’s diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. +**ADMX mapping**: -If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. +| Name | Value | +|:--|:--| +| Name | CommercialId | +| Friendly Name | Configure the Commercial ID | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| ADMX File Name | DataCollection.admx | + -If you disable or don't configure this policy setting, then Microsoft won't be able to use this identifier to associate this machine and its telemetry data with your organization. + + + - + + + + - -ADMX Info: -- GP Friendly name: *Configure the Commercial ID* -- GP name: *CommercialIdPolicy* -- GP path: *Windows Components\Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* + - - -
    +## Related articles -> [!NOTE] -> These policies are for upcoming release. - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 16739693a2..23d4e853cd 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,168 +1,174 @@ --- -title: Policy CSP - ADMX_DCOM -description: Learn about the Policy CSP - ADMX_DCOM. +title: ADMX_DCOM Policy CSP +description: Learn more about the ADMX_DCOM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DCOM > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DCOM policies + +## DCOMActivationSecurityCheckAllowLocalList -
    -
    - ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList -
    -
    - ADMX_DCOM/DCOMActivationSecurityCheckExemptionList -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList +``` + -
    + + +Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. - -**ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList** +If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled), DCOM will look for an entry in the locally configured list. - +If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured. + - -
    + + +**NOTE** This policy setting applies to all sites in Trusted zones. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. +**ADMX mapping**: -If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list. +| Name | Value | +|:--|:--| +| Name | DCOMActivationSecurityCheckAllowLocalList | +| Friendly Name | Allow local activation security check exemptions | +| Location | Computer Configuration | +| Path | System > Distributed COM > Application Compatibility Settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DCOM\AppCompat | +| Registry Value Name | AllowLocalActivationSecurityCheckExemptionList | +| ADMX File Name | DCOM.admx | + -If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list. + + + -If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured. + -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. + +## DCOMActivationSecurityCheckExemptionList - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow local activation security check exemptions* -- GP name: *DCOMActivationSecurityCheckAllowLocalList* -- GP path: *Windows Components\AppCompat!AllowLocalActivationSecurityCheckExemptionList* -- GP ADMX file name: *DCOM.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DCOM/DCOMActivationSecurityCheckExemptionList +``` + - - -
    + + +Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. - -**ADMX_DCOM/DCOMActivationSecurityCheckExemptionList** +DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors. - +If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, the appid exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. - -
    +If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Notes: -> [!div class = "checklist"] -> * Device +The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. -
    +If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to re-configure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid. - - -This policy setting allows you to view and change a list of DCOM server application IDs (app IDs), which are exempted from the DCOM Activation security check. -DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. -DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled. -DCOM server application IDs added to this policy must be listed in curly brace format. +DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. Also note, exemptions for DCOM Server Appids added to this list will apply to both 32-bit and 64-bit versions of the server if present. + -For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. -If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors. + + +**NOTE** This policy setting applies to all sites in Trusted zones. + -If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server. -If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local -settings. + +**Description framework properties**: -If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. +**ADMX mapping**: ->[!Note] -> The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. +| Name | Value | +|:--|:--| +| Name | DCOMActivationSecurityCheckExemptionList | +| Friendly Name | Define Activation Security Check exemptions | +| Location | Computer Configuration | +| Path | System > Distributed COM > Application Compatibility Settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DCOM\AppCompat | +| Registry Value Name | ListBox_Support_ActivationSecurityCheckExemptionList | +| ADMX File Name | DCOM.admx | + -This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. + + + -The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. -DCOM servers added to this exemption list are only exempted if their custom launch permissions don't contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. + -> [!NOTE] -> Exemptions for DCOM Server Application IDs added to this list will apply to both 32-bit and 64-bit versions of the server if present. -> -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. + + + - + - -ADMX Info: -- GP Friendly name: *Allow local activation security check exemptions* -- GP name: *DCOMActivationSecurityCheckExemptionList* -- GP path: *Windows Components\AppCompat!ListBox_Support_ActivationSecurityCheckExemptionList* -- GP ADMX file name: *DCOM.admx* +## Related articles - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index 7948964398..fdb4402be8 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,1534 +1,1817 @@ --- -title: Policy CSP - ADMX_Desktop -description: Learn about Policy CSP - ADMX_Desktop. +title: ADMX_Desktop Policy CSP +description: Learn more about the ADMX_Desktop Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Desktop > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Desktop policies + +## NoDesktop -
    -
    - ADMX_Desktop/AD_EnableFilter -
    -
    - ADMX_Desktop/AD_HideDirectoryFolder -
    -
    - ADMX_Desktop/AD_QueryLimit -
    -
    - ADMX_Desktop/ForceActiveDesktopOn -
    -
    - ADMX_Desktop/NoActiveDesktop -
    -
    - ADMX_Desktop/NoActiveDesktopChanges -
    -
    - ADMX_Desktop/NoDesktop -
    -
    - ADMX_Desktop/NoDesktopCleanupWizard -
    -
    - ADMX_Desktop/NoInternetIcon -
    -
    - ADMX_Desktop/NoMyComputerIcon -
    -
    - ADMX_Desktop/NoMyDocumentsIcon -
    -
    - ADMX_Desktop/NoNetHood -
    -
    - ADMX_Desktop/NoPropertiesMyComputer -
    -
    - ADMX_Desktop/NoPropertiesMyDocuments -
    -
    - ADMX_Desktop/NoRecentDocsNetHood -
    -
    - ADMX_Desktop/NoRecycleBinIcon -
    -
    - ADMX_Desktop/NoRecycleBinProperties -
    -
    - ADMX_Desktop/NoSaveSettings -
    -
    - ADMX_Desktop/NoWindowMinimizingShortcuts -
    -
    - ADMX_Desktop/Wallpaper -
    -
    - ADMX_Desktop/sz_ATC_DisableAdd -
    -
    - ADMX_Desktop/sz_ATC_DisableClose -
    -
    - ADMX_Desktop/sz_ATC_DisableDel -
    -
    - ADMX_Desktop/sz_ATC_DisableEdit -
    -
    - ADMX_Desktop/sz_ATC_NoComponents -
    -
    - ADMX_Desktop/sz_AdminComponents_Title -
    -
    - ADMX_Desktop/sz_DB_DragDropClose -
    -
    - ADMX_Desktop/sz_DB_Moving -
    -
    - ADMX_Desktop/sz_DWP_NoHTMLPaper -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop +``` + - -**ADMX_Desktop/AD_EnableFilter** + + +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. - +Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying more filters to search results. +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoDesktop | +| Friendly Name | Hide and disable all items on the desktop | +| Location | Computer and User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDesktop | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## AD_EnableFilter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/AD_EnableFilter +``` + + + + +Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. -If you disable this setting or don't configure it, the filter bar doesn't appear, but users can display it by selecting "Filter" on the "View" menu. +If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. -To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar doesn't appear above the resulting display, on the View menu, click Filter. +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable filter in Find dialog box* -- GP name: *AD_EnableFilter* -- GP path: *Desktop\Active Directory* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/AD_HideDirectoryFolder** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AD_EnableFilter | +| Friendly Name | Enable filter in Find dialog box | +| Location | User Configuration | +| Path | Desktop > Active Directory | +| Registry Key Name | Software\Policies\Microsoft\Windows\Directory UI | +| Registry Value Name | EnableFilter | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AD_HideDirectoryFolder -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/AD_HideDirectoryFolder +``` + - - + + Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. -If you enable this setting, the Active Directory folder doesn't appear in the Network Locations folder. +If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. -If you disable this setting or don't configure it, the Active Directory folder appears in the Network Locations folder. +If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Active Directory folder* -- GP name: *AD_HideDirectoryFolder* -- GP path: *Desktop\Active Directory* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/AD_QueryLimit** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AD_HideDirectoryFolder | +| Friendly Name | Hide Active Directory folder | +| Location | User Configuration | +| Path | Desktop > Active Directory | +| Registry Key Name | Software\Policies\Microsoft\Windows\Directory UI | +| Registry Value Name | HideDirectoryFolder | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AD_QueryLimit -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/AD_QueryLimit +``` + - - -Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those displays in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. + + +Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. -If you disable this setting or don't configure it, the system displays up to 10,000 objects. This screen-display consumes approximately 2 MB of memory or disk space. +If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. This setting is designed to protect the network and the domain controller from the effect of expansive searches. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Maximum size of Active Directory searches* -- GP name: *AD_QueryLimit* -- GP path: *Desktop\Active Directory* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/ForceActiveDesktopOn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AD_QueryLimit | +| Friendly Name | Maximum size of Active Directory searches | +| Location | User Configuration | +| Path | Desktop > Active Directory | +| Registry Key Name | Software\Policies\Microsoft\Windows\Directory UI | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ForceActiveDesktopOn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/ForceActiveDesktopOn +``` + - - + + Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. -> [!NOTE] -> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. +Note: If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. + - + + + - -ADMX Info: -- GP Friendly name: *Enable Active Desktop* -- GP name: *ForceActiveDesktopOn* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoActiveDesktop** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ForceActiveDesktopOn | +| Friendly Name | Enable Active Desktop | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceActiveDesktopOn | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoActiveDesktop -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoActiveDesktop +``` + + + + Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it. +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. -> [!NOTE] -> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. +Note: If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable Active Desktop* -- GP name: *NoActiveDesktop* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoActiveDesktopChanges** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoActiveDesktop | +| Friendly Name | Disable Active Desktop | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoActiveDesktop | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoActiveDesktopChanges -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoActiveDesktopChanges +``` + - - + + Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. -This setting is a comprehensive one that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users can't enable or disable Active Desktop. If Active Desktop is already enabled, users can't add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. +This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit changes* -- GP name: *NoActiveDesktopChanges* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoDesktop** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoActiveDesktopChanges | +| Friendly Name | Prohibit changes | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoActiveDesktopChanges | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoDesktopCleanupWizard -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktopCleanupWizard +``` + -Removing icons and shortcuts doesn't prevent the user from using another method to start the programs or opening the items they represent. - -Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. The removal of the Desktop icon will help prevent users from saving data to the Desktop. - - - - - -ADMX Info: -- GP Friendly name: *Hide and disable all items on the desktop* -- GP name: *NoDesktop* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/NoDesktopCleanupWizard** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Prevents users from using the Desktop Cleanup Wizard. -If you enable this setting, the Desktop Cleanup wizard doesn't automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. +If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. -If you disable this setting or don't configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. +If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. -> [!NOTE] -> When this setting isn't enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. +Note: When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove the Desktop Cleanup Wizard* -- GP name: *NoDesktopCleanupWizard* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoInternetIcon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDesktopCleanupWizard | +| Friendly Name | Remove the Desktop Cleanup Wizard | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDesktopCleanupWizard | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoInternetIcon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoInternetIcon +``` + - - + + Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. -This setting doesn't prevent the user from starting Internet Explorer by using other methods. +This setting does not prevent the user from starting Internet Explorer by using other methods. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Internet Explorer icon on desktop* -- GP name: *NoInternetIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoMyComputerIcon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInternetIcon | +| Friendly Name | Hide Internet Explorer icon on desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetIcon | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMyComputerIcon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoMyComputerIcon +``` + - - + + This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. -If you don't configure this setting, the default is to display Computer as usual. +If you do not configure this setting, the default is to display Computer as usual. -> [!NOTE] -> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents doesn't hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. +Note: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Computer icon on the desktop* -- GP name: *NoMyComputerIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoMyDocumentsIcon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoMyComputerIcon | +| Friendly Name | Remove Computer icon on the desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum | +| Registry Value Name | {20D04FE0-3AEA-1069-A2D8-08002B30309D} | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMyDocumentsIcon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoMyDocumentsIcon +``` + - - + + Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. -This setting doesn't prevent the user from using other methods to gain access to the contents of the My Documents folder. +This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. -This setting doesn't remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. +This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. -> [!NOTE] -> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. +Note: To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. + - + + + - -ADMX Info: -- GP Friendly name: *Remove My Documents icon on the desktop* -- GP name: *NoMyDocumentsIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoNetHood** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoMyDocumentsIcon | +| Friendly Name | Remove My Documents icon on the desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum | +| Registry Value Name | {450D8FBA-AD25-11D0-98A8-0800361B1103} | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoNetHood -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoNetHood +``` + + + + Removes the Network Locations icon from the desktop. -This setting only affects the desktop icon. It doesn't prevent users from connecting to the network or browsing for shared computers on the network. +This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. -> [!NOTE] -> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. +Note: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Network Locations icon on desktop* -- GP name: *NoNetHood* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoPropertiesMyComputer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoNetHood | +| Friendly Name | Hide Network Locations icon on desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNetHood | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPropertiesMyComputer -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoPropertiesMyComputer +``` + - - + + This setting hides Properties on the context menu for Computer. -If you enable this setting, the Properties option won't be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. +If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. -If you disable or don't configure this setting, the Properties option is displayed as usual. +If you disable or do not configure this setting, the Properties option is displayed as usual. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Properties from the Computer icon context menu* -- GP name: *NoPropertiesMyComputer* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoPropertiesMyDocuments** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoPropertiesMyComputer | +| Friendly Name | Remove Properties from the Computer icon context menu | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPropertiesMyComputer | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPropertiesMyDocuments -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoPropertiesMyDocuments +``` + - - + + This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. -If you enable this policy setting, the Properties menu command won't be displayed when the user does any of the following tasks: +If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: -- Right-clicks the My Documents icon. -- Clicks the My Documents icon, and then opens the File menu. -- Clicks the My Documents icon, and then presses ALT+ENTER. +Right-clicks the My Documents icon. +Clicks the My Documents icon, and then opens the File menu. +Clicks the My Documents icon, and then presses ALT+ENTER. -If you disable or don't configure this policy setting, the Properties menu command is displayed. +If you disable or do not configure this policy setting, the Properties menu command is displayed. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Properties from the Documents icon context menu* -- GP name: *NoPropertiesMyDocuments* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoRecentDocsNetHood** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoPropertiesMyDocuments | +| Friendly Name | Remove Properties from the Documents icon context menu | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPropertiesMyDocuments | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoRecentDocsNetHood -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Remote shared folders aren't added to Network Locations whenever you open a document in the shared folder. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoRecentDocsNetHood +``` + -If you disable this setting or don't configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. + + +Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. -If you enable this setting, shared folders aren't added to Network Locations automatically when you open a document in the shared folder. +If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. - +If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. + + + + - -ADMX Info: -- GP Friendly name: *Do not add shares of recently opened documents to Network Locations* -- GP name: *NoRecentDocsNetHood* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoRecycleBinIcon** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoRecentDocsNetHood | +| Friendly Name | Do not add shares of recently opened documents to Network Locations | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRecentDocsNetHood | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoRecycleBinIcon -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoRecycleBinIcon +``` + + + + Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. -This setting doesn't prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. +This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. -> [!NOTE] -> To make changes to this setting effective, you must log off and then log back on. +Note: To make changes to this setting effective, you must log off and then log back on. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Recycle Bin icon from desktop* -- GP name: *NoRecycleBinIcon* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Desktop/NoRecycleBinProperties** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoRecycleBinIcon | +| Friendly Name | Remove Recycle Bin icon from desktop | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum | +| Registry Value Name | {645FF040-5081-101B-9F08-00AA002F954E} | +| ADMX File Name | Desktop.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoRecycleBinProperties -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoRecycleBinProperties +``` + + + + Removes the Properties option from the Recycle Bin context menu. -If you enable this setting, the Properties option won't be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. +If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. -If you disable or don't configure this setting, the Properties option is displayed as usual. +If you disable or do not configure this setting, the Properties option is displayed as usual. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Properties from the Recycle Bin context menu* -- GP name: *NoRecycleBinProperties* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoSaveSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRecycleBinProperties | +| Friendly Name | Remove Properties from the Recycle Bin context menu | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPropertiesRecycleBin | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSaveSettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoSaveSettings +``` + - - + + Prevents users from saving certain changes to the desktop. -If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, aren't saved when users sign out. However, shortcuts placed on the desktop are always saved. +If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Don't save settings at exit* -- GP name: *NoSaveSettings* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/NoWindowMinimizingShortcuts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSaveSettings | +| Friendly Name | Don't save settings at exit | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSaveSettings | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWindowMinimizingShortcuts -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoWindowMinimizingShortcuts +``` + - - + + Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. -If you enable this policy, application windows won't be minimized or restored when the active window is shaken back and forth with the mouse. - -If you disable or don't configure this policy, this window minimizing and restoring gesture will apply. - - - - -ADMX Info: -- GP Friendly name: *Turn off Aero Shake window minimizing mouse gesture* -- GP name: *NoWindowMinimizingShortcuts* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/Wallpaper** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the desktop background ("wallpaper") displayed on all users' desktops. - -This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. - -To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file isn't available when the user logs on, no wallpaper is displayed. Users can't specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users can't change this specification. - -If you disable this setting or don't configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. - -Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. - -> [!NOTE] -> This setting doesn't apply to remote desktop server sessions. - - - - -ADMX Info: -- GP Friendly name: *Desktop Wallpaper* -- GP name: *Wallpaper* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/sz_ATC_DisableAdd** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Prevents users from adding Web content to their Active Desktop. - -This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. This setting doesn't remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. - -Also, see the "Disable all items" setting. - - - - -ADMX Info: -- GP Friendly name: *Prohibit adding items* -- GP name: *sz_ATC_DisableAdd* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/sz_ATC_DisableClose** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Prevents users from removing Web content from their Active Desktop. - -In Active Desktop, you can add items to the desktop but close them so they aren't displayed. - -If you enable this setting, items added to the desktop can't be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. - -> [!NOTE] -> This setting doesn't prevent users from deleting items from their Active Desktop. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit closing items* -- GP name: *sz_ATC_DisableClose* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/sz_ATC_DisableDel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Prevents users from deleting Web content from their Active Desktop. - -This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. - -This setting doesn't prevent users from adding Web content to their Active Desktop. - -Also, see the "Prohibit closing items" and "Disable all items" settings. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit deleting items* -- GP name: *sz_ATC_DisableDel* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/sz_ATC_DisableEdit** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Prevents users from changing the properties of Web content items on their Active Desktop. - -This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users can't change the properties of an item, such as its synchronization schedule, password, or display characteristics. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit editing items* -- GP name: *sz_ATC_DisableEdit* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/sz_ATC_NoComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Removes Active Desktop content and prevents users from adding Active Desktop content. - -This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. - -> [!NOTE] -> This setting doesn't disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. - - - - - -ADMX Info: -- GP Friendly name: *Disable all items* -- GP name: *sz_ATC_NoComponents* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* - - - -
    - - -**ADMX_Desktop/sz_AdminComponents_Title** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - +If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. + +If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoWindowMinimizingShortcuts | +| Friendly Name | Turn off Aero Shake window minimizing mouse gesture | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoWindowMinimizingShortcuts | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_AdminComponents_Title + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_AdminComponents_Title +``` + + + + Adds and deletes specified Web content items. You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. -> [!NOTE] -> Removing an item from the "Add" list for this setting isn't the same as deleting it. Items that are removed from the "Add" list aren't removed from the desktop. They are simply not added again. +Note: Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. -> [!NOTE] -> For this setting to take effect, you must log off and log on to the system. +Note: For this setting to take affect, you must log off and log on to the system. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add/Delete items* -- GP name: *sz_AdminComponents_Title* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/sz_DB_DragDropClose** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | sz_AdminComponents_Title | +| Friendly Name | Add/Delete items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## sz_ATC_DisableAdd -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableAdd +``` + - - + + +Prevents users from adding Web content to their Active Desktop. + +This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. + +Also, see the "Disable all items" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableAdd | +| Friendly Name | Prohibit adding items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoAddingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_DisableClose + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableClose +``` + + + + +Prevents users from removing Web content from their Active Desktop. + +In Active Desktop, you can add items to the desktop but close them so they are not displayed. + +If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. + +Note: This setting does not prevent users from deleting items from their Active Desktop. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableClose | +| Friendly Name | Prohibit closing items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoClosingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_DisableDel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableDel +``` + + + + +Prevents users from deleting Web content from their Active Desktop. + +This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. + +This setting does not prevent users from adding Web content to their Active Desktop. + +Also, see the "Prohibit closing items" and "Disable all items" settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableDel | +| Friendly Name | Prohibit deleting items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoDeletingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_DisableEdit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_DisableEdit +``` + + + + +Prevents users from changing the properties of Web content items on their Active Desktop. + +This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_DisableEdit | +| Friendly Name | Prohibit editing items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoEditingComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_ATC_NoComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_ATC_NoComponents +``` + + + + +Removes Active Desktop content and prevents users from adding Active Desktop content. + +This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. + +Note: This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | sz_ATC_NoComponents | +| Friendly Name | Disable all items | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoComponents | +| ADMX File Name | Desktop.admx | + + + + + + + + + +## sz_DB_DragDropClose + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_DB_DragDropClose +``` + + + + Prevents users from manipulating desktop toolbars. -If you enable this setting, users can't add or remove toolbars from the desktop. Also, users can't drag toolbars onto or off from the docked toolbars. +If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. -> [!NOTE] -> If users have added or removed toolbars, this setting prevents them from restoring the default configuration. +Note: If users have added or removed toolbars, this setting prevents them from restoring the default configuration. -> [!TIP] -> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." +Tip: To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." Also, see the "Prohibit adjusting desktop toolbars" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent adding, dragging, dropping and closing the Taskbar's toolbars* -- GP name: *sz_DB_DragDropClose* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/sz_DB_Moving** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | sz_DB_DragDropClose | +| Friendly Name | Prevent adding, dragging, dropping and closing the Taskbar's toolbars | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoCloseDragDropBands | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## sz_DB_Moving -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_DB_Moving +``` + - - -Prevents users from adjusting the length of desktop toolbars. Also, users can't reposition items or toolbars on docked toolbars. + + +Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. -This setting doesn't prevent users from adding or removing toolbars on the desktop. +This setting does not prevent users from adding or removing toolbars on the desktop. -> [!NOTE] -> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. +Note: If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit adjusting desktop toolbars* -- GP name: *sz_DB_Moving* -- GP path: *Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Desktop/sz_DWP_NoHTMLPaper** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | sz_DB_Moving | +| Friendly Name | Prohibit adjusting desktop toolbars | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoMovingBands | +| ADMX File Name | Desktop.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## sz_DWP_NoHTMLPaper -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/sz_DWP_NoHTMLPaper +``` + - - -Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper doesn't load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". + + +Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow only bitmapped wallpaper* -- GP name: *sz_DWP_NoHTMLPaper* -- GP path: *Desktop\Desktop* -- GP ADMX file name: *Desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | sz_DWP_NoHTMLPaper | +| Friendly Name | Allow only bitmapped wallpaper | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | +| Registry Value Name | NoHTMLWallPaper | +| ADMX File Name | Desktop.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + +## Wallpaper + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/Wallpaper +``` + + + + +Specifies the desktop background ("wallpaper") displayed on all users' desktops. + +This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. + +To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. + +If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. + +Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. + +Note: This setting does not apply to remote desktop server sessions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Wallpaper | +| Friendly Name | Desktop Wallpaper | +| Location | User Configuration | +| Path | Desktop > Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | Desktop.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index 4391477405..9527d9ce53 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,127 +1,150 @@ --- -title: Policy CSP - ADMX_DeviceCompat -description: Learn about Policy CSP - ADMX_DeviceCompat. +title: ADMX_DeviceCompat Policy CSP +description: Learn more about the ADMX_DeviceCompat Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/09/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceCompat + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DeviceCompat policies + +## DeviceFlags -
    -
    - ADMX_DeviceCompat/DeviceFlags -
    -
    - ADMX_DeviceCompat/DriverShims -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceCompat/DeviceFlags +``` + -
    - - -**ADMX_DeviceCompat/DeviceFlags** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Changes behavior of Microsoft bus drivers to work with specific devices. + - + + + - -ADMX Info: -- GP Friendly name: *Device compatibility settings* -- GP name: *DeviceFlags* -- GP path: *Windows Components\Device and Driver Compatibility* -- GP ADMX file name: *DeviceCompat.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_DeviceCompat/DriverShims** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DeviceFlags | +| Friendly Name | Device compatibility settings | +| Location | Computer Configuration | +| Path | Windows Components > Device and Driver Compatibility | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\Compatibility | +| Registry Value Name | DisableDeviceFlags | +| ADMX File Name | DeviceCompat.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DriverShims -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceCompat/DriverShims +``` + - + + +Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions. + - -ADMX Info: -- GP Friendly name: *Driver compatibility settings* -- GP name: *DriverShims* -- GP path: *Windows Components\Device and Driver Compatibility* -- GP ADMX file name: *DeviceCompat.admx* + + + - - + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DriverShims | +| Friendly Name | Driver compatibility settings | +| Location | Computer Configuration | +| Path | Windows Components > Device and Driver Compatibility | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\Compatibility | +| Registry Value Name | DisableDriverShims | +| ADMX File Name | DeviceCompat.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 07d87543fe..1a33f9e1e1 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,99 +1,107 @@ --- -title: Policy CSP - ADMX_DeviceGuard -description: Learn about Policy CSP - ADMX_DeviceGuard. +title: ADMX_DeviceGuard Policy CSP +description: Learn more about the ADMX_DeviceGuard Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceGuard -> [!WARNING] -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + +> [!WARNING] +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for [policy deployment](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). + - -## ADMX_DeviceGuard policies + +## ConfigCIPolicy -
    -
    - ADMX_DeviceGuard/ConfigCIPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceGuard/ConfigCIPolicy +``` + -
    + + +Deploy Windows Defender Application Control - -**ADMX_DeviceGuard/ConfigCIPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. -If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. +If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be rebooted. -To enable this policy, the machine must be rebooted. -The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`), -or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`. +The file path must be either a UNC path (for example, \\ServerName\ShareName\SIPolicy.p7b), or a locally valid path (for example, C:\FolderName\SIPolicy.p7b). The local machine account (LOCAL SYSTEM) must have access permission to the policy file. -The local machine account (LOCAL SYSTEM) must have access permission to the policy file. -If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: +If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: -- First update the policy to a non-protected policy and then disable the setting. (or) -- Disable the setting and then remove the policy from each computer, with a physically present user. +1) first update the policy to a non-protected policy and then disable the setting, or +2) disable the setting and then remove the policy from each computer, with a physically present user. + - + + + - -ADMX Info: -- GP Friendly name: *Deploy Windows Defender Application Control* -- GP name: *ConfigCIPolicy* -- GP path: *Windows Components/DeviceGuard!DeployConfigCIPolicy* -- GP ADMX file name: *DeviceGuard.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | ConfigCIPolicy | +| Friendly Name | Deploy Windows Defender Application Control | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| Registry Value Name | DeployConfigCIPolicy | +| ADMX File Name | DeviceGuard.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 4ec0b160fd..ef54eb773e 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,442 +1,519 @@ --- -title: Policy CSP - ADMX_DeviceInstallation -description: Learn about Policy CSP - ADMX_DeviceInstallation. +title: ADMX_DeviceInstallation Policy CSP +description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceInstallation > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DeviceInstallation policies + +## DeviceInstall_AllowAdminInstall -
    -
    - ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall -
    -
    - ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText -
    -
    - ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText -
    -
    - ADMX_DeviceInstallation/DeviceInstall_InstallTimeout -
    -
    - ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime -
    -
    - ADMX_DeviceInstallation/DeviceInstall_Removable_Deny -
    -
    - ADMX_DeviceInstallation/DeviceInstall_SystemRestore -
    -
    - ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall +``` + -
    - - -**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. +If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow administrators to override Device Installation Restriction policies* -- GP name: *DeviceInstall_AllowAdminInstall* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_AllowAdminInstall | +| Friendly Name | Allow administrators to override Device Installation Restriction policies | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowAdminInstall | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_DeniedPolicy_DetailText -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText +``` + - - + + This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. -If you disable or don't configure this policy setting, Windows displays a default message when a policy setting prevents device installation. +If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display a custom message when installation is prevented by a policy setting* -- GP name: *DeviceInstall_DeniedPolicy_DetailText* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_DeniedPolicy_DetailText | +| Friendly Name | Display a custom message when installation is prevented by a policy setting | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_DeniedPolicy_SimpleText -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText +``` + - - + + This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. -If you disable or don't configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. +If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display a custom message title when device installation is prevented by a policy setting* -- GP name: *DeviceInstall_DeniedPolicy_SimpleText* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_DeniedPolicy_SimpleText | +| Friendly Name | Display a custom message title when device installation is prevented by a policy setting | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_InstallTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_InstallTimeout +``` + - - + + This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. -If you disable or don't configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. +If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure device installation time-out* -- GP name: *DeviceInstall_InstallTimeout* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_InstallTimeout | +| Friendly Name | Configure device installation time-out | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_Policy_RebootTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime +``` + - - + + This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. -If you enable this policy setting, set the number of seconds you want the system to wait until a reboot. +If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. -If you disable or don't configure this policy setting, the system doesn't force a reboot. +If you disable or do not configure this policy setting, the system does not force a reboot. ->[!Note] -> If no reboot is forced, the device installation restriction right won't take effect until the system is restarted. +Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Time (in seconds) to force reboot when required for policy changes to take effect* -- GP name: *DeviceInstall_Policy_RebootTime* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Policy_RebootTime | +| Friendly Name | Time (in seconds) to force reboot when required for policy changes to take effect | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | ForceReboot | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DeviceInstall_Removable_Deny -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_Removable_Deny +``` + - - -This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + + +This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices can't have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. +NOTE: To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. -If you disable or don't configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. - +If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. +If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings. + - -ADMX Info: -- GP Friendly name: *Prevent installation of removable devices* -- GP name: *DeviceInstall_Removable_Deny* -- GP path: *System\Device Installation\Device Installation Restrictions* -- GP ADMX file name: *DeviceInstallation.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_DeviceInstallation/DeviceInstall_SystemRestore** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Removable_Deny | +| Friendly Name | Prevent installation of removable devices | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyRemovableDevices | +| ADMX File Name | DeviceInstallation.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DeviceInstall_SystemRestore - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DeviceInstall_SystemRestore +``` + + + + This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. -If you enable this policy setting, Windows doesn't create a system restore point when one would normally be created. +If you enable this policy setting, Windows does not create a system restore point when one would normally be created. -If you disable or don't configure this policy setting, Windows creates a system restore point as it normally would. +If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point* -- GP name: *DeviceInstall_SystemRestore* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceInstallation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_SystemRestore | +| Friendly Name | Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings | +| Registry Value Name | DisableSystemRestore | +| ADMX File Name | DeviceInstallation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DriverInstall_Classes_AllowUser -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser +``` + - - -This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. + + +This policy setting specifies a list of device setup class GUIDs describing driver packages that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. -If you disable or don't configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. +If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new driver packages on the system. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow non-administrators to install drivers for these device setup classes* -- GP name: *DriverInstall_Classes_AllowUser* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceInstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DriverInstall_Classes_AllowUser | +| Friendly Name | Allow non-administrators to install drivers for these device setup classes | +| Location | Computer Configuration | +| Path | System > Driver Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DriverInstall\Restrictions | +| Registry Value Name | AllowUserDeviceClasses | +| ADMX File Name | DeviceInstallation.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 75d6ef18bf..32b9e76cc9 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -1,143 +1,161 @@ --- -title: Policy CSP - ADMX_DeviceSetup -description: Learn about Policy CSP - ADMX_DeviceSetup. +title: ADMX_DeviceSetup Policy CSP +description: Learn more about the ADMX_DeviceSetup Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DeviceSetup > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DeviceSetup policies + +## DeviceInstall_BalloonTips -
    -
    - ADMX_DeviceSetup/DeviceInstall_BalloonTips -
    -
    - ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceSetup/DeviceInstall_BalloonTips +``` + -
    - - -**ADMX_DeviceSetup/DeviceInstall_BalloonTips** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off "Found New Hardware" balloons during device installation. -If you enable this policy setting, "Found New Hardware" balloons don't appear while a device is being installed. +If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. -If you disable or don't configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. +If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off "Found New Hardware" balloons during device installation* -- GP name: *DeviceInstall_BalloonTips* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceSetup.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_BalloonTips | +| Friendly Name | Turn off "Found New Hardware" balloons during device installation | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Settings | +| Registry Value Name | DisableBalloonTips | +| ADMX File Name | DeviceSetup.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DriverSearchPlaces_SearchOrderConfiguration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration +``` + - - + + This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. ->[!Note] -> Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. +Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. -This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching is enabled and only when needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system. +If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. -If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. +If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. + - + + + - -ADMX Info: -- GP Friendly name: *Specify search order for device driver source locations* -- GP name: *DriverSearchPlaces_SearchOrderConfiguration* -- GP path: *System\Device Installation* -- GP ADMX file name: *DeviceSetup.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | DriverSearchPlaces_SearchOrderConfiguration | +| Friendly Name | Specify search order for device driver source locations | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | Software\Policies\Microsoft\Windows\DriverSearching | +| ADMX File Name | DeviceSetup.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index e40ed73aad..f1728146f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,92 +1,99 @@ --- -title: Policy CSP - ADMX_DFS -description: Learn about Policy CSP - ADMX_DFS. +title: ADMX_DFS Policy CSP +description: Learn more about the ADMX_DFS Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DFS > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_DFS policies + + + -
    -
    - ADMX_DFS/DFSDiscoverDC -
    -
    + +## DFSDiscoverDC + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DFS/DFSDiscoverDC +``` + - -**ADMX_DFS/DFSDiscoverDC** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. -By default, a DFS client attempts to discover domain controllers every 15 minutes. + + +This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes. If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes. -If you disable or don't configure this policy setting, the default value of 15 minutes applies. +If you disable or do not configure this policy setting, the default value of 15 minutes applies. -> [!NOTE] -> The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. +Note: The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. + - + + + - -ADMX Info: -- GP Friendly name: *Configure how often a DFS client discovers domain controllers* -- GP name: *DFSDiscoverDC* -- GP path: *Windows Components\ActiveX Installer Service* -- GP ADMX file name: *DFS.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DFSDiscoverDC | +| Friendly Name | Configure how often a DFS client discovers domain controllers | +| Location | Computer Configuration | +| Path | Network | +| Registry Key Name | Software\Policies\Microsoft\System\DFSClient | +| ADMX File Name | DFS.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 90522018ee..751d2e0a19 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,143 +1,162 @@ --- -title: Policy CSP - ADMX_DigitalLocker -description: Learn about Policy CSP - ADMX_DigitalLocker. +title: ADMX_DigitalLocker Policy CSP +description: Learn more about the ADMX_DigitalLocker Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/31/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DigitalLocker > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DigitalLocker policies + +## Digitalx_DiableApplication_TitleText_2 -
    -
    - ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 -
    -
    - ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 +``` + -
    - - -**ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies whether Digital Locker can run. + + +Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker won't run. +If you enable this setting, Digital Locker will not run. -If you disable or don't configure this setting, Digital Locker can be run. +If you disable or do not configure this setting, Digital Locker can be run. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Digital Locker to run* -- GP name: *Digitalx_DiableApplication_TitleText_1* -- GP path: *Windows Components/Digital Locker* -- GP ADMX file name: *DigitalLocker.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Digitalx_DiableApplication_TitleText | +| Friendly Name | Do not allow Digital Locker to run | +| Location | Computer Configuration | +| Path | Windows Components > Digital Locker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Digital Locker | +| Registry Value Name | DoNotRunDigitalLocker | +| ADMX File Name | DigitalLocker.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Digitalx_DiableApplication_TitleText_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies whether Digital Locker can run. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 +``` + + + + +Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker won't run. +If you enable this setting, Digital Locker will not run. -If you disable or don't configure this setting, Digital Locker can be run. +If you disable or do not configure this setting, Digital Locker can be run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow Digital Locker to run* -- GP name: *Digitalx_DiableApplication_TitleText_2* -- GP path: *Windows Components/Digital Locker* -- GP ADMX file name: *DigitalLocker.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Digitalx_DiableApplication_TitleText | +| Friendly Name | Do not allow Digital Locker to run | +| Location | User Configuration | +| Path | Windows Components > Digital Locker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Digital Locker | +| Registry Value Name | DoNotRunDigitalLocker | +| ADMX File Name | DigitalLocker.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 9c83d784c0..8855716640 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,125 +1,114 @@ --- -title: Policy CSP - ADMX_DiskDiagnostic -description: Learn about Policy CSP - ADMX_DiskDiagnostic. +title: ADMX_DiskDiagnostic Policy CSP +description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/08/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DiskDiagnostic > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DiskDiagnostic policies + +## DfdAlertPolicy -
    -
    - ADMX_DiskDiagnostic/DfdAlertPolicy -
    -
    - ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskDiagnostic/DfdAlertPolicy +``` + -
    - - -**ADMX_DiskDiagnostic/DfdAlertPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. -If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message. +If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. -No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. -This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. -The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!NOTE] -> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services. +Note: For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + - + + + - -ADMX Info: -- GP Friendly name: *Configure custom alert text* -- GP name: *DfdAlertPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* -- GP ADMX file name: *DiskDiagnostic.admx* + +**Description framework properties**: - - -
    -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DfdAlertPolicy | +| Friendly Name | Disk Diagnostic: Configure custom alert text | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Disk Diagnostic | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD} | +| ADMX File Name | DiskDiagnostic.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WdiScenarioExecutionPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy +``` + + + + This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. @@ -128,31 +117,58 @@ If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. -If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +If you do not configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. -No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. -This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. -> [!NOTE] -> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. +This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. - +Note: For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + - -ADMX Info: -- GP Friendly name: *Configure execution level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* -- GP ADMX file name: *DiskDiagnostic.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Disk Diagnostic: Configure execution level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Disk Diagnostic | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD} | +| ADMX File Name | DiskDiagnostic.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 2f3c8c7fb5..4000ca5105 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,93 +1,95 @@ --- -title: Policy CSP - ADMX_DistributedLinkTracking -description: Learn about Policy CSP - ADMX_DistributedLinkTracking. +title: ADMX_DistributedLinkTracking Policy CSP +description: Learn more about the ADMX_DistributedLinkTracking Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DistributedLinkTracking > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DistributedLinkTracking policies + +## DLT_AllowDomainMode -
    -
    - ADMX_DistributedLinkTracking/DLT_AllowDomainMode -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DistributedLinkTracking/DLT_AllowDomainMode +``` + -
    + + +Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT server is running on all domain controllers in the domain. + - -**ADMX_DistributedLinkTracking/DLT_AllowDomainMode** + + +**Note** This policy setting applies to all sites in Trusted zones. + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Machine +| Name | Value | +|:--|:--| +| Name | DLT_AllowDomainMode | +| Friendly Name | Allow Distributed Link Tracking clients to use domain resources | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DLT_AllowDomainMode | +| ADMX File Name | DistributedLinkTracking.admx | + -
    + + + - - -This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. + -The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. + + + -The DLT client can more reliably track links when allowed to use the DLT server. -This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain. + -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. +## Related articles - - - -ADMX Info: -- GP Friendly name: *Allow Distributed Link Tracking clients to use domain resources* -- GP name: *DLT_AllowDomainMode* -- GP path: *Windows\System!DLT_AllowDomainMode* -- GP ADMX file name: *DistributedLinkTracking.admx* - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 282156487a..088059f1f3 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,176 +1,110 @@ --- -title: Policy CSP - ADMX_DnsClient -description: Learn about Policy CSP - ADMX_DnsClient. +title: ADMX_DnsClient Policy CSP +description: Learn more about the ADMX_DnsClient Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DnsClient > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DnsClient policies + +## DNS_AllowFQDNNetBiosQueries -
    -
    - ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries -
    -
    - ADMX_DnsClient/DNS_AppendToMultiLabelName -
    -
    - ADMX_DnsClient/DNS_Domain -
    -
    - ADMX_DnsClient/DNS_DomainNameDevolutionLevel -
    -
    - ADMX_DnsClient/DNS_IdnEncoding -
    -
    - ADMX_DnsClient/DNS_IdnMapping -
    -
    - ADMX_DnsClient/DNS_NameServer -
    -
    - ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns -
    -
    - ADMX_DnsClient/DNS_PrimaryDnsSuffix -
    -
    - ADMX_DnsClient/DNS_RegisterAdapterName -
    -
    - ADMX_DnsClient/DNS_RegisterReverseLookup -
    -
    - ADMX_DnsClient/DNS_RegistrationEnabled -
    -
    - ADMX_DnsClient/DNS_RegistrationOverwritesInConflict -
    -
    - ADMX_DnsClient/DNS_RegistrationRefreshInterval -
    -
    - ADMX_DnsClient/DNS_RegistrationTtl -
    -
    - ADMX_DnsClient/DNS_SearchList -
    -
    - ADMX_DnsClient/DNS_SmartMultiHomedNameResolution -
    -
    - ADMX_DnsClient/DNS_SmartProtocolReorder -
    -
    - ADMX_DnsClient/DNS_UpdateSecurityLevel -
    -
    - ADMX_DnsClient/DNS_UpdateTopLevelDomainZones -
    -
    - ADMX_DnsClient/DNS_UseDomainNameDevolution -
    -
    - ADMX_DnsClient/Turn_Off_Multicast -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +``` + -
    + + +Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. - -**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries** - +If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. +**ADMX mapping**: -If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. +| Name | Value | +|:--|:--| +| Name | DNS_AllowFQDNNetBiosQueries | +| Friendly Name | Allow NetBT queries for fully qualified domain names | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | QueryNetBTFQDN | +| ADMX File Name | DnsClient.admx | + -If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. + + + - + + +## DNS_AppendToMultiLabelName - -ADMX Info: -- GP Friendly name: *Allow NetBT queries for fully qualified domain names* -- GP name: *DNS_AllowFQDNNetBiosQueries* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_AppendToMultiLabelName +``` + - -**ADMX_DnsClient/DNS_AppendToMultiLabelName** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. + + +Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. @@ -182,975 +116,132 @@ If you enable this policy setting, suffixes are allowed to be appended to an unq If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. -If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. +If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. + - + + + - -ADMX Info: -- GP Friendly name: *Allow DNS suffix appending to unqualified multi-label name queries* -- GP name: *DNS_AppendToMultiLabelName* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DnsClient/DNS_Domain** - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DNS_AppendToMultiLabelName | +| Friendly Name | Allow DNS suffix appending to unqualified multi-label name queries | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | AppendToMultiLabelName | +| ADMX File Name | DnsClient.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DNS_Domain -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_Domain +``` + + + + +Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Connection-specific DNS suffix* -- GP name: *DNS_Domain* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** - +| Name | Value | +|:--|:--| +| Name | DNS_Domain | +| Friendly Name | Connection-specific DNS suffix | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DNS_DomainNameDevolutionLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_DomainNameDevolutionLevel +``` + - - -This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. + + +Specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. -Devolution isn't enabled if a global suffix search list is configured using Group Policy. +Devolution is not enabled if a global suffix search list is configured using Group Policy. -If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: - -- The primary DNS suffix, as specified on the Computer Name tab of the System control panel. -- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. - -For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. - -If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. - -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. - -If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. - -If you disable this policy setting or don't configure it, DNS clients use the default devolution level of two if DNS devolution is enabled. - - - - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix devolution level* -- GP name: *DNS_DomainNameDevolutionLevel* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_IdnEncoding** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. - -If this policy setting is enabled, IDNs aren't converted to Punycode. - -If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. - - - - - -ADMX Info: -- GP Friendly name: *Turn off IDN encoding* -- GP name: *DNS_IdnEncoding* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_IdnMapping** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. - -If this policy setting is enabled, IDNs are converted to the Nameprep form. - -If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form. - - - - - -ADMX Info: -- GP Friendly name: *IDN mapping* -- GP name: *DNS_IdnMapping* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_NameServer** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. - -To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. - -If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. - - - - - -ADMX Info: -- GP Friendly name: *DNS servers* -- GP name: *DNS_NameServer* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). - -If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. - -If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. - -> [!NOTE] -> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. - - - - -ADMX Info: -- GP Friendly name: *Prefer link local responses over DNS when received over a network with higher precedence* -- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - - -
    - - -**ADMX_DnsClient/DNS_PrimaryDnsSuffix** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. - -To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. - -> [!IMPORTANT] -> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. - -If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. - -You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. - -If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined. - - - - -ADMX Info: -- GP Friendly name: *Primary DNS suffix* -- GP name: *DNS_PrimaryDnsSuffix* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegisterAdapterName** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. - -By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. - -If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This suffix-update applies to all network connections used by computers that receive this policy setting. - -For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. - ->[!Important] -> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. - -If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix. - - - - -ADMX Info: -- GP Friendly name: *Register DNS records with connection-specific DNS suffix* -- GP name: *DNS_RegisterAdapterName* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegisterReverseLookup** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if DNS client computers will register PTR resource records. - -By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. - -If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. - -To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: - -- Do not register: Computers won't attempt to register PTR resource records -- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful. -- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings. - - - - -ADMX Info: -- GP Friendly name: *Register PTR records* -- GP name: *DNS_RegisterReverseLookup* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationEnabled** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. - -If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. - -If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. - - - - - -ADMX Info: -- GP Friendly name: *Dynamic update* -- GP name: *DNS_RegistrationEnabled* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. - -This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers. - -During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing (A) resource record with an (A) resource record that has the client's current IP address. - -If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting (A) resource records during dynamic update. - -If you disable this policy setting, existing (A) resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer. - - - - - -ADMX Info: -- GP Friendly name: *Replace addresses in conflicts* -- GP name: *DNS_RegistrationOverwritesInConflict* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationRefreshInterval** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. - -Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records. - -> [!WARNING] -> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. - -To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. - -If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. - - - - - -ADMX Info: -- GP Friendly name: *Registration refresh interval* -- GP name: *DNS_RegistrationRefreshInterval* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_RegistrationTtl** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. - -To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). - -If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). - - - - - -ADMX Info: -- GP Friendly name: *TTL value for A and PTR records* -- GP name: *DNS_RegistrationTtl* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_SearchList** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. - -An unqualified single-label name contains no dots. The name "example" is a single-label name. This name is different from a fully qualified domain name such as "example.microsoft.com." - -Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." - -To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. - -If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. - -If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. - - - - - -ADMX Info: -- GP Friendly name: *DNS suffix search list* -- GP name: *DNS_SearchList* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. If multiple positive responses are received, the network binding order is used to determine which response to accept. - -If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. - -If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. - - - - - -ADMX Info: -- GP Friendly name: *Turn off smart multi-homed name resolution* -- GP name: *DNS_SmartMultiHomedNameResolution* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_SmartProtocolReorder** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). - -If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. - -If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. - -> [!NOTE] -> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. - - - - -ADMX Info: -- GP Friendly name: *Turn off smart protocol reordering* -- GP name: *DNS_SmartProtocolReorder* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_UpdateSecurityLevel** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the security level for dynamic DNS updates. - -To use this policy setting, click Enabled and then select one of the following values: - -- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. -- Only unsecure - computers send only nonsecure dynamic updates. -- Only secure - computers send only secure dynamic updates. - -If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. - -If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. - - - - - -ADMX Info: -- GP Friendly name: *Update security level* -- GP name: *DNS_UpdateSecurityLevel* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." - -By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. - -If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. - -If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. - - - - - -ADMX Info: -- GP Friendly name: *Update top level domain zones* -- GP name: *DNS_UpdateTopLevelDomainZones* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* - - - - -
    - - -**ADMX_DnsClient/DNS_UseDomainNameDevolution** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. - -With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. - -The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. - -Devolution isn't enabled if a global suffix search list is configured using Group Policy. - -If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: The primary DNS suffix, as specified on the Computer Name tab of the System control panel. @@ -1158,78 +249,1206 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. -If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. -For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. -If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. -If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +If this policy setting is disabled, or if this policy setting is not configured, DNS clients use the default devolution level of two provided that DNS devolution is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Primary DNS suffix devolution* -- GP name: *DNS_UseDomainNameDevolution* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_DnsClient/Turn_Off_Multicast** - +| Name | Value | +|:--|:--| +| Name | DNS_DomainNameDevolutionLevel | +| Friendly Name | Primary DNS suffix devolution level | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | EnableDevolutionLevelControl | +| ADMX File Name | DnsClient.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DNS_IdnEncoding -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_IdnEncoding +``` + - - -This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + + +Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. -LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible. +If this policy setting is enabled, IDNs are not converted to Punycode. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_IdnEncoding | +| Friendly Name | Turn off IDN encoding | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | DisableIdnEncoding | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_IdnMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_IdnMapping +``` + + + + +Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. + +If this policy setting is enabled, IDNs are converted to the Nameprep form. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_IdnMapping | +| Friendly Name | IDN mapping | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | EnableIdnMapping | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_NameServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_NameServer +``` + + + + +Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. + +To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. + +If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_NameServer | +| Friendly Name | DNS servers | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_PreferLocalResponsesOverLowerOrderDns + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +``` + + + + +Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. + +If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. + +Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_PreferLocalResponsesOverLowerOrderDns | +| Friendly Name | Prefer link local responses over DNS when received over a network with higher precedence | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | PreferLocalOverLowerBindingDNS | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_PrimaryDnsSuffix + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_PrimaryDnsSuffix +``` + + + + +Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. + +To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. + +Important: In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. + +If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. + +You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. + +If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_PrimaryDnsSuffix | +| Friendly Name | Primary DNS suffix | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\System\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegisterAdapterName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegisterAdapterName +``` + + + + +Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. + +By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. + +If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. + +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. + +Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. + +If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegisterAdapterName | +| Friendly Name | Register DNS records with connection-specific DNS suffix | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | RegisterAdapterName | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegisterReverseLookup + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegisterReverseLookup +``` + + + + +Specifies if DNS client computers will register PTR resource records. + +By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. + +If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. + +To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: + +Do not register: Computers will not attempt to register PTR resource records. + +Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. + +Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegisterReverseLookup | +| Friendly Name | Register PTR records | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationEnabled +``` + + + + +Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. + +If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. + +If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationEnabled | +| Friendly Name | Dynamic update | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | RegistrationEnabled | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationOverwritesInConflict + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +``` + + + + +Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. + +This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. + +During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. + +If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. + +If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationOverwritesInConflict | +| Friendly Name | Replace addresses in conflicts | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | RegistrationOverwritesInConflict | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationRefreshInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationRefreshInterval +``` + + + + +Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. + +Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. + +Warning: If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. + +To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. + +If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationRefreshInterval | +| Friendly Name | Registration refresh interval | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_RegistrationTtl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_RegistrationTtl +``` + + + + +Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. + +To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). + +If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_RegistrationTtl | +| Friendly Name | TTL value for A and PTR records | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_SearchList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SearchList +``` + + + + +Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. + +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." + +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. + +If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. + +If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_SearchList | +| Friendly Name | DNS suffix search list | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_SmartMultiHomedNameResolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +``` + + + + +Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. + +If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. + +If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_SmartMultiHomedNameResolution | +| Friendly Name | Turn off smart multi-homed name resolution | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | DisableSmartNameResolution | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_SmartProtocolReorder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_SmartProtocolReorder +``` + + + + +Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. + +If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. + +Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_SmartProtocolReorder | +| Friendly Name | Turn off smart protocol reordering | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | DisableSmartProtocolReordering | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_UpdateSecurityLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UpdateSecurityLevel +``` + + + + +Specifies the security level for dynamic DNS updates. + +To use this policy setting, click Enabled and then select one of the following values: + +Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. + +Only unsecure - computers send only nonsecure dynamic updates. + +Only secure - computers send only secure dynamic updates. + +If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_UpdateSecurityLevel | +| Friendly Name | Update security level | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_UpdateTopLevelDomainZones + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +``` + + + + +Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." + +By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. + +If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. + +If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_UpdateTopLevelDomainZones | +| Friendly Name | Update top level domain zones | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | UpdateTopLevelDomainZones | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## DNS_UseDomainNameDevolution + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/DNS_UseDomainNameDevolution +``` + + + + +Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +The primary DNS suffix, as specified on the Computer Name tab of the System control panel. + +Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. + +If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + +If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DNS_UseDomainNameDevolution | +| Friendly Name | Primary DNS suffix devolution | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | UseDomainNameDevolution | +| ADMX File Name | DnsClient.admx | + + + + + + + + + +## Turn_Off_Multicast + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DnsClient/Turn_Off_Multicast +``` + + + + +Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + +LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. -If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters. +If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off multicast name resolution* -- GP name: *Turn_Off_Multicast* -- GP path: *Network/DNS Client* -- GP ADMX file name: *DnsClient.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DNS_TurnOffMulticast | +| Friendly Name | Turn off multicast name resolution | +| Location | Computer Configuration | +| Path | Network > DNS Client | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DNSClient | +| Registry Value Name | EnableMulticast | +| ADMX File Name | DnsClient.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 0d52811a07..01d13ee89c 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,354 +1,410 @@ --- -title: Policy CSP - ADMX_DWM -description: Learn about Policy CSP - ADMX_DWM. +title: ADMX_DWM Policy CSP +description: Learn more about the ADMX_DWM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/31/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DWM > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_DWM policies + +## DwmDefaultColorizationColor_2 -
    -
    - ADMX_DWM/DwmDefaultColorizationColor_1 -
    -
    - ADMX_DWM/DwmDefaultColorizationColor_2 -
    -
    - ADMX_DWM/DwmDisallowAnimations_1 -
    -
    - ADMX_DWM/DwmDisallowAnimations_2 -
    -
    - ADMX_DWM/DwmDisallowColorizationColorChanges_1 -
    -
    - ADMX_DWM/DwmDisallowColorizationColorChanges_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDefaultColorizationColor_2 +``` + -
    + + +This policy setting controls the default color for window frames when the user does not specify a color. - -**ADMX_DWM/DwmDefaultColorizationColor_1** +If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. - +If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Note: This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting controls the default color for window frames when the user doesn't specify a color. +**ADMX mapping**: -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color. +| Name | Value | +|:--|:--| +| Name | DwmDefaultColorizationColor | +| Friendly Name | Specify a default color | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DefaultColorizationColorState | +| ADMX File Name | DWM.admx | + -If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color. + + + -> [!NOTE] -> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + - + +## DwmDisallowAnimations_2 - -ADMX Info: -- GP Friendly name: *Specify a default color* -- GP name: *DwmDefaultColorizationColor_1* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowAnimations_2 +``` + -
    - - -**ADMX_DWM/DwmDefaultColorizationColor_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the default color for window frames when the user doesn't specify a color. - -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user doesn't specify a color. - -If you disable or don't configure this policy setting, the default internal color is used, if the user doesn't specify a color. - -> [!NOTE] -> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. - - - - - -ADMX Info: -- GP Friendly name: *Specify a default color* -- GP name: *DwmDefaultColorizationColor_2* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* - - - -
    - - -**ADMX_DWM/DwmDisallowAnimations_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. -If you disable or don't configure this policy setting, window animations are turned on. +If you disable or do not configure this policy setting, window animations are turned on. -Changing this policy setting requires a sign out for it to be applied. +Changing this policy setting requires a logoff for it to be applied. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow window animations* -- GP name: *DwmDisallowAnimations_1* -- GP path: *Windows Components/Desktop Window Manager* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DWM/DwmDisallowAnimations_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDisallowAnimations | +| Friendly Name | Do not allow window animations | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowAnimations | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDisallowColorizationColorChanges_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowColorizationColorChanges_2 +``` + - - + + +This policy setting controls the ability to change the color of window frames. + +If you enable this policy setting, you prevent users from changing the default window frame color. + +If you disable or do not configure this policy setting, you allow users to change the default window frame color. + +Note: This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DwmDisallowColorizationColorChanges | +| Friendly Name | Do not allow color changes | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowColorizationColorChanges | +| ADMX File Name | DWM.admx | + + + + + + + + + +## DwmDefaultColorizationColor_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDefaultColorizationColor_1 +``` + + + + +This policy setting controls the default color for window frames when the user does not specify a color. + +If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. + +If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. + +Note: This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DwmDefaultColorizationColor | +| Friendly Name | Specify a default color | +| Location | User Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DefaultColorizationColorState | +| ADMX File Name | DWM.admx | + + + + + + + + + +## DwmDisallowAnimations_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowAnimations_1 +``` + + + + This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. -If you disable or don't configure this policy setting, window animations are turned on. +If you disable or do not configure this policy setting, window animations are turned on. -Changing this policy setting requires out a sign for it to be applied. +Changing this policy setting requires a logoff for it to be applied. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow window animations* -- GP name: *DwmDisallowAnimations_2* -- GP path: *Windows Components/Desktop Window Manager* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DWM/DwmDisallowColorizationColorChanges_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDisallowAnimations | +| Friendly Name | Do not allow window animations | +| Location | User Configuration | +| Path | Windows Components > Desktop Window Manager | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowAnimations | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DwmDisallowColorizationColorChanges_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowColorizationColorChanges_1 +``` + - - + + This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. -If you disable or don't configure this policy setting, you allow users to change the default window frame color. +If you disable or do not configure this policy setting, you allow users to change the default window frame color. -> [!NOTE] -> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. +Note: This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow color changes* -- GP name: *DwmDisallowColorizationColorChanges_1* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_DWM/DwmDisallowColorizationColorChanges_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DwmDisallowColorizationColorChanges | +| Friendly Name | Do not allow color changes | +| Location | User Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowColorizationColorChanges | +| ADMX File Name | DWM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting controls the ability to change the color of window frames. - -If you enable this policy setting, you prevent users from changing the default window frame color. - -If you disable or don't configure this policy setting, you allow users to change the default window frame color. - -> [!NOTE] -> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. - - - - -ADMX Info: -- GP Friendly name: *Do not allow color changes* -- GP name: *DwmDisallowColorizationColorChanges_2* -- GP path: *Windows Components/Desktop Window Manager/Window Frame Coloring* -- GP ADMX file name: *DWM.admx* - - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 4463e3732f..12856554a1 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,475 +1,512 @@ --- -title: Policy CSP - ADMX_EAIME -description: Learn about the Policy CSP - ADMX_EAIME. +title: ADMX_EAIME Policy CSP +description: Learn more about the ADMX_EAIME Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/19/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EAIME > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EAIME policies + +## L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList -
    -
    - ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList -
    -
    - ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion -
    -
    - ADMX_EAIME/L_TurnOffCustomDictionary -
    -
    - ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput -
    -
    - ADMX_EAIME/L_TurnOffInternetSearchIntegration -
    -
    - ADMX_EAIME/L_TurnOffOpenExtendedDictionary -
    -
    - ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile -
    -
    - ADMX_EAIME/L_TurnOnCloudCandidate -
    -
    - ADMX_EAIME/L_TurnOnCloudCandidateCHS -
    -
    - ADMX_EAIME/L_TurnOnLexiconUpdate -
    -
    - ADMX_EAIME/L_TurnOnLiveStickers -
    -
    - ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList +``` + -
    - - -**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. -If you enable this policy setting, Non-Publishing Standard Glyph isn't included in the candidate list when Publishing Standard Glyph for the word exists. +If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. -If you disable or don't configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. +If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. This policy setting applies to Japanese Microsoft IME only. -> [!NOTE] -> Changes to this setting will not take effect until the user logs off. +Note: Changes to this setting will not take effect until the user logs off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not include Non-Publishing Standard Glyph in the candidate list* -- GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList | +| Friendly Name | Do not include Non-Publishing Standard Glyph in the candidate list | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| Registry Value Name | ShowOnlyPublishingStandardGlyph | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_RestrictCharacterCodeRangeOfConversion -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion +``` + - - + + This policy setting allows you to restrict character code range of conversion by setting character filter. -If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: +If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: -- 0x0001 // JIS208 area -- 0x0002 // NEC special char code -- 0x0004 // NEC selected IBM extended code -- 0x0008 // IBM extended code -- 0x0010 // Half width katakana code -- 0x0100 // EUDC(GAIJI) -- 0x0200 // S-JIS unmapped area -- 0x0400 // Unicode char -- 0x0800 // surrogate char -- 0x1000 // IVS char -- 0xFFFF // no definition. +0x0001 // JIS208 area +0x0002 // NEC special char code +0x0004 // NEC selected IBM extended code +0x0008 // IBM extended code +0x0010 // Half width katakana code +0x0100 // EUDC(GAIJI) +0x0200 // S-JIS unmapped area +0x0400 // Unicode char +0x0800 // surrogate char +0x1000 // IVS char +0xFFFF // no definition. -If you disable or don't configure this policy setting, no range of characters are filtered by default. +If you disable or do not configure this policy setting, no range of characters are filtered by default. This policy setting applies to Japanese Microsoft IME only. -> [!NOTE] -> Changes to this setting will not take effect until the user logs off. +Note: Changes to this setting will not take effect until the user logs off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict character code range of conversion* -- GP name: *L_RestrictCharacterCodeRangeOfConversion* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOffCustomDictionary** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_RestrictCharacterCodeRangeOfConversion | +| Friendly Name | Restrict character code range of conversion | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffCustomDictionary -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffCustomDictionary +``` + - - + + This policy setting allows you to turn off the ability to use a custom dictionary. -If you enable this policy setting, you can't add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. +If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. -If you disable or don't configure this policy setting, the custom dictionary can be used by default. +If you disable or do not configure this policy setting, the custom dictionary can be used by default. -For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. +[Clear auto-tuning information] removes self-tuned words from the custom dictionary, even if a group policy setting is turned on. To do this, select Settings > Time & Language > Japanese Options > Microsoft IME Options. If compatibility mode is turned on, select Advanced options > Dictionary/Auto-tuning > [Clear auto-tuning information]. + +[Clear input history] removes self-tuned words from the custom dictionary, even if a group policy setting is turned on. To do this, select Settings > Time & Language > Japanese Options > Microsoft IME Options > Learning and Dictionary > [Clear input history]. This policy setting is applied to Japanese Microsoft IME. -> [!NOTE] -> Changes to this setting will not take effect until the user logs off. +Note: Changes to this setting will not take effect until the user logs off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off custom dictionary* -- GP name: *L_TurnOffCustomDictionary* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffCustomDictionary | +| Friendly Name | Turn off custom dictionary | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | UserDict | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffHistorybasedPredictiveInput -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput +``` + - - + + This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. -If you disable or don't configure this policy setting, history-based predictive input is on by default. +If you disable or do not configure this policy setting, history-based predictive input is on by default. This policy setting applies to Japanese Microsoft IME only. -> [!NOTE] -> Changes to this setting will not take effect until the user logs off. +Note: Changes to this setting will not take effect until the user logs off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off history-based predictive input* -- GP name: *L_TurnOffHistorybasedPredictiveInput* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EAIME/L_TurnOffInternetSearchIntegration** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | L_TurnOffHistorybasedPredictiveInput | +| Friendly Name | Turn off history-based predictive input | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| Registry Value Name | UseHistorybasedPredictiveInput | +| ADMX File Name | EAIME.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## L_TurnOffInternetSearchIntegration -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffInternetSearchIntegration +``` + + + + This policy setting allows you to turn off Internet search integration. -Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. +Search integration includes both using Search Provider (Japanese Microsoft IME) and performing bing search from predictive input for Japanese Microsoft IME. -If you enable this policy setting, you can't use search integration. +If you enable this policy setting, you cannot use search integration. -If you disable or don't configure this policy setting, the search integration function can be used by default. +If you disable or do not configure this policy setting, the search integration function can be used by default. This policy setting applies to Japanese Microsoft IME. -> [!NOTE] -> Changes to this setting will not take effect until the user logs off. +Note: Changes to this setting will not take effect until the user logs off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet search integration* -- GP name: *L_TurnOffInternetSearchIntegration* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOffOpenExtendedDictionary** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffInternetSearchIntegration | +| Friendly Name | Turn off Internet search integration | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | SearchPlugin | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffOpenExtendedDictionary -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffOpenExtendedDictionary +``` + - - + + This policy setting allows you to turn off Open Extended Dictionary. -If you enable this policy setting, Open Extended Dictionary is turned off. You can't add a new Open Extended Dictionary. +If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. -For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting isn't used for conversion. +For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. -If you disable or don't configure this policy setting, Open Extended Dictionary can be added and used by default. +If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. This policy setting is applied to Japanese Microsoft IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Open Extended Dictionary* -- GP name: *L_TurnOffOpenExtendedDictionary* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffOpenExtendedDictionary | +| Friendly Name | Turn off Open Extended Dictionary | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | OpenExtendedDict | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOffSavingAutoTuningDataToFile -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile +``` + - - + + This policy setting allows you to turn off saving the auto-tuning result to file. -If you enable this policy setting, the auto-tuning data isn't saved to file. +If you enable this policy setting, the auto-tuning data is not saved to file. -If you disable or don't configure this policy setting, auto-tuning data is saved to file by default. +If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. This policy setting applies to Japanese Microsoft IME only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off saving auto-tuning data to file* -- GP name: *L_TurnOffSavingAutoTuningDataToFile* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOnCloudCandidate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOffSavingAutoTuningDataToFile | +| Friendly Name | Turn off saving auto-tuning data to file | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\imejp | +| Registry Value Name | SaveAutoTuneDataToFile | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOnCloudCandidate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnCloudCandidate +``` + - - + + This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -479,48 +516,61 @@ If you disable this policy setting, the functionality associated with this featu If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on cloud candidate* -- GP name: *L_TurnOnCloudCandidate* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOnCloudCandidateCHS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOnCloudCandidate | +| Friendly Name | Turn on cloud candidate | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\Shared | +| Registry Value Name | Enable Cloud Candidate | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOnCloudCandidateCHS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnCloudCandidateCHS +``` + - - + + This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. @@ -530,48 +580,65 @@ If you disable this policy setting, the functionality associated with this featu If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. This Policy setting applies only to Microsoft CHS Pinyin IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on cloud candidate for CHS* -- GP name: *L_TurnOnCloudCandidateCHS* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_EAIME/L_TurnOnLexiconUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | L_TurnOnCloudCandidateCHS | +| Friendly Name | Turn on cloud candidate for CHS | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | Software\Policies\Microsoft\InputMethod\Settings\CHS | +| Registry Value Name | Enable Cloud Candidate | +| ADMX File Name | EAIME.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## L_TurnOnLexiconUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnLexiconUpdate +``` + - - + + + + + + This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. @@ -581,48 +648,51 @@ If you disable this policy setting, the functionality associated with this featu If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature. This Policy setting applies only to Microsoft CHS Pinyin IME. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn on lexicon update* -- GP name: *L_TurnOnLexiconUpdate* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    + + - -**ADMX_EAIME/L_TurnOnLiveStickers** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## L_TurnOnLiveStickers - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnLiveStickers +``` + -> [!div class = "checklist"] -> * User + + + -
    - - - + + This policy setting controls the live sticker feature, which uses an online service to provide stickers online. If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. @@ -632,72 +702,98 @@ If you disable this policy setting, the functionality associated with this featu If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature. This Policy setting applies only to Microsoft CHS Pinyin IME. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn on Live Sticker* -- GP name: *L_TurnOnLiveStickers* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    + + - -**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## L_TurnOnMisconversionLoggingForMisconversionReport - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport +``` + -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. -If you disable or don't configure this policy setting, misconversion logging is turned off. +If you disable or do not configure this policy setting, misconversion logging is turned off. This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on misconversion logging for misconversion report* -- GP name: *L_TurnOnMisconversionLoggingForMisconversionReport* -- GP path: *Windows Components\IME* -- GP ADMX file name: *EAIME.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | L_TurnOnMisconversionLoggingForMisconversionReport | +| Friendly Name | Turn on misconversion logging for misconversion report | +| Location | User Configuration | +| Path | Windows Components > IME | +| Registry Key Name | software\policies\microsoft\ime\shared | +| Registry Value Name | misconvlogging | +| ADMX File Name | EAIME.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 3e68fe88f8..c233fee0f8 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -1,92 +1,100 @@ --- -title: Policy CSP - ADMX_EncryptFilesonMove -description: Learn about the Policy CSP - ADMX_EncryptFilesonMove. +title: ADMX_EncryptFilesonMove Policy CSP +description: Learn more about the ADMX_EncryptFilesonMove Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EncryptFilesonMove > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EncryptFilesonMove policies + +## NoEncryptOnMove -
    -
    - ADMX_EncryptFilesonMove/NoEncryptOnMove -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EncryptFilesonMove/NoEncryptOnMove +``` + -
    - - -**ADMX_EncryptFilesonMove/NoEncryptOnMove** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. -If you enable this policy setting, File Explorer won't automatically encrypt files that are moved to an encrypted folder. +If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. -If you disable or don't configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. +If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not automatically encrypt files moved to encrypted folders* -- GP name: *NoEncryptOnMove* -- GP path: *System* -- GP ADMX file name: *EncryptFilesonMove.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoEncryptOnMove | +| Friendly Name | Do not automatically encrypt files moved to encrypted folders | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoEncryptOnMove | +| ADMX File Name | EncryptFilesonMove.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index c8a720e1e6..b8fe9e6112 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -1,336 +1,400 @@ --- -title: Policy CSP - ADMX_EnhancedStorage -description: Learn about the Policy CSP - ADMX_EnhancedStorage. +title: ADMX_EnhancedStorage Policy CSP +description: Learn more about the ADMX_EnhancedStorage Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EnhancedStorage > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EnhancedStorage policies + +## ApprovedEnStorDevices -
    -
    - ADMX_EnhancedStorage/ApprovedEnStorDevices -
    -
    - ADMX_EnhancedStorage/ApprovedSilos -
    -
    - ADMX_EnhancedStorage/DisablePasswordAuthentication -
    -
    - ADMX_EnhancedStorage/DisallowLegacyDiskDevices -
    -
    - ADMX_EnhancedStorage/LockDeviceOnMachineLock -
    -
    - ADMX_EnhancedStorage/RootHubConnectedEnStorDevices -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/ApprovedEnStorDevices +``` + -
    - - -**ADMX_EnhancedStorage/ApprovedEnStorDevices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure a list of Enhanced Storage devices that contain a manufacturer and product ID that are usable on your computer. + + +This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. -If you disable or don't configure this policy setting, all Enhanced Storage devices are usable on your computer. +If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. + - + + + - -ADMX Info: -- GP Friendly name: *Configure list of Enhanced Storage devices usable on your computer* -- GP name: *ApprovedEnStorDevices* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/ApprovedSilos** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ApprovedEnStorDevices | +| Friendly Name | Configure list of Enhanced Storage devices usable on your computer | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices | +| Registry Value Name | PolicyEnabled | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ApprovedSilos -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that is usable on your computer. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/ApprovedSilos +``` + + + + +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. -If you disable or don't configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. +If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. + - + + + - -ADMX Info: -- GP Friendly name: *Configure list of IEEE 1667 silos usable on your computer* -- GP name: *ApprovedSilos* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/DisablePasswordAuthentication** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ApprovedSilos | +| Friendly Name | Configure list of IEEE 1667 silos usable on your computer | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedSilos | +| Registry Value Name | SiloAllowListPolicy | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisablePasswordAuthentication -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/DisablePasswordAuthentication +``` + + + + This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. -If you enable this policy setting, a password can't be used to unlock an Enhanced Storage device. +If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. -If you disable or don't configure this policy setting, a password can be used to unlock an Enhanced Storage device. +If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow password authentication of Enhanced Storage devices* -- GP name: *DisablePasswordAuthentication* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/DisallowLegacyDiskDevices** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisablePasswordAuthentication | +| Friendly Name | Do not allow password authentication of Enhanced Storage devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | DisablePasswordAuthentication | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisallowLegacyDiskDevices -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/DisallowLegacyDiskDevices +``` + + + + This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. -If you enable this policy setting, non-Enhanced Storage removable devices aren't allowed on your computer. +If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. -If you disable or don't configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. +If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow non-Enhanced Storage removable devices* -- GP name: *DisallowLegacyDiskDevices* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/LockDeviceOnMachineLock** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisallowLegacyDiskDevices | +| Friendly Name | Do not allow non-Enhanced Storage removable devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | DisallowLegacyDiskDevices | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## LockDeviceOnMachineLock -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/LockDeviceOnMachineLock +``` + + + + This policy setting locks Enhanced Storage devices when the computer is locked. ->[!Note] ->This policy setting is supported in Windows Server SKUs only. +This policy setting is supported in Windows Server SKUs only. If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. -If you disable or don't configure this policy setting, the Enhanced Storage device state isn't changed when the computer is locked. +If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. + - + + + - -ADMX Info: -- GP Friendly name: *Lock Enhanced Storage when the computer is locked* -- GP name: *LockDeviceOnMachineLock* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LockDeviceOnMachineLock | +| Friendly Name | Lock Enhanced Storage when the computer is locked | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | LockDeviceOnMachineLock | +| ADMX File Name | EnhancedStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RootHubConnectedEnStorDevices -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EnhancedStorage/RootHubConnectedEnStorDevices +``` + + + + This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. -If you disable or don't configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. +If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. + - + + + - -ADMX Info: -- GP Friendly name: *Allow only USB root hub connected Enhanced Storage devices* -- GP name: *RootHubConnectedEnStorDevices* -- GP path: *System\Enhanced Storage Access* -- GP ADMX file name: *EnhancedStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | RootHubConnectedEnStorDevices | +| Friendly Name | Allow only USB root hub connected Enhanced Storage devices | +| Location | Computer Configuration | +| Path | System > Enhanced Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\EnhancedStorageDevices | +| Registry Value Name | RootHubConnectedEnStorDevices | +| ADMX File Name | EnhancedStorage.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 3eb7a233ee..a16a17919c 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,1519 +1,1838 @@ --- -title: Policy CSP - ADMX_ErrorReporting -description: Learn about the Policy CSP - ADMX_ErrorReporting. +title: ADMX_ErrorReporting Policy CSP +description: Learn more about the ADMX_ErrorReporting Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ErrorReporting -
    - - -## ADMX_ErrorReporting policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneDef -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneEx -
    -
    - ADMX_ErrorReporting/PCH_AllOrNoneInc -
    -
    - ADMX_ErrorReporting/PCH_ConfigureReport -
    -
    - ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults -
    -
    - ADMX_ErrorReporting/WerArchive_1 -
    -
    - ADMX_ErrorReporting/WerArchive_2 -
    -
    - ADMX_ErrorReporting/WerAutoApproveOSDumps_1 -
    -
    - ADMX_ErrorReporting/WerAutoApproveOSDumps_2 -
    -
    - ADMX_ErrorReporting/WerBypassDataThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassDataThrottling_2 -
    -
    - ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 -
    -
    - ADMX_ErrorReporting/WerBypassPowerThrottling_1 -
    -
    - ADMX_ErrorReporting/WerBypassPowerThrottling_2 -
    -
    - ADMX_ErrorReporting/WerCER -
    -
    - ADMX_ErrorReporting/WerConsentCustomize_1 -
    -
    - ADMX_ErrorReporting/WerConsentOverride_1 -
    -
    - ADMX_ErrorReporting/WerConsentOverride_2 -
    -
    - ADMX_ErrorReporting/WerDefaultConsent_1 -
    -
    - ADMX_ErrorReporting/WerDefaultConsent_2 -
    -
    - ADMX_ErrorReporting/WerDisable_1 -
    -
    - ADMX_ErrorReporting/WerExlusion_1 -
    -
    - ADMX_ErrorReporting/WerExlusion_2 -
    -
    - ADMX_ErrorReporting/WerNoLogging_1 -
    -
    - ADMX_ErrorReporting/WerNoLogging_2 -
    -
    - ADMX_ErrorReporting/WerNoSecondLevelData_1 -
    -
    - ADMX_ErrorReporting/WerQueue_1 -
    -
    - ADMX_ErrorReporting/WerQueue_2 -
    -
    + + + + +## PCH_AllOrNoneDef -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_ErrorReporting/PCH_AllOrNoneDef** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_AllOrNoneDef +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. -If you disable or don't configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. +If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. + - + + + - -ADMX Info: -- GP Friendly name: *Default application reporting settings* -- GP name: *PCH_AllOrNoneDef* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/PCH_AllOrNoneEx** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PCH_AllOrNoneDef | +| Friendly Name | Default application reporting settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PCH_AllOrNoneEx -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_AllOrNoneEx +``` + + + + This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. -If you disable or don't configure this policy setting, the Default application reporting settings policy setting takes precedence. +If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *List of applications to never report errors for* -- GP name: *PCH_AllOrNoneEx* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/PCH_AllOrNoneInc** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PCH_AllOrNoneEx | +| Friendly Name | List of applications to never report errors for | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PCH_AllOrNoneInc -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_AllOrNoneInc +``` + + + + This policy setting specifies applications for which Windows Error Reporting should always report errors. -To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list aren't reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. +To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. -If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. +If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) ->[!Note] ->The Microsoft applications category includes the Windows components category. +If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. -If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence. - -Also, see the "Default Application Reporting" and "Application Exclusion List" policies. +Also see the ""Default Application Reporting"" and ""Application Exclusion List"" policies. This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *List of applications to always report errors for* -- GP name: *PCH_AllOrNoneInc* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ErrorReporting/PCH_ConfigureReport** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PCH_AllOrNoneInc | +| Friendly Name | List of applications to always report errors for | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PCH_ConfigureReport -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_ConfigureReport +``` + - - + + This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. -This policy setting doesn't enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. +This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. -> [!IMPORTANT] -> If the Turn off Windows Error Reporting policy setting isn't configured, then Control Panel settings for Windows Error Reporting override this policy setting. +Important: If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. -If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that aren't configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: +If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: -- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you don't want error dialog boxes to display links to Microsoft websites. -- "Do not collect additional files": Select this option if you don't want extra files to be collected and included in error reports. -- "Do not collect additional computer data": Select this option if you don't want additional information about the computer to be collected and included in error reports. -- "Force queue mode for application errors": Select this option if you don't want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to sign in to the computer can send the error reports to Microsoft. -- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to sign in to the computer can send the error reports to Microsoft. -- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. +- ""Do not display links to any Microsoft ‘More information’ websites"": Select this option if you do not want error dialog boxes to display links to Microsoft websites. -If you don't configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. +- ""Do not collect additional files"": Select this option if you do not want additional files to be collected and included in error reports. + +- ""Do not collect additional computer data"": Select this if you do not want additional information about the computer to be collected and included in error reports. + +- ""Force queue mode for application errors"": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. + +- ""Corporate file path"": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. + +- ""Replace instances of the word ‘Microsoft’ with"": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. + +If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. If you disable this policy setting, configuration settings in the policy setting are left blank. -See related policy settings Display Error Notification (same folder as this policy setting), and turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. +See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Error Reporting* -- GP name: *PCH_ConfigureReport* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PCH_ConfigureReport | +| Friendly Name | Configure Error Reporting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PCH_ReportOperatingSystemFaults -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults +``` + + + + This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. If you enable this policy setting, Windows Error Reporting includes operating system errors. -If you disable this policy setting, operating system errors aren't included in error reports. +If you disable this policy setting, operating system errors are not included in error reports. -If you don't configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. +If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. See also the Configure Error Reporting policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Report operating system errors* -- GP name: *PCH_ReportOperatingSystemFaults* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerArchive_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PCH_ReportOperatingSystemFaults | +| Friendly Name | Report operating system errors | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| Registry Value Name | IncludeKernelFaults | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerArchive_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerArchive_2 +``` + + + + This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. -If you disable or don't configure this policy setting, no Windows Error Reporting information is stored. +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Report Archive* -- GP name: *WerArchive_1* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerArchive_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|No|No| +| Name | Value | +|:--|:--| +| Name | WerArchive | +| Friendly Name | Configure Report Archive | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableArchive | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerAutoApproveOSDumps_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting controls the behavior of the Windows Error Reporting archive. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerAutoApproveOSDumps_2 +``` + -If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + + +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. -If you disable or don't configure this policy setting, no Windows Error Reporting information is stored. - - - - -ADMX Info: -- GP Friendly name: *Configure Report Archive* -- GP name: *WerArchive_2* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerAutoApproveOSDumps_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps. - -If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + - + + + - -ADMX Info: -- GP Friendly name: *Automatically send memory dumps for OS-generated error reports* -- GP name: *WerAutoApproveOSDumps_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerAutoApproveOSDumps_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|No|No| +| Name | Value | +|:--|:--| +| Name | WerAutoApproveOSDumps | +| Friendly Name | Automatically send memory dumps for OS-generated error reports | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | AutoApproveOSDumps | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerBypassDataThrottling_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy doesn't apply to error reports generated by 3rd-party products, or to data other than memory dumps. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassDataThrottling_2 +``` + -If you enable or don't configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + + +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. -If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. - -ADMX Info: -- GP Friendly name: *Automatically send memory dumps for OS-generated error reports* -- GP name: *WerAutoApproveOSDumps_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + - - -
    + + + - -**ADMX_ErrorReporting/WerBypassDataThrottling_1** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | WerBypassDataThrottling | +| Friendly Name | Do not throttle additional data | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassDataThrottling | +| ADMX File Name | ErrorReporting.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - -This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server. + +## WerBypassNetworkCostThrottling_2 -If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 +``` + - - - -ADMX Info: -- GP Friendly name: *Do not throttle additional data* -- GP name: *WerBypassDataThrottling_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerBypassDataThrottling_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether Windows Error Reporting (WER) sends more first-level report data, accompanied by second-level report data, even if a CAB file containing data about the same event types has already been uploaded to the server. - -If you enable this policy setting, WER doesn't throttle data; that is, WER uploads more CAB files that can contain data about the same event types as an earlier uploaded report. - -If you disable or don't configure this policy setting, WER throttles data by default; that is, WER doesn't upload more than one CAB file for a report that contains data about the same event types. - - - - -ADMX Info: -- GP Friendly name: *Do not throttle additional data* -- GP name: *WerBypassDataThrottling_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. -If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted. +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. -If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed. +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + - + + + - -ADMX Info: -- GP Friendly name: *Send data when on connected to a restricted/costed network* -- GP name: *WerBypassNetworkCostThrottling_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerBypassNetworkCostThrottling | +| Friendly Name | Send data when on connected to a restricted/costed network | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassNetworkCostThrottling | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerBypassPowerThrottling_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassPowerThrottling_2 +``` + -If you enable this policy setting, WER doesn't check for network cost policy restrictions, and transmits data even if network cost is restricted. + + +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. -If you disable or don't configure this policy setting, WER doesn't send data, but will check the network cost policy again if the network profile is changed. +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. - +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + - -ADMX Info: -- GP Friendly name: *Send data when on connected to a restricted/costed network* -- GP name: *WerBypassNetworkCostThrottling_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_ErrorReporting/WerBypassPowerThrottling_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WerBypassPowerThrottling | +| Friendly Name | Send additional data when on battery power | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassPowerThrottling | +| ADMX File Name | ErrorReporting.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## WerCER - - -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerCER +``` + -If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source. - - - - -ADMX Info: -- GP Friendly name: *Send additional data when on battery power* -- GP name: *WerBypassPowerThrottling_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerBypassPowerThrottling_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but doesn't upload extra report data until the computer is connected to a more permanent power source. - -If you enable this policy setting, WER doesn't determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. - -If you disable or don't configure this policy setting, WER checks for solutions while a computer is running on battery power, but doesn't upload report data until the computer is connected to a more permanent power source. - - - - -ADMX Info: -- GP Friendly name: *Send additional data when on battery power* -- GP name: *WerBypassPowerThrottling_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerCER** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you don't want to send error reports to Microsoft). + + +This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. -If you disable or don't configure this policy setting, Windows Error Reporting sends error reports to Microsoft. +If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Corporate Windows Error Reporting* -- GP name: *WerCER* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerConsentCustomize_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerCER | +| Friendly Name | Configure Corporate Windows Error Reporting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## WerConsentOverride_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentOverride_2 +``` + -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those types meant for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - -- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. -- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send more data requested by Microsoft. -- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send more data requested by Microsoft. -- 4 (Send all data): Any data requested by Microsoft is sent automatically. - -If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. - - - - -ADMX Info: -- GP Friendly name: *Customize consent settings* -- GP name: *WerConsentCustomize_1* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerConsentOverride_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|No|No| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. -If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + - + + + - -ADMX Info: -- GP Friendly name: *Ignore custom consent settings* -- GP name: *WerConsentOverride_1* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerConsentOverride_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerConsentOverride | +| Friendly Name | Ignore custom consent settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| Registry Value Name | DefaultOverrideBehavior | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerDefaultConsent_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDefaultConsent_2 +``` + -If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. - -If you disable or don't configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. - - - - -ADMX Info: -- GP Friendly name: *Ignore custom consent settings* -- GP name: *WerConsentOverride_2* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerDefaultConsent_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: -- **Always ask before sending data**: Windows prompts users for consent to send reports. -- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. -- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. -- **Send all data**: any error reporting data requested by Microsoft is sent automatically. +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Default consent* -- GP name: *WerDefaultConsent_1* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerDefaultConsent_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerDefaultConsent | +| Friendly Name | Configure Default consent | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerExlusion_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines the default consent behavior of Windows Error Reporting. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerExlusion_2 +``` + -If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: - -- **Always ask before sending data**: Windows prompts users for consent to send reports. -- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. -- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. -- **Send all data**: any error reporting data requested by Microsoft is sent automatically. - -If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. - - - - -ADMX Info: -- GP Friendly name: *Configure Default consent* -- GP name: *WerDefaultConsent_2* -- GP path: *Windows Components\Windows Error Reporting\Consent* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerDisable_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. - -If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. - -If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. - - - - -ADMX Info: -- GP Friendly name: *Disable Windows Error Reporting* -- GP name: *WerDisable_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerExlusion_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. -If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default. +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *List of applications to be excluded* -- GP name: *WerExlusion_1* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ErrorReporting/WerExlusion_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerExlusion | +| Friendly Name | List of applications to be excluded | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WerNoLogging_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoLogging_2 +``` + - - -This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. - -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. - -If you disable or don't configure this policy setting, errors are reported on all Microsoft and Windows applications by default. - - - - -ADMX Info: -- GP Friendly name: *List of applications to be excluded* -- GP name: *WerExlusion_2* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerNoLogging_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. -If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log. +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. -If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + - + + + - -ADMX Info: -- GP Friendly name: *Disable logging* -- GP name: *WerNoLogging_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_ErrorReporting/WerNoLogging_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WerNoLogging | +| Friendly Name | Disable logging | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | LoggingDisabled | +| ADMX File Name | ErrorReporting.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WerQueue_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerQueue_2 +``` + -If you enable this policy setting, Windows Error Reporting events aren't recorded in the system event log. - -If you disable or don't configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. - - - - -ADMX Info: -- GP Friendly name: *Disable logging* -- GP name: *WerNoLogging_2* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerNoSecondLevelData_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting controls whether more data in support of error reports can be sent to Microsoft automatically. - -If you enable this policy setting, any extra-data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. - -If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. - - - - -ADMX Info: -- GP Friendly name: *Do not send additional data* -- GP name: *WerNoSecondLevelData_1* -- GP path: *Windows Components\Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerQueue_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines the behavior of the Windows Error Reporting report queue. - -If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. - -The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. - -If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs. - - - - -ADMX Info: -- GP Friendly name: *Configure Report Queue* -- GP name: *WerQueue_1* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* - - - -
    - - -**ADMX_ErrorReporting/WerQueue_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. -If you disable or don't configure this policy setting, Windows Error Reporting reports aren't queued, and users can only send reports at the time that a problem occurs. +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Report Queue* -- GP name: *WerQueue_2* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | WerQueue | +| Friendly Name | Configure Report Queue | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableQueue | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerArchive_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerArchive_1 +``` + + + + +This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerArchive | +| Friendly Name | Configure Report Archive | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableArchive | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerAutoApproveOSDumps_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerAutoApproveOSDumps_1 +``` + + + + +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerAutoApproveOSDumps | +| Friendly Name | Automatically send memory dumps for OS-generated error reports | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | AutoApproveOSDumps | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerBypassDataThrottling_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassDataThrottling_1 +``` + + + + +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerBypassDataThrottling | +| Friendly Name | Do not throttle additional data | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassDataThrottling | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerBypassNetworkCostThrottling_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +``` + + + + +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerBypassNetworkCostThrottling | +| Friendly Name | Send data when on connected to a restricted/costed network | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassNetworkCostThrottling | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerBypassPowerThrottling_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassPowerThrottling_1 +``` + + + + +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerBypassPowerThrottling | +| Friendly Name | Send additional data when on battery power | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassPowerThrottling | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerConsentCustomize_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentCustomize_1 +``` + + + + +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerConsentCustomize | +| Friendly Name | Customize consent settings | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerConsentOverride_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentOverride_1 +``` + + + + +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerConsentOverride | +| Friendly Name | Ignore custom consent settings | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| Registry Value Name | DefaultOverrideBehavior | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerDefaultConsent_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDefaultConsent_1 +``` + + + + +This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerDefaultConsent | +| Friendly Name | Configure Default consent | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerDisable_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDisable_1 +``` + + + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerDisable | +| Friendly Name | Disable Windows Error Reporting | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | Disabled | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerExlusion_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerExlusion_1 +``` + + + + +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerExlusion | +| Friendly Name | List of applications to be excluded | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerNoLogging_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoLogging_1 +``` + + + + +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerNoLogging | +| Friendly Name | Disable logging | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | LoggingDisabled | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerNoSecondLevelData_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoSecondLevelData_1 +``` + + + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerNoSecondLevelData | +| Friendly Name | Do not send additional data | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DontSendAdditionalData | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + +## WerQueue_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerQueue_1 +``` + + + + +This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerQueue | +| Friendly Name | Configure Report Queue | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableQueue | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 227a9dfb49..7475c803aa 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,153 +1,161 @@ --- -title: Policy CSP - ADMX_EventForwarding -description: Learn about the Policy CSP - ADMX_EventForwarding. +title: ADMX_EventForwarding Policy CSP +description: Learn more about the ADMX_EventForwarding Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventForwarding - -
    - - -## ADMX_EventForwarding policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_EventForwarding/ForwarderResourceUsage -
    -
    - ADMX_EventForwarding/SubscriptionManager -
    -
    + + + + +## ForwarderResourceUsage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_EventForwarding/ForwarderResourceUsage** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventForwarding/ForwarderResourceUsage +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. -If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This volume-control may be required in high-volume environments. +If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. -If you disable or don't configure this policy setting, forwarder resource usage isn't specified. +If you disable or do not configure this policy setting, forwarder resource usage is not specified. This setting applies across all subscriptions for the forwarder (source computer). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure forwarder resource usage* -- GP name: *ForwarderResourceUsage* -- GP path: *Windows Components/Event Forwarding* -- GP ADMX file name: *EventForwarding.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_EventForwarding/SubscriptionManager** +| Name | Value | +|:--|:--| +| Name | ForwarderResourceUsage | +| Friendly Name | Configure forwarder resource usage | +| Location | Computer Configuration | +| Path | Windows Components > Event Forwarding | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\EventForwarding | +| ADMX File Name | EventForwarding.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SubscriptionManager - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventForwarding/SubscriptionManager +``` + -
    - - - + + This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. Use the following syntax when using the HTTPS protocol: +Server=https://``:5986/wsman/SubscriptionManager/WEC,Refresh=``,IssuerCA=``. When using the HTTP protocol, use port 5985. -``` syntax -Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. -``` +If you disable or do not configure this policy setting, the Event Collector computer will not be specified. + ->[!Note] -> When using the HTTP protocol, use port 5985. + + + -If you disable or don't configure this policy setting, the Event Collector computer won't be specified. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure target Subscription Manager* -- GP name: *SubscriptionManager* -- GP path: *Windows Components/Event Forwarding* -- GP ADMX file name: *EventForwarding.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SubscriptionManager | +| Friendly Name | Configure target Subscription Manager | +| Location | Computer Configuration | +| Path | Windows Components > Event Forwarding | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\EventForwarding | +| ADMX File Name | EventForwarding.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index c16f154c2f..c8adf75d8a 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,1109 +1,1315 @@ --- -title: Policy CSP - ADMX_EventLog -description: Learn about the Policy CSP - ADMX_EventLog. +title: ADMX_EventLog Policy CSP +description: Learn more about the ADMX_EventLog Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventLog -
    - - -## ADMX_EventLog policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_EventLog/Channel_LogEnabled -
    -
    - ADMX_EventLog/Channel_LogFilePath_1 -
    -
    - ADMX_EventLog/Channel_LogFilePath_2 -
    -
    - ADMX_EventLog/Channel_LogFilePath_3 -
    -
    - ADMX_EventLog/Channel_LogFilePath_4 -
    -
    - ADMX_EventLog/Channel_LogMaxSize_3 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_1 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_2 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_3 -
    -
    - ADMX_EventLog/Channel_Log_AutoBackup_4 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_1 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_2 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_3 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_4 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_5 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_6 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_7 -
    -
    - ADMX_EventLog/Channel_Log_FileLogAccess_8 -
    -
    - ADMX_EventLog/Channel_Log_Retention_2 -
    -
    - ADMX_EventLog/Channel_Log_Retention_3 -
    -
    - ADMX_EventLog/Channel_Log_Retention_4 -
    -
    + + + + +## Channel_Log_AutoBackup_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_EventLog/Channel_LogEnabled** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_1 +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting turns on logging. - -If you enable or don't configure this policy setting, then events can be written to this log. - -If the policy setting is disabled, then no new events can be logged. - ->[!Note] -> Events can always be read from the log, regardless of this policy setting. - - - - -ADMX Info: -- GP Friendly name: *Turn on logging* -- GP name: *Channel_LogEnabled* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_LogFilePath_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. - -If you enable this policy setting, the Event Log uses the path specified in this policy setting. - -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. - - - - -ADMX Info: -- GP Friendly name: *Control the location of the log file* -- GP name: *Channel_LogFilePath_1* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_LogFilePath_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. - -If you enable this policy setting, the Event Log uses the path specified in this policy setting. - -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. - - - - -ADMX Info: -- GP Friendly name: *Control the location of the log file* -- GP name: *Channel_LogFilePath_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_LogFilePath_3** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. - -If you enable this policy setting, the Event Log uses the path specified in this policy setting. - -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. - - - - -ADMX Info: -- GP Friendly name: *Control the location of the log file* -- GP name: *Channel_LogFilePath_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_LogFilePath_4** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. - -If you enable this policy setting, the Event Log uses the path specified in this policy setting. - -If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. - - - - -ADMX Info: -- GP Friendly name: *Turn on logging* -- GP name: *Channel_LogFilePath_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_LogMaxSize_3** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes), in kilobyte increments. - -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. - - - - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* - - - -
    - - -**ADMX_EventLog/Channel_Log_AutoBackup_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + - + + + - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_1* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_AutoBackup_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_AutoBackup_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_2 +``` + + + + This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + - + + + - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_AutoBackup_3** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_AutoBackup_3 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_3 +``` + + + + This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + - + + + - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_AutoBackup_4** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_AutoBackup_4 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_4 +``` + + + + This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started. +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + - + + + - -ADMX Info: -- GP Friendly name: *Back up log automatically when full* -- GP name: *Channel_Log_AutoBackup_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_AutoBackup | +| Friendly Name | Back up log automatically when full | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| Registry Value Name | AutoBackupLogFiles | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_1 +``` + + + + This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. -If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log. +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_1* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_2 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. -If you disable or don't configure this policy setting, only system software and administrators can read or clear this log. +If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_3** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_3 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_3 +``` + + + + This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. -If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log. +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_4** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_4 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_4 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. -If you disable or don't configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. +If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. -> [!NOTE] -> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access* -- GP name: *Channel_Log_FileLogAccess_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_5** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess | +| Friendly Name | Configure log access | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_5 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_5 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. -If you don't configure this policy setting, the previous policy setting configuration remains in effect. +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_5* -- GP path: *Windows Components\Event Log Service\Application* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_6** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_Legacy | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\Application | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_6 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_6 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. If you disable this policy setting, only system software and administrators can read or clear this log. -If you don't configure this policy setting, the previous policy setting configuration remains in effect. +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_6* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_7** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_Legacy | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\Security | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_7 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_7 +``` + + + + +This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, only those users matching the security descriptor can access the log. If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. -If you don't configure this policy setting, the previous policy setting configuration remains in effect. +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_7* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_FileLogAccess_8** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_Legacy | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\Setup | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_FileLogAccess_8 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_8 +``` + + + + This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. -If you don't configure this policy setting, the previous policy setting configuration remains in effect. +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + - + + + - -ADMX Info: -- GP Friendly name: *Configure log access (legacy)* -- GP name: *Channel_Log_FileLogAccess_8* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_Retention_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|No|No| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_FileLogAccess_Legacy | +| Friendly Name | Configure log access (legacy) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | System\CurrentControlSet\Services\EventLog\System | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_Retention_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_2 +``` + + + + This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. ->[!Note] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_2* -- GP path: *Windows Components\Event Log Service\Security* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_Retention_3** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Channel_Log_Retention_3 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_3 +``` + + + + This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. ->[!Note] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_3* -- GP path: *Windows Components\Event Log Service\Setup* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_EventLog/Channel_Log_Retention_4** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Channel_Log_Retention_4 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_4 +``` + - - + + This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. ->[!Note] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_4* -- GP path: *Windows Components\Event Log Service\System* -- GP ADMX file name: *EventLog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogEnabled +``` + + + + +This policy setting turns on logging. + +If you enable or do not configure this policy setting, then events can be written to this log. + +If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_LogEnabled | +| Friendly Name | Turn on logging | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| Registry Value Name | Enabled | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogFilePath_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_1 +``` + + + + +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogFilePath_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_2 +``` + + + + +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogFilePath_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_3 +``` + + + + +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogFilePath_4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_4 +``` + + + + +This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_LogFilePath | +| Friendly Name | Control the location of the log file | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| ADMX File Name | EventLog.admx | + + + + + + + + + +## Channel_LogMaxSize_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogMaxSize_3 +``` + + + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Setup | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup | +| ADMX File Name | EventLog.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index f4391621bc..683fb90ac1 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,91 +1,98 @@ --- -title: Policy CSP - ADMX_EventLogging -description: Learn about the Policy CSP - ADMX_EventLogging. +title: ADMX_EventLogging Policy CSP +description: Learn more about the ADMX_EventLogging Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/12/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventLogging > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EventLogging policies + +## EnableProtectedEventLogging -
    -
    - ADMX_EventLogging/EnableProtectedEventLogging -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventLogging/EnableProtectedEventLogging +``` + -
    - - -**ADMX_EventLogging/EnableProtectedEventLogging** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you configure Protected Event Logging. -If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. +If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with. -You can use the `Unprotect-CmsMessage` PowerShell cmdlet to decrypt these encrypted messages, if you have access to the private key corresponding to the public key that they were encrypted with. +If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log. + -If you disable or don't configure this policy setting, components won't encrypt event log messages before writing them to the event log. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Protected Event Logging* -- GP name: *EnableProtectedEventLogging* -- GP path: *Windows Components\Event Logging* -- GP ADMX file name: *EventLogging.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableProtectedEventLogging | +| Friendly Name | Enable Protected Event Logging | +| Location | Computer Configuration | +| Path | Windows Components > Event Logging | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging | +| Registry Value Name | EnableProtectedEventLogging | +| ADMX File Name | EventLogging.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index 813b284d14..1ca041f7cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -1,178 +1,203 @@ --- -title: Policy CSP - ADMX_EventViewer -description: Learn about the Policy CSP - ADMX_EventViewer. +title: ADMX_EventViewer Policy CSP +description: Learn more about the ADMX_EventViewer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/13/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_EventViewer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_EventViewer policies + +## EventViewer_RedirectionProgram -
    -
    - ADMX_EventViewer/EventViewer_RedirectionProgram -
    -
    - ADMX_EventViewer_RedirectionProgramCommandLineParameters -
    -
    - ADMX_EventViewer/EventViewer_RedirectionURL -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventViewer/EventViewer_RedirectionProgram +``` + -
    + + +This is the program that will be invoked when the user clicks the events.asp link. + - -**ADMX_EventViewer/EventViewer_RedirectionProgram** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | EventViewer_RedirectionProgram | +| Friendly Name | Events.asp program | +| Location | Computer Configuration | +| Path | Windows Components > Event Viewer | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| ADMX File Name | EventViewer.admx | + -
    + + + - - -This program is the one that will be invoked when the user clicks the `events.asp` link. + - + +## EventViewer_RedirectionProgramCommandLineParameters + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Events.asp program* -- GP name: *EventViewer_RedirectionProgram* -- GP path: *Windows Components\Event Viewer* -- GP ADMX file name: *EventViewer.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters +``` + - - -
    + + +This specifies the command line parameters that will be passed to the events.asp program + - -**ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | EventViewer_RedirectionProgramCommandLineParameters | +| Friendly Name | Events.asp program command line parameters | +| Location | Computer Configuration | +| Path | Windows Components > Event Viewer | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| ADMX File Name | EventViewer.admx | + -
    + + + - - -This program specifies the command line parameters that will be passed to the `events.asp` program. + - + +## EventViewer_RedirectionURL - -ADMX Info: -- GP Friendly name: *Events.asp program command line parameters* -- GP name: *EventViewer_RedirectionProgramCommandLineParameters* -- GP path: *Windows Components\Event Viewer* -- GP ADMX file name: *EventViewer.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_EventViewer/EventViewer_RedirectionURL +``` + - -**ADMX_EventViewer/EventViewer_RedirectionURL** + + +This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to use a different Web server to handle event information requests. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | EventViewer_RedirectionURL | +| Friendly Name | Events.asp URL | +| Location | Computer Configuration | +| Path | Windows Components > Event Viewer | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| ADMX File Name | EventViewer.admx | + - - -This URL is the one that will be passed to the Description area in the Event Properties dialog box. + + + -Change this value if you want to use a different Web server to handle event information requests. + - + + + - -ADMX Info: -- GP Friendly name: *Events.asp URL* -- GP name: *EventViewer_RedirectionURL* -- GP path: *Windows Components\Event Viewer* -- GP ADMX file name: *EventViewer.admx* + - - -
    +## Related articles - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index c4a13d5154..a2e6109ed4 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,283 +1,335 @@ --- -title: Policy CSP - ADMX_Explorer -description: Learn about the Policy CSP - ADMX_Explorer. +title: ADMX_Explorer Policy CSP +description: Learn more about the ADMX_Explorer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Explorer -
    - - -## ADMX_Explorer policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_Explorer/AdminInfoUrl -
    -
    - ADMX_Explorer/AlwaysShowClassicMenu -
    -
    - ADMX_Explorer/DisableRoamedProfileInit -
    -
    - ADMX_Explorer/PreventItemCreationInUsersFilesFolder -
    -
    - ADMX_Explorer/TurnOffSPIAnimations -
    -
    + + + + +## AdminInfoUrl -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_Explorer/AdminInfoUrl** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Explorer/AdminInfoUrl +``` + - + + +Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - -This policy setting sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +| Name | Value | +|:--|:--| +| Name | AdminInfoUrl | +| Friendly Name | Set a support web page link | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | Explorer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Set a support web page link* -- GP name: *AdminInfoUrl* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + - - -
    + +## DisableRoamedProfileInit - -**ADMX_Explorer/AlwaysShowClassicMenu** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Explorer/DisableRoamedProfileInit +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. - -
    +If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -Available in the latest Windows 10 Insider Preview Build. This policy setting configures File Explorer to always display the menu bar. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> [!NOTE] -> By default, the menu bar is not displayed in File Explorer. +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRoamedProfileInit | +| Friendly Name | Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableRoamedProfileInit | +| ADMX File Name | Explorer.admx | + + + + + + + + + +## AlwaysShowClassicMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Explorer/AlwaysShowClassicMenu +``` + + + + +This policy setting configures File Explorer to always display the menu bar. + +Note: By default, the menu bar is not displayed in File Explorer. If you enable this policy setting, the menu bar will be displayed in File Explorer. -If you disable or don't configure this policy setting, the menu bar won't be displayed in File Explorer. +If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer. -> [!NOTE] -> When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. +Note: When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. + - -ADMX Info: -- GP Friendly name: *Display the menu bar in File Explorer* -- GP name: *AlwaysShowClassicMenu* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + + +Available in the latest Windows 10 Insider Preview Build. + - - -
    + +**Description framework properties**: - -**ADMX_Explorer/DisableRoamedProfileInit** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | AlwaysShowClassicMenu | +| Friendly Name | Display the menu bar in File Explorer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | AlwaysShowClassicMenu | +| ADMX File Name | Explorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## PreventItemCreationInUsersFilesFolder - - -This policy setting allows administrators who have configured roaming profile with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer won't reinitialize default program associations and other settings to default values. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting on a machine that doesn't contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Explorer/PreventItemCreationInUsersFilesFolder +``` + - + + +This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. - -ADMX Info: -- GP Friendly name: *Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time* -- GP name: *DisableRoamedProfileInit* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* +If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. - - -
    +If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. - -**ADMX_Explorer/PreventItemCreationInUsersFilesFolder** - +Note: Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * User + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - -This policy setting allows administrators to prevent users from adding new items, such as files or folders to the root of their Users Files folder in File Explorer. +| Name | Value | +|:--|:--| +| Name | PreventItemCreationInUsersFilesFolder | +| Friendly Name | Prevent users from adding files to the root of their Users Files folder. | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreventItemCreationInUsersFilesFolder | +| ADMX File Name | Explorer.admx | + -If you enable this policy setting, users will no longer be able to add new items, such as files or folders to the root of their Users Files folder in File Explorer. + + + -If you disable or don't configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. + -> [!NOTE] -> Enabling this policy setting doesn't prevent the user from being able to add new items, such as files and folders to their actual file system profile folder at %userprofile%. + +## TurnOffSPIAnimations - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Prevent users from adding files to the root of their Users Files folder.* -- GP name: *PreventItemCreationInUsersFilesFolder* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Explorer/TurnOffSPIAnimations +``` + - - -
    + + +This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios. + - -**ADMX_Explorer/TurnOffSPIAnimations** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | TurnOffSPIAnimations | +| Friendly Name | Turn off common control and window animations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TurnOffSPIAnimations | +| ADMX File Name | Explorer.admx | + -
    + + + - - -This policy is similar to settings directly available to computer users. + -Disabling animations can improve usability for users with some visual disabilities, and also improve performance and battery life in some scenarios. + + + - + - -ADMX Info: -- GP Friendly name: *Turn off common control and window animations* -- GP name: *TurnOffSPIAnimations* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Explorer.admx* +## Related articles - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index e86fe56c4b..1bf343650f 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,193 +1,220 @@ --- -title: Policy CSP - ADMX_ExternalBoot -description: Learn about the Policy CSP - ADMX_ExternalBoot. +title: ADMX_ExternalBoot Policy CSP +description: Learn more about the ADMX_ExternalBoot Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/21/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/13/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ExternalBoot > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## Policy CSP - ADMX_ExternalBoot + +## PortableOperatingSystem_Hibernate -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Hibernate - -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Sleep - -
    -
    - ADMX_ExternalBoot/PortableOperatingSystem_Launcher - -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ExternalBoot/PortableOperatingSystem_Hibernate +``` + - -**ADMX_ExternalBoot/PortableOperatingSystem_Hibernate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. + + +Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. -If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, and can't hibernate the PC. +If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can't hibernate the PC. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow hibernate (S4) when starting from a Windows To Go workspace* -- GP name: *PortableOperatingSystem_Hibernate* -- GP path: *Windows Components\Portable Operating System* -- GP ADMX file name: *ExternalBoot.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PortableOperatingSystem_Hibernate_DisplayName | +| Friendly Name | Allow hibernate (S4) when starting from a Windows To Go workspace | +| Location | Computer Configuration | +| Path | Windows Components > Portable Operating System | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem | +| Registry Value Name | Hibernate | +| ADMX File Name | ExternalBoot.admx | + - -**ADMX_ExternalBoot/PortableOperatingSystem_Sleep** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## PortableOperatingSystem_Launcher - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ExternalBoot/PortableOperatingSystem_Launcher +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. -
    +If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item. - - -This policy specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. +If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. + +If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PortableOperatingSystem_Launcher_DisplayName | +| Friendly Name | Windows To Go Default Startup Options | +| Location | Computer Configuration | +| Path | Windows Components > Portable Operating System | +| Registry Key Name | Software\Policies\Microsoft\PortableOperatingSystem | +| Registry Value Name | Launcher | +| ADMX File Name | ExternalBoot.admx | + + + + + + + + + +## PortableOperatingSystem_Sleep + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ExternalBoot/PortableOperatingSystem_Sleep +``` + + + + +Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC sleep. If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace* -- GP name: *PortableOperatingSystem_Sleep* -- GP path: *Windows Components\Portable Operating System* -- GP ADMX file name: *ExternalBoot.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ExternalBoot/PortableOperatingSystem_Launcher** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PortableOperatingSystem_Sleep_DisplayName | +| Friendly Name | Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace | +| Location | Computer Configuration | +| Path | Windows Components > Portable Operating System | +| Registry Key Name | System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem | +| Registry Value Name | Sleep | +| ADMX File Name | ExternalBoot.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. - -If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users won't be able to make changes using the Windows To Go Startup Options Control Panel item. - -If you disable this setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the BIOS or other boot order configuration. - -If you don't configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. - - - - -ADMX Info: -- GP Friendly name: *Windows To Go Default Startup Options* -- GP name: *PortableOperatingSystem_Launcher* -- GP path: *Windows Components\Portable Operating System* -- GP ADMX file name: *ExternalBoot.admx* - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 88de0a6413..516eae188b 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,80 +1,111 @@ --- -title: Policy CSP - ADMX_FileRecovery -description: Learn about the Policy CSP - ADMX_FileRecovery. +title: ADMX_FileRecovery Policy CSP +description: Learn more about the ADMX_FileRecovery Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 03/24/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileRecovery > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -
    -
    - ADMX_FileRecovery/WdiScenarioExecutionPolicy -
    -
    + + + + +## WdiScenarioExecutionPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileRecovery/WdiScenarioExecutionPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileRecovery/WdiScenarioExecutionPolicy +``` + - + + +This policy setting allows you to configure the recovery behavior for corrupted files to one of three states: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery behavior for corrupted files. - -
    +Silent: Detection, troubleshooting, and recovery of corrupted files will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is recommended for headless operation. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Troubleshooting Only: Detection and troubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an administrator event with instructions if manual recovery is possible. -> [!div class = "checklist"] -
    +If you enable this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state. - - +If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. -> [!NOTE] -> This policy setting applies to all sites in Trusted zones. +If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular recovery behavior. - +No system or service restarts are required for changes to this policy to take immediate effect after a Group Policy refresh. +Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - -ADMX Info: -- GP ADMX file name: *FileRecovery.admx* + + +**Note** This policy setting applies to all sites in Trusted zones. + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Corrupted File Recovery behavior | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Corrupted File Recovery | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{8519d925-541e-4a2b-8b1e-8059d16082f2} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | FileRecovery.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index 7707136130..3a65ac03d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,91 +1,102 @@ --- -title: Policy CSP - ADMX_FileRevocation -description: Learn about the Policy CSP - ADMX_FileRevocation. +title: ADMX_FileRevocation Policy CSP +description: Learn more about the ADMX_FileRevocation Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/13/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileRevocation > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -
    -
    - ADMX_FileRevocation/DelegatedPackageFamilyNames -
    -
    + +## DelegatedPackageFamilyNames + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FileRevocation/DelegatedPackageFamilyNames +``` + - -**ADMX_FileRevocation/DelegatedPackageFamilyNames** + + +Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - - - -Windows Runtime applications can protect content that has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. -Example value: `Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy` +Example value: +Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. -If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. +If you disable or do not configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revoke access to content it protected. -Any other Windows Runtime application will only be able to revoke access to content it protected. +Note: File revocation applies to all content protected under the same second level domain as the provided enterprise identifier. So, revoking an enterprise ID of mail.contoso.com will revoke the user’s access to all content protected under the contoso.com hierarchy. + -> [!NOTE] -> Information the user should notice even if skimmingFile revocation applies to all content protected under the same second level domain as the provided enterprise identifier. Therefore, revoking an enterprise ID of `mail.contoso.com` will revoke the user’s access to all content protected under the contoso.com hierarchy. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Windows Runtime apps to revoke enterprise data.* -- GP name: *DelegatedPackageFamilyNames* -- GP path: *Windows Components\File Revocation* -- GP ADMX file name: *FileRevocation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DelegatedPackageFamilyNames_Name | +| Friendly Name | Allow Windows Runtime apps to revoke enterprise data | +| Location | User Configuration | +| Path | Windows Components > File Revocation | +| Registry Key Name | Software\Policies\Microsoft\Windows\FileRevocation | +| ADMX File Name | FileRevocation.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index ffb6a56824..87505ed986 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -1,92 +1,100 @@ --- -title: Policy CSP - ADMX_FileServerVSSProvider -description: Learn about the Policy CSP - ADMX_FileServerVSSProvider. +title: ADMX_FileServerVSSProvider Policy CSP +description: Learn more about the ADMX_FileServerVSSProvider Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileServerVSSProvider > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_FileServerVSSProvider policies + +## Pol_EncryptProtocol -
    -
    - ADMX_FileServerVSSProvider/Pol_EncryptProtocol -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileServerVSSProvider/Pol_EncryptProtocol +``` + -
    - - -**ADMX_FileServerVSSProvider/Pol_EncryptProtocol** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. + + +Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. -> [!NOTE] -> To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. +Note: To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service . + - + + + - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.* -- GP name: *Pol_EncryptProtocol* -- GP path: *System/File Share Shadow Copy Provider* -- GP ADMX file name: *FileServerVSSProvider.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | Pol_EncryptProtocol | +| Friendly Name | Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers. | +| Location | Computer Configuration | +| Path | System > File Share Shadow Copy Provider | +| Registry Key Name | Software\Policies\Microsoft\Windows\fssProv | +| Registry Value Name | EncryptProtocol | +| ADMX File Name | FileServerVSSProvider.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 89ca799f8e..8f838165cc 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,409 +1,503 @@ --- -title: Policy CSP - ADMX_FileSys -description: Learn about the Policy CSP - ADMX_FileSys. +title: ADMX_FileSys Policy CSP +description: Learn more about the ADMX_FileSys Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FileSys -
    - - -## ADMX_FileSys policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_FileSys/DisableCompression -
    -
    - ADMX_FileSys/DisableDeleteNotification -
    -
    - ADMX_FileSys/DisableEncryption -
    -
    - ADMX_FileSys/EnablePagefileEncryption -
    -
    - ADMX_FileSys/LongPathsEnabled -
    -
    - ADMX_FileSys/ShortNameCreationSettings -
    -
    - ADMX_FileSys/SymlinkEvaluation -
    -
    - ADMX_FileSys/TxfDeprecatedFunctionality -
    -
    + + + + +## DisableCompression -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileSys/DisableCompression** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/DisableCompression +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files. - +A reboot is required for this setting to take effect + + + + - -ADMX Info: -- GP Friendly name: *Do not allow compression on all NTFS volumes* -- GP name: *DisableCompression* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FileSys/DisableDeleteNotification** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableCompression | +| Friendly Name | Do not allow compression on all NTFS volumes | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsDisableCompression | +| ADMX File Name | FileSys.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DisableDeleteNotification - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/DisableDeleteNotification +``` + + + + Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. - A value of 1 will disable delete notifications for all volumes. + - + + + - -ADMX Info: -- GP Friendly name: *Disable delete notifications on all volumes* -- GP name: *DisableDeleteNotification* -- GP path: *System/Filesystem* -- GP ADMX file name: *FileSys.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FileSys/DisableEncryption** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableDeleteNotification | +| Friendly Name | Disable delete notifications on all volumes | +| Location | Computer Configuration | +| Path | System > Filesystem | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | DisableDeleteNotification | +| ADMX File Name | FileSys.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## DisableEncryption - - -Encryption can add to the processing overhead of filesystem operations. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Enabling this setting will prevent access to and creation of encrypted files. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/DisableEncryption +``` + - -ADMX Info: -- GP Friendly name: *Do not allow encryption on all NTFS volumes* -- GP name: *DisableEncryption* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + + +Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. - - -
    +A reboot is required for this setting to take effect + - -**ADMX_FileSys/EnablePagefileEncryption** + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DisableEncryption | +| Friendly Name | Do not allow encryption on all NTFS volumes | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsDisableEncryption | +| ADMX File Name | FileSys.admx | + - - -Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. + + + -Enabling this setting will cause the page files to be encrypted. + - + +## EnablePagefileEncryption - -ADMX Info: -- GP Friendly name: *Enable NTFS pagefile encryption* -- GP name: *EnablePagefileEncryption* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/EnablePagefileEncryption +``` + - -**ADMX_FileSys/LongPathsEnabled** + + +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - -Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. +| Name | Value | +|:--|:--| +| Name | EnablePagefileEncryption | +| Friendly Name | Enable NTFS pagefile encryption | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsEncryptPagingFile | +| ADMX File Name | FileSys.admx | + -Enabling this setting will cause the long paths to be accessible within the process. + + + - + - -ADMX Info: -- GP Friendly name: *Enable Win32 long paths* -- GP name: *LongPathsEnabled* -- GP path: *System/Filesystem* -- GP ADMX file name: *FileSys.admx* + +## LongPathsEnabled - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileSys/ShortNameCreationSettings** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/LongPathsEnabled +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit. Enabling this setting will cause the long paths to be accessible within the process. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. +**ADMX mapping**: -If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they'll never be generated. If you set short name creation to be configurable on a per volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. +| Name | Value | +|:--|:--| +| Name | LongPathsEnabled | +| Friendly Name | Enable Win32 long paths | +| Location | Computer Configuration | +| Path | System > Filesystem | +| Registry Key Name | System\CurrentControlSet\Control\FileSystem | +| Registry Value Name | LongPathsEnabled | +| ADMX File Name | FileSys.admx | + -If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume. + + + - + - -ADMX Info: -- GP Friendly name: *Short name creation options* -- GP name: *ShortNameCreationSettings* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + +## ShortNameCreationSettings - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FileSys/SymlinkEvaluation** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/ShortNameCreationSettings +``` + + + +These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShortNameCreationSettings | +| Friendly Name | Short name creation options | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| ADMX File Name | FileSys.admx | + + + + + + + + + +## SymlinkEvaluation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/SymlinkEvaluation +``` + + + + Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: -- Local Link to a Local Target -- Local Link to a Remote Target -- Remote Link to Remote Target -- Remote Link to Local Target +Local Link to a Local Target +Local Link to a Remote Target +Remote Link to Remote Target +Remote Link to Local Target -For more information, see the Windows Help section. +For further information please refer to the Windows Help section -> [!NOTE] -> If this policy is disabled or not configured, local administrators may select the types of symbolic links to be evaluated. +NOTE: If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated. + - + + + - -ADMX Info: -- GP Friendly name: *Selectively allow the evaluation of a symbolic link* -- GP name: *SymlinkEvaluation* -- GP path: *System/Filesystem* -- GP ADMX file name: *FileSys.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FileSys/TxfDeprecatedFunctionality** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | SymlinkEvaluation | +| Friendly Name | Selectively allow the evaluation of a symbolic link | +| Location | Computer Configuration | +| Path | System > Filesystem | +| Registry Key Name | Software\Policies\Microsoft\Windows\Filesystems\NTFS | +| Registry Value Name | SymLinkState | +| ADMX File Name | FileSys.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TxfDeprecatedFunctionality - - -TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FileSys/TxfDeprecatedFunctionality +``` + + + +TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Please enable it if you want to use these APIs. + - -ADMX Info: -- GP Friendly name: *Enable / disable TXF deprecated features* -- GP name: *TxfDeprecatedFunctionality* -- GP path: *System/Filesystem/NTFS* -- GP ADMX file name: *FileSys.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | TxfDeprecatedFunctionality | +| Friendly Name | Enable / disable TXF deprecated features | +| Location | Computer Configuration | +| Path | System > Filesystem > NTFS | +| Registry Key Name | System\CurrentControlSet\Policies | +| Registry Value Name | NtfsEnableTxfDeprecatedFunctionality | +| ADMX File Name | FileSys.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index 9098d1152d..083d17de33 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,407 +1,479 @@ --- -title: Policy CSP - ADMX_FolderRedirection -description: Learn about the Policy CSP - ADMX_FolderRedirection. +title: ADMX_FolderRedirection Policy CSP +description: Learn more about the ADMX_FolderRedirection Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FolderRedirection -
    - - -## ADMX_FolderRedirection policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_FolderRedirection/DisableFRAdminPin -
    -
    - ADMX_FolderRedirection/DisableFRAdminPinByFolder -
    -
    - ADMX_FolderRedirection/FolderRedirectionEnableCacheRename -
    -
    - ADMX_FolderRedirection/LocalizeXPRelativePaths_1 -
    -
    - ADMX_FolderRedirection/LocalizeXPRelativePaths_2 -
    -
    - ADMX_FolderRedirection/PrimaryComputer_FR_1 -
    -
    - ADMX_FolderRedirection/PrimaryComputer_FR_2 -
    -
    + + + + +## LocalizeXPRelativePaths_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_FolderRedirection/DisableFRAdminPin** - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/LocalizeXPRelativePaths_2 +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. - -
    +If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. -> [!div class = "checklist"] -> * User +Note: This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + -
    + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocalizeXPRelativePaths | +| Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | +| Location | Computer Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | LocalizeXPRelativePaths | +| ADMX File Name | FolderRedirection.admx | + + + + + + + + + +## PrimaryComputer_FR_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/PrimaryComputer_FR_2 +``` + + + + +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. + +If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. + +If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. + +Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrimaryComputerFr | +| Friendly Name | Redirect folders on primary computers only | +| Location | Computer Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | PrimaryComputerEnabledFR | +| ADMX File Name | FolderRedirection.admx | + + + + + + + + + +## DisableFRAdminPin + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/DisableFRAdminPin +``` + + + + This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, users must manually select the files they wish to make available offline. -If you disable or don't configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. +If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. -> [!NOTE] -> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. -> -> Don't enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. -> -> If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". +Note: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. - +Note: Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. - -ADMX Info: -- GP Friendly name: *Do not automatically make all redirected folders available offline* -- GP name: *DisableFRAdminPin* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* +Note: If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". + - - -
    + + + - -**ADMX_FolderRedirection/DisableFRAdminPinByFolder** - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | DisableFRAdminPin | +| Friendly Name | Do not automatically make all redirected folders available offline | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | DisableFRAdminPin | +| ADMX File Name | FolderRedirection.admx | + -
    + + + - - + + + +## DisableFRAdminPinByFolder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/DisableFRAdminPinByFolder +``` + + + + This policy setting allows you to control whether individual redirected shell folders are available offline by default. For the folders affected by this setting, users must manually select the files they wish to make available offline. -If you disable or don't configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. +If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. -> [!NOTE] -> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. -> -> The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". +Note: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. - +Note: The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". + - -ADMX Info: -- GP Friendly name: *Do not automatically make specific redirected folders available offline* -- GP name: *DisableFRAdminPinByFolder* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_FolderRedirection/FolderRedirectionEnableCacheRename** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableFRAdminPinByFolder | +| Friendly Name | Do not automatically make specific redirected folders available offline | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache\DisableFRAdminPinByFolder | +| ADMX File Name | FolderRedirection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## FolderRedirectionEnableCacheRename - - -This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or renamed in the Offline Files cache when a folder is redirected to a new location. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/FolderRedirectionEnableCacheRename +``` + + + + +This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. -If you disable or don't configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. +If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. + - + + + - -ADMX Info: -- GP Friendly name: *Enable optimized move of contents in Offline Files cache on Folder Redirection server path change* -- GP name: *FolderRedirectionEnableCacheRename* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/LocalizeXPRelativePaths_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FolderRedirectionEnableCacheRename | +| Friendly Name | Enable optimized move of contents in Offline Files cache on Folder Redirection server path change | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | FolderRedirectionEnableCacheRename | +| ADMX File Name | FolderRedirection.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## LocalizeXPRelativePaths_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/LocalizeXPRelativePaths_1 +``` + + + + This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. -> [!NOTE] -> This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. +Note: This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + - + + + - -ADMX Info: -- GP Friendly name: *Use localized subfolder names when redirecting Start Menu and My Documents* -- GP name: *LocalizeXPRelativePaths_1* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/LocalizeXPRelativePaths_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LocalizeXPRelativePaths | +| Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | LocalizeXPRelativePaths | +| ADMX File Name | FolderRedirection.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PrimaryComputer_FR_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/PrimaryComputer_FR_1 +``` + -If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. - -If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. - -> [!NOTE] -> This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. - - - - -ADMX Info: -- GP Friendly name: *Use localized subfolder names when redirecting Start Menu and My Documents* -- GP name: *LocalizeXPRelativePaths_2* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* - - - -
    - - -**ADMX_FolderRedirection/PrimaryComputer_FR_1** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve sign-in performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + + +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. -If you disable or don't configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user signs in to. +If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. -> [!NOTE] -> If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. +Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Redirect folders on primary computers only* -- GP name: *PrimaryComputer_FR_1* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_FolderRedirection/PrimaryComputer_FR_2** - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | PrimaryComputerFr | +| Friendly Name | Redirect folders on primary computers only | +| Location | User Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | PrimaryComputerEnabledFR | +| ADMX File Name | FolderRedirection.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + + + - - -This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve sign-in performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + -To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. +## Related articles -If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. - -If you disable or don't configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user signs in to. - -> [!NOTE] -> If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. - - - - - -ADMX Info: -- GP Friendly name: *Redirect folders on primary computers only* -- GP name: *PrimaryComputer_FR_2* -- GP path: *System/Folder Redirection* -- GP ADMX file name: *FolderRedirection.admx* - - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From dd4f8efb0f489c84bb76be50d8df11c38c74bfa5 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:36:26 -0800 Subject: [PATCH 045/152] add maps csp --- .../client-management/mdm/policy-csp-maps.md | 205 ++++++++++-------- 1 file changed, 109 insertions(+), 96 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index be48625372..4cd8a3b490 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,132 +1,145 @@ --- -title: Policy CSP - Maps -description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections. +title: Maps Policy CSP +description: Learn more about the Maps Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/21/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Maps -
    + + + - -## Maps policies + +## AllowOfflineMapsDownloadOverMeteredConnection -
    -
    - Maps/AllowOfflineMapsDownloadOverMeteredConnection -
    -
    - Maps/EnableOfflineMapsAutoUpdate -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Maps/AllowOfflineMapsDownloadOverMeteredConnection +``` + - -**Maps/AllowOfflineMapsDownloadOverMeteredConnection** + + +Allows the download and update of map data over metered connections. After the policy is applied, you can verify the settings in the user interface in System > Offline Maps. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disabled. Force disable auto-update over metered connection. | +| 1 | Enabled. Force enable auto-update over metered connection. | +| 65535 (Default) | Not configured. User's choice. | + -
    + + + - - -Allows the download and update of map data over metered connections. + -After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + +## EnableOfflineMapsAutoUpdate - - -The following list shows the supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -- 0 – Disabled. Force disable auto-update over metered connection. -- 1 – Enabled. Force enable auto-update over metered connection. -- 65535 (default) – Not configured. User's choice. + +```Device +./Device/Vendor/MSFT/Policy/Config/Maps/EnableOfflineMapsAutoUpdate +``` + - - + + +Disables the automatic download and update of map data. After the policy is applied, you can verify the settings in the user interface in System > Offline Maps. + -
    + + + - -**Maps/EnableOfflineMapsAutoUpdate** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 65535 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. Force off auto-update. | +| 1 | Enabled. Force on auto-update. | +| 65535 (Default) | Not configured. User's choice. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | TurnOffAutoUpdate | +| Friendly Name | Turn off Automatic Download and Update of Map Data | +| Location | Computer Configuration | +| Path | Windows Components > Maps | +| Registry Key Name | Software\Policies\Microsoft\Windows\Maps | +| Registry Value Name | AutoDownloadAndUpdateMapData | +| ADMX File Name | WinMaps.admx | + -
    + + + - - -Disables the automatic download and update of map data. + -After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + - - -ADMX Info: -- GP Friendly name: *Turn off Automatic Download and Update of Map Data* -- GP name: *TurnOffAutoUpdate* -- GP path: *Windows Components/Maps* -- GP ADMX file name: *WinMaps.admx* + - - -The following list shows the supported values: +## Related articles -- 0 – Disabled. Force off auto-update. -- 1 – Enabled. Force on auto-update. -- 65535 (default) – Not configured. User's choice. - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 424549e0b6ea85af7d3b6edbb61d04561074011c Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:42:31 -0800 Subject: [PATCH 046/152] add admx_winsrv policy --- .../mdm/policy-csp-admx-winsrv.md | 137 ++++++++++-------- 1 file changed, 73 insertions(+), 64 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 50e594e0d2..2d8626de35 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -1,93 +1,102 @@ --- -title: Policy CSP - ADMX_Winsrv -description: Policy CSP - ADMX_Winsrv +title: ADMX_Winsrv Policy CSP +description: Learn more about the ADMX_Winsrv Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 02/25/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Winsrv ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowBlockingAppsAtShutdown - -## ADMX_Winsrv policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_Winsrv/AllowBlockingAppsAtShutdown -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Winsrv/AllowBlockingAppsAtShutdown +``` + + + +This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. -
    +If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdown. - -**ADMX_Winsrv/AllowBlockingAppsAtShutdown** +If you disable or do not configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly. + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. - -By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. - -- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown won't be automatically terminated during shutdown. -- If you disable or don't configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that windows can shut down faster and more smoothly. + + > [!NOTE] > This policy setting applies to all sites in Trusted zones. - + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off automatic termination of applications that block or cancel shutdown* -- GP name: *AllowBlockingAppsAtShutdown* -- GP path: *System\Shutdown Options* -- GP ADMX file name: *Winsrv.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | AllowBlockingAppsAtShutdown | +| Friendly Name | Turn off automatic termination of applications that block or cancel shutdown | +| Location | Computer Configuration | +| Path | System > Shutdown Options | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowBlockingAppsAtShutdown | +| ADMX File Name | Winsrv.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 0fcca414cc04f85486956a5c4e4f98ee70e7c74b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:46:43 -0800 Subject: [PATCH 047/152] add admx_wpn csp --- .../mdm/policy-csp-admx-wpn.md | 647 ++++++++++-------- 1 file changed, 351 insertions(+), 296 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 2e7baef0be..8fefa46f8c 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -1,361 +1,416 @@ --- -title: Policy CSP - ADMX_WPN -description: Policy CSP - ADMX_WPN +title: ADMX_WPN Policy CSP +description: Learn more about the ADMX_WPN Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WPN ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## NoToastNotification - -## ADMX_WPN policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WPN/NoCallsDuringQuietHours -
    -
    - ADMX_WPN/NoLockScreenToastNotification -
    -
    - ADMX_WPN/NoQuietHours -
    -
    - ADMX_WPN/NoToastNotification -
    -
    - ADMX_WPN/QuietHoursDailyBeginMinute -
    -
    - ADMX_WPN/QuietHoursDailyEndMinute -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification +``` +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification +``` + -
    - - -**ADMX_WPN/NoCallsDuringQuietHours** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting blocks voice and video calls during Quiet Hours. - -If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users won't be able to customize any other Quiet Hours settings. - -If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users won't be able to customize this or any other Quiet Hours settings. - -If you don't configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. - - - - - -ADMX Info: -- GP Friendly name: *Turn off calls during Quiet Hours* -- GP name: *NoCallsDuringQuietHours* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* - - - -
    - - -**ADMX_WPN/NoLockScreenToastNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off toast notifications on the lock screen. - -If you enable this policy setting, applications won't be able to raise toast notifications on the lock screen. - -If you disable or don't configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. - -No reboots or service restarts are required for this policy setting to take effect. - - - - - -ADMX Info: -- GP Friendly name: *Turn off toast notifications on the lock screen* -- GP name: *NoLockScreenToastNotification* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* - - - -
    - - -**ADMX_WPN/NoQuietHours** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off Quiet Hours functionality. - -If you enable this policy setting, toast notifications won't be suppressed and some background tasks won't be deferred during the designated Quiet Hours time window each day. - -If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users won't be able to change this or any other Quiet Hours settings. - -If you don't configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Quiet Hours* -- GP name: *NoQuietHours* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* - - - -
    - - -**ADMX_WPN/NoToastNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off toast notifications for applications. -If you enable this policy setting, applications won't be able to raise toast notifications. +If you enable this policy setting, applications will not be able to raise toast notifications. -This policy doesn't affect taskbar notification balloons. +Note that this policy does not affect taskbar notification balloons. -Windows system features aren't affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. +Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. -If you disable or don't configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. +If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off toast notifications* -- GP name: *NoToastNotification* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WPN/QuietHoursDailyBeginMinute** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoToastNotification | +| Friendly Name | Turn off toast notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoToastApplicationNotification | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## NoCallsDuringQuietHours - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoCallsDuringQuietHours +``` + -
    + + +This policy setting blocks voice and video calls during Quiet Hours. - - +If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. + +If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. + +If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Adminstrators and users will be able to modify this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoCallsDuringQuietHours | +| Friendly Name | Turn off calls during Quiet Hours | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| Registry Value Name | AllowCalls | +| ADMX File Name | WPN.admx | + + + + + + + + + +## NoLockScreenToastNotification + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoLockScreenToastNotification +``` + + + + +This policy setting turns off toast notifications on the lock screen. + +If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. + +If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoLockScreenToastNotification | +| Friendly Name | Turn off toast notifications on the lock screen | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoToastApplicationNotificationOnLockScreen | +| ADMX File Name | WPN.admx | + + + + + + + + + +## NoQuietHours + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoQuietHours +``` + + + + +This policy setting turns off Quiet Hours functionality. + +If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. + +If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. + +If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoQuietHours | +| Friendly Name | Turn off Quiet Hours | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| Registry Value Name | Enable | +| ADMX File Name | WPN.admx | + + + + + + + + + +## QuietHoursDailyBeginMinute + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/QuietHoursDailyBeginMinute +``` + + + + This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. -If you enable this policy setting, the specified time will be used, and users won't be able to customize any Quiet Hours settings. +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. -If you disable this policy setting, a default value will be used, and users won't be able to change it or any other Quiet Hours setting. +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. -If you don't configure this policy setting, a default value will be used, which administrators and users will be able to modify. +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the time Quiet Hours begins each day* -- GP name: *QuietHoursDailyBeginMinute* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WPN/QuietHoursDailyEndMinute** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | QuietHoursDailyBeginMinute | +| Friendly Name | Set the time Quiet Hours begins each day | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| ADMX File Name | WPN.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## QuietHoursDailyEndMinute - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/QuietHoursDailyEndMinute +``` + -
    - - - + + This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. -If you enable this policy setting, the specified time will be used, and users won't be able to customize any Quiet Hours settings. +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. -If you disable this policy setting, a default value will be used, and users won't be able to change it or any other Quiet Hours setting. +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. -If you don't configure this policy setting, a default value will be used, which administrators and users will be able to modify. +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the time Quiet Hours ends each day* -- GP name: *QuietHoursDailyEndMinute* -- GP path: *Start Menu and Taskbar\Notifications* -- GP ADMX file name: *WPN.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | QuietHoursDailyEndMinute | +| Friendly Name | Set the time Quiet Hours ends each day | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours | +| ADMX File Name | WPN.admx | + + + + + - \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 3f8b8276ba004ed30ec209b6dcd0a72be04f1d08 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:53:49 -0800 Subject: [PATCH 048/152] add admx_workfolders csp --- .../mdm/policy-csp-admx-workfoldersclient.md | 343 ++++++++++-------- 1 file changed, 186 insertions(+), 157 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 5bd6d30977..5f53daeea8 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -1,196 +1,225 @@ --- -title: Policy CSP - ADMX_WorkFoldersClient -description: Policy CSP - ADMX_WorkFoldersClient +title: ADMX_WorkFoldersClient Policy CSP +description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WorkFoldersClient > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WorkFoldersClient policies + +## Pol_MachineEnableWorkFolders -
    -
    - ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker -
    -
    - ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders -
    -
    - ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders +``` + -
    - - -**ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. -- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. +If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up. -This folder creation prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting doesn't apply to a user, Work Folders isn't automatically set up. -- If you disable or don't configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. +If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Force automatic setup for all users* -- GP name: *Pol_UserEnableTokenBroker* -- GP path: *Windows Components\Work Folders* -- GP ADMX file name: *WorkFoldersClient.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Pol_MachineEnableWorkFolders | +| Friendly Name | Force automatic setup for all users | +| Location | Computer Configuration | +| Path | Windows Components > Work Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows\WorkFolders | +| Registry Value Name | AutoProvision | +| ADMX File Name | WorkFolders-Client.admx | + - -**ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Pol_UserEnableTokenBroker - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker +``` + -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies the Work Folders server for affected users, and whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. - -- If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. - -If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables. - -> [!NOTE] -> In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. - -The “On-demand file access preference” option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don’t take up any space on the PC, but the user must be connected to the Internet to access them. If you enable this policy setting, on-demand file access is enabled. - -- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user’s files is required on each of their PCs. - -If you specify User choice or don't configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. - -The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This automatic setup prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option isn't specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. - - - - - -ADMX Info: -- GP Friendly name: *Specify Work Folders settings* -- GP name: *Pol_UserEnableWorkFolders* -- GP path: *Windows Components\Work Folders* -- GP ADMX file name: *WorkFoldersClient.admx* - - - -
    - - -**ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OAuth2 token flow used in previous versions. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enables the use of Token Broker for AD FS authentication* -- GP name: *Pol_MachineEnableWorkFolders* -- GP path: *Windows Components\Work Folders* -- GP ADMX file name: *WorkFoldersClient.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | Pol_UserEnableTokenBroker | +| Friendly Name | Enables the use of Token Broker for AD FS authentication | +| Location | User Configuration | +| Path | Windows Components > Work Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows\WorkFolders | +| Registry Value Name | EnableTokenBroker | +| ADMX File Name | WorkFolders-Client.admx | + + + + + + + + + +## Pol_UserEnableWorkFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders +``` + + + + +This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. + +If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. + +The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. + +The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables. + +**Note**: In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. + +The “On-demand file access preference” option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don’t take up any space on the PC, but the user must be connected to the Internet to access them. + +If you enable this policy setting, on-demand file access is enabled. +If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user’s files is required on each of their PCs. +If you specify User choice or do not configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. + +The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_UserEnableWorkFolders | +| Friendly Name | Specify Work Folders settings | +| Location | User Configuration | +| Path | Windows Components > Work Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows\WorkFolders | +| ADMX File Name | WorkFolders-Client.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From d5e95924e7bcdf5c62e745f4e41e2d5ce83694aa Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:54:54 -0800 Subject: [PATCH 049/152] add admx_wordwheel csp --- .../mdm/policy-csp-admx-wordwheel.md | 131 ++++++++++-------- 1 file changed, 71 insertions(+), 60 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 07a3a84c12..a0f517b1cc 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -1,86 +1,97 @@ --- -title: Policy CSP - ADMX_WordWheel -description: Policy CSP - ADMX_WordWheel +title: ADMX_WordWheel Policy CSP +description: Learn more about the ADMX_WordWheel Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/22/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WordWheel > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WordWheel policies + +## CustomSearch -
    -
    - ADMX_WordWheel/CustomSearch -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WordWheel/CustomSearch +``` + -
    - - -**ADMX_WordWheel/CustomSearch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Set up the menu name and URL for the custom Internet search provider. -- If you enable this setting, the specified menu name and URL will be used for Internet searches. -- If you disable or not configure this setting, the default Internet search provider will be used. +If you enable this setting, the specified menu name and URL will be used for Internet searches. - +If you disable or not configure this setting, the default Internet search provider will be used. + + + + - -ADMX Info: -- GP Friendly name: *Custom Instant Search Internet search provider* -- GP name: *CustomSearch* -- GP path: *Windows Components\Instant Search* -- GP ADMX file name: *WordWheel.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | CustomSearch | +| Friendly Name | Custom Instant Search Internet search provider | +| Location | User Configuration | +| Path | Windows Components > Instant Search | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions | +| ADMX File Name | WordWheel.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From d2ea1bfe56e3d1a8a9ba2de9d22a999aee4b647e Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 11:56:41 -0800 Subject: [PATCH 050/152] add admx_wlansvc csp --- .../mdm/policy-csp-admx-wlansvc.md | 293 ++++++++++-------- 1 file changed, 163 insertions(+), 130 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 4fc49cd363..bc73ff959e 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -1,190 +1,223 @@ --- -title: Policy CSP - ADMX_wlansvc -description: Policy CSP - ADMX_wlansvc +title: ADMX_wlansvc Policy CSP +description: Learn more about the ADMX_wlansvc Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/27/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_wlansvc ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## SetCost - -## ADMX_wlansvc policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_wlansvc/SetCost -
    -
    - ADMX_wlansvc/SetPINEnforced -
    -
    - ADMX_wlansvc/SetPINPreferred -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_wlansvc/SetCost +``` + - -
    - - -**ADMX_wlansvc/SetCost** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. -- Fixed: Use of this connection isn't restricted by usage charges and capacity constraints up to a certain data limit. -- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or isn't configured, the cost of Wireless LAN connections is Unrestricted by default. - +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. +- Variable: This connection is costed on a per byte basis. - -ADMX Info: -- GP Friendly name: *Set Cost* -- GP name: *IncludeCmdLine* -- GP path: *Network\WLAN Service\WLAN Media Cost* -- GP ADMX file name: *wlansvc.admx* +If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. + - - -
    + + + - -**ADMX_wlansvc/SetPINEnforced** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | SetCost | +| Friendly Name | Set Cost | +| Location | Computer Configuration | +| Path | Network > WLAN Service > WLAN Media Cost | +| Registry Key Name | Software\Policies\Microsoft\Windows\Wireless\NetCost | +| ADMX File Name | wlansvc.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## SetPINEnforced + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_wlansvc/SetPINEnforced +``` + + + + This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. -If this policy setting is disabled or isn't configured, by default Push Button pairing is allowed (but not necessarily preferred). +If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require PIN pairing* -- GP name: *SetPINEnforced* -- GP path: *Network\Wireless Display* -- GP ADMX file name: *wlansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_wlansvc/SetPINPreferred** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Wireless_Display_PINEnforced | +| Friendly Name | Require PIN pairing | +| Location | Computer Configuration | +| Path | Network > Wireless Display | +| Registry Key Name | SOFTWARE\Policies\Microsoft\WirelessDisplay | +| Registry Value Name | EnforcePinBasedPairing | +| ADMX File Name | wlansvc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetPINPreferred -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_wlansvc/SetPINPreferred +``` + - - + + This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. -If this policy setting is disabled or isn't configured, by default Push Button pairing is preferred (if allowed by other policies). +If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prefer PIN pairing* -- GP name: *SetPINPreferred* -- GP path: *Network\Wireless Display* -- GP ADMX file name: *wlansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Wireless_Display_PINPreferred | +| Friendly Name | Prefer PIN pairing | +| Location | Computer Configuration | +| Path | Network > Wireless Display | +| Registry Key Name | SOFTWARE\Policies\Microsoft\WirelessDisplay | +| Registry Value Name | PreferPinBasedPairing | +| ADMX File Name | wlansvc.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 0c4ee800a28004c11b48ec4aa35b4668c0a73c5e Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 12:03:39 -0800 Subject: [PATCH 051/152] add admx_winlogon csp --- .../mdm/policy-csp-admx-winlogon.md | 667 ++++++++++-------- 1 file changed, 361 insertions(+), 306 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index b5f0a3c887..36ae26d939 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -1,363 +1,418 @@ --- -title: Policy CSP - ADMX_WinLogon -description: Policy CSP - ADMX_WinLogon +title: ADMX_WinLogon Policy CSP +description: Learn more about the ADMX_WinLogon Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WinLogon ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -
    - - -## ADMX_WinLogon policies - -
    -
    - ADMX_WinLogon/CustomShell -
    -
    - ADMX_WinLogon/DisplayLastLogonInfoDescription -
    -
    - ADMX_WinLogon/LogonHoursNotificationPolicyDescription -
    -
    - ADMX_WinLogon/LogonHoursPolicyDescription -
    -
    - ADMX_WinLogon/ReportCachedLogonPolicyDescription -
    -
    - ADMX_WinLogon/SoftwareSASGeneration -
    -
    - - -
    - - -**ADMX_WinLogon/CustomShell** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. - -If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file isn't located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. - -If you disable this setting or don't configure it, the setting is ignored and the system displays the Explorer interface. > [!TIP] -> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + + + + +## DisplayLastLogonInfoDescription - -ADMX Info: -- GP Friendly name: *Custom User Interface* -- GP name: *CustomShell* -- GP path: *System* -- GP ADMX file name: *WinLogon.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/DisplayLastLogonInfoDescription +``` + - -**ADMX_WinLogon/DisplayLastLogonInfoDescription** + + +This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. - +For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. +If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting controls whether or not the system displays information about previous sign-ins and sign-in failures to the user. +**ADMX mapping**: -For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful sign in by that user, the date and time of the last unsuccessful sign in attempted with that user name, and the number of unsuccessful logons since the last successful sign in by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop. +| Name | Value | +|:--|:--| +| Name | DisplayLastLogonInfoDescription | +| Friendly Name | Display information about previous logons during user logon | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisplayLastLogonInfo | +| ADMX File Name | WinLogon.admx | + -For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows couldn't retrieve the information and the user won't be able to sign in. Therefore, you shouldn't enable this policy setting if the domain isn't at the Windows Server 2008 domain functional level. + + + -If you disable or don't configure this setting, messages about the previous sign in or sign-in failures aren't displayed. + - + +## ReportCachedLogonPolicyDescription + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Display information about previous logons during user logon* -- GP name: *DisplayLastLogonInfoDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/ReportCachedLogonPolicyDescription +``` - - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/ReportCachedLogonPolicyDescription +``` + - - -**ADMX_WinLogon/LogonHoursNotificationPolicyDescription** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy controls whether the signed-in user should be notified when their sign-in hours are about to expire. By default, a user is notified before sign-in hours expire, if actions have been set to occur when the sign-in hours expire. - -If you enable this setting, warnings aren't displayed to the user before the sign-in hours expire. - -If you disable or don't configure this setting, users receive warnings before the sign-in hours expire, if actions have been set to occur when the sign-in hours expire. - -> [!NOTE] -> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration - - - - - -ADMX Info: -- GP Friendly name: *Remove logon hours expiration warnings* -- GP name: *LogonHoursNotificationPolicyDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* - - - -
    - - -**ADMX_WinLogon/LogonHoursPolicyDescription** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy controls which action will be taken when the sign-in hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. - -If you choose to lock or disconnect a session, the user can't unlock the session or reconnect except during permitted sign-in hours. - -If you choose to sign out a user, the user can't sign in again except during permitted sign-in hours. If you choose to sign out a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s sign-in hours expire. - -If you disable or don't configure this setting, the system takes no action when the user’s sign-in hours expire. The user can continue the existing session, but can't sign in to a new session. - -> [!NOTE] -> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting. - - - - - -ADMX Info: -- GP Friendly name: *Set action to take when logon hours expire* -- GP name: *LogonHoursPolicyDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* - - - -
    - - -**ADMX_WinLogon/ReportCachedLogonPolicyDescription** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy controls whether the signed-in user should be notified if the sign-in server couldn't be contacted during sign in and if they've been signed in using previously stored account information. + + +This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials. -If disabled or not configured, no pop up will be displayed to the user. +If disabled or not configured, no popup will be displayed to the user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Report when logon server was not available during user logon* -- GP name: *ReportCachedLogonPolicyDescription* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WinLogon/SoftwareSASGeneration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ReportCachedLogonPolicyDescription | +| Friendly Name | Report when logon server was not available during user logon | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | ReportControllerMissing | +| ADMX File Name | WinLogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## SoftwareSASGeneration - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/SoftwareSASGeneration +``` + -
    - - - -This policy setting controls whether the software can simulate the Secure Attention Sequence (SAS). + + +This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). If you enable this policy setting, you have one of four options: -- If you set this policy setting to "None," user mode software can't simulate the SAS. -- If you set this policy setting to "Services," services can simulate the SAS. -- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. -- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. +If you set this policy setting to "None," user mode software cannot simulate the SAS. +If you set this policy setting to "Services," services can simulate the SAS. +If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. +If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. -If you disable or don't configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. +If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable or enable software Secure Attention Sequence* -- GP name: *SoftwareSASGeneration* -- GP path: *Windows Components\Windows Logon Options* -- GP ADMX file name: *WinLogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SoftwareSASGenerationDescription | +| Friendly Name | Disable or enable software Secure Attention Sequence | +| Location | Computer Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + - \ No newline at end of file + + + + + + + +## CustomShell + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/CustomShell +``` + + + + +Specifies an alternate user interface. + +The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Explorer.exe. + +To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. + +If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. + +Tip: To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomShellPolicyDescription | +| Friendly Name | Custom User Interface | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + + + + + + + + + +## LogonHoursNotificationPolicyDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursNotificationPolicyDescription +``` + + + + +This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. + +If you enable this setting, warnings are not displayed to the user before the logon hours expire. + +If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. + +Note: If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LogonHoursNotificationPolicyDescription | +| Friendly Name | Remove logon hours expiration warnings | +| Location | User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DontDisplayLogonHoursWarnings | +| ADMX File Name | WinLogon.admx | + + + + + + + + + +## LogonHoursPolicyDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursPolicyDescription +``` + + + + +This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. + +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. + +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. + +If you enable this setting, the system will perform the action you specify when the user’s logon hours expire. + +If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session. + +Note: If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LogonHoursPolicyDescription | +| Friendly Name | Set action to take when logon hours expire | +| Location | User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From cdf6fd1e89a4616164b57074d3255b0c0ae44c66 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 12:05:02 -0800 Subject: [PATCH 052/152] add admx_wininit csp --- .../mdm/policy-csp-admx-wininit.md | 294 ++++++++++-------- 1 file changed, 160 insertions(+), 134 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index df7be3051f..89b3dac4c2 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -1,191 +1,217 @@ --- -title: Policy CSP - ADMX_WinInit -description: Policy CSP - ADMX_WinInit +title: ADMX_WinInit Policy CSP +description: Learn more about the ADMX_WinInit Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/29/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WinInit ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisableNamedPipeShutdownPolicyDescription - -## ADMX_WinInit policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription -
    -
    - ADMX_WinInit/Hiberboot -
    -
    - ADMX_WinInit/ShutdownTimeoutHungSessionsDescription -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription +``` + + + +This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. -
    +If you enable this policy setting, the system does not create the named pipe remote shutdown interface. - -**ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription** +If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DisableNamedPipeShutdownPolicyDescription | +| Friendly Name | Turn off legacy remote shutdown interface | +| Location | Computer Configuration | +| Path | Windows Components > Shutdown Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableShutdownNamedPipe | +| ADMX File Name | WinInit.admx | + -
    + + + - - -This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shut down this system from a remote Windows XP or Windows Server 2003 system. + -If you enable this policy setting, the system doesn't create the named pipe remote shutdown interface. + +## Hiberboot -If you disable or don't configure this policy setting, the system creates the named pipe remote shutdown interface. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinInit/Hiberboot +``` + - - -ADMX Info: -- GP Friendly name: *Turn off legacy remote shutdown interface* -- GP name: *DisableNamedPipeShutdownPolicyDescription* -- GP path: *Windows Components\Shutdown Options* -- GP ADMX file name: *WinInit.admx* - - - -
    - - -**ADMX_WinInit/Hiberboot** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. -If you disable or don't configure this policy setting, the local setting is used. +If you disable or do not configure this policy setting, the local setting is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require use of fast startup* -- GP name: *Hiberboot* -- GP path: *System\Shutdown* -- GP ADMX file name: *WinInit.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WinInit/ShutdownTimeoutHungSessionsDescription** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Hiberboot | +| Friendly Name | Require use of fast startup | +| Location | Computer Configuration | +| Path | System > Shutdown | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | HiberbootEnabled | +| ADMX File Name | WinInit.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## ShutdownTimeoutHungSessionsDescription - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinInit/ShutdownTimeoutHungSessionsDescription +``` + -
    - - - + + This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. -If you disable or don't configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. +If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Timeout for hung logon sessions during shutdown* -- GP name: *ShutdownTimeoutHungSessionsDescription* -- GP path: *Windows Components\Shutdown Options* -- GP ADMX file name: *WinInit.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | ShutdownTimeoutHungSessionsDescription | +| Friendly Name | Timeout for hung logon sessions during shutdown | +| Location | Computer Configuration | +| Path | Windows Components > Shutdown Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinInit.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From dd8bb6497db818082b3e742b7ffd96686c5b43c1 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 12:08:05 -0800 Subject: [PATCH 053/152] add admx_windowsstore csp --- .../mdm/policy-csp-admx-windowsstore.md | 480 ++++++++++-------- 1 file changed, 260 insertions(+), 220 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 36044d5475..92abc45d19 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,300 +1,340 @@ --- -title: Policy CSP - ADMX_WindowsStore -description: Policy CSP - ADMX_WindowsStore +title: ADMX_WindowsStore Policy CSP +description: Learn more about the ADMX_WindowsStore Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsStore ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + +## DisableAutoDownloadWin8 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableAutoDownloadWin8 +``` + - -## ADMX_WindowsStore policies + + +Enables or disables the automatic download of app updates on PCs running Windows 8. -
    -
    - ADMX_WindowsStore/DisableAutoDownloadWin8 -
    -
    - ADMX_WindowsStore/DisableOSUpgrade_1 -
    -
    - ADMX_WindowsStore/DisableOSUpgrade_2 -
    -
    - ADMX_WindowsStore/RemoveWindowsStore_1 -
    -
    - ADMX_WindowsStore/RemoveWindowsStore_2 -
    -
    +If you enable this setting, the automatic download of app updates is turned off. +If you disable this setting, the automatic download of app updates is turned on. -
    +If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Microsoft Store. + - -**ADMX_WindowsStore/DisableAutoDownloadWin8** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DisableAutoDownloadWin8 | +| Friendly Name | Turn off Automatic Download of updates on Win8 machines | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | AutoDownload | +| ADMX File Name | WindowsStore.admx | + -
    + + + - - -This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. + -If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. + +## DisableOSUpgrade_2 -If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableOSUpgrade_2 +``` + - - -ADMX Info: -- GP Friendly name: *Turn off Automatic Download of updates on Win8 machines* -- GP name: *DisableAutoDownloadWin8* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* - - - -
    - -
    - - -**ADMX_WindowsStore/DisableOSUpgrade_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting enables or disables the Store offer to update to the latest version of Windows. + + +Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the offer to update to the latest version of Windows* -- GP name: *DisableOSUpgrade_1* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_WindowsStore/DisableOSUpgrade_2** +| Name | Value | +|:--|:--| +| Name | DisableOSUpgradeOption | +| Friendly Name | Turn off the offer to update to the latest version of Windows | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableOSUpgrade | +| ADMX File Name | WindowsStore.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## RemoveWindowsStore_2 - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2 +``` + -> [!div class = "checklist"] -> * Device + + +Denies or allows access to the Store application. -
    +If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. - - -This policy setting enables or disables the Store offer to update to the latest version of Windows. +If you disable or don't configure this setting, access to the Store application is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemoveWindowsStore | +| Friendly Name | Turn off the Store application | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RemoveWindowsStore | +| ADMX File Name | WindowsStore.admx | + + + + + + + + + +## DisableOSUpgrade_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableOSUpgrade_1 +``` + + + + +Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the offer to update to the latest version of Windows* -- GP name: *DisableOSUpgrade_2* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DisableOSUpgradeOption | +| Friendly Name | Turn off the offer to update to the latest version of Windows | +| Location | User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableOSUpgrade | +| ADMX File Name | WindowsStore.admx | + - -**ADMX_WindowsStore/RemoveWindowsStore_1** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## RemoveWindowsStore_1 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_1 +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting denies or allows access to the Store application. + + +Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the Store application* -- GP name: *RemoveWindowsStore_1* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_WindowsStore/RemoveWindowsStore_2** +| Name | Value | +|:--|:--| +| Name | RemoveWindowsStore | +| Friendly Name | Turn off the Store application | +| Location | User Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RemoveWindowsStore | +| ADMX File Name | WindowsStore.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): +## Related articles -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting denies or allows access to the Store application. - -If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. - -If you disable or don't configure this setting, access to the Store application is allowed. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the Store application* -- GP name: *RemoveWindowsStore_2* -- GP path: *Windows Components\Store* -- GP ADMX file name: *WindowsStore.admx* - - - -
    - - - \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From c69905069277a9965f7ccc91017e7b835184bd64 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 12:09:16 -0800 Subject: [PATCH 054/152] add admx wrm csp --- ...policy-csp-admx-windowsremotemanagement.md | 210 ++++++++++-------- 1 file changed, 114 insertions(+), 96 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 636f40127c..04fc71aad2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -1,140 +1,158 @@ --- -title: Policy CSP - ADMX_WindowsRemoteManagement -description: Policy CSP - ADMX_WindowsRemoteManagement +title: ADMX_WindowsRemoteManagement Policy CSP +description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsRemoteManagement ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisallowKerberos_1 - -## ADMX_WindowsRemoteManagement policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WindowsRemoteManagement/DisallowKerberos_1 -
    -
    - ADMX_WindowsRemoteManagement/DisallowKerberos_2 -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsRemoteManagement/DisallowKerberos_1 +``` + - -
    - - -**ADMX_WindowsRemoteManagement/DisallowKerberos_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow Kerberos authentication* -- GP name: *DisallowKerberos_1* -- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Service* -- GP ADMX file name: *WindowsRemoteManagement.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_WindowsRemoteManagement/DisallowKerberos_2** +| Name | Value | +|:--|:--| +| Name | DisallowKerberos | +| Friendly Name | Disallow Kerberos authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Service | +| Registry Value Name | AllowKerberos | +| ADMX File Name | WindowsRemoteManagement.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisallowKerberos_2 - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsRemoteManagement/DisallowKerberos_2 +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow Kerberos authentication* -- GP name: *DisallowKerberos_2* -- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Client* -- GP ADMX file name: *WindowsRemoteManagement.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisallowKerberos | +| Friendly Name | Disallow Kerberos authentication | +| Location | Computer Configuration | +| Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | +| Registry Key Name | Software\Policies\Microsoft\Windows\WinRM\Client | +| Registry Value Name | AllowKerberos | +| ADMX File Name | WindowsRemoteManagement.admx | + - \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From f656b4bdd00170774f70a10b3887f126fe13b116 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Wed, 21 Dec 2022 15:21:09 -0500 Subject: [PATCH 055/152] admx fthsvc --- .../mdm/policy-csp-admx-fthsvc.md | 139 ++++++++++-------- 1 file changed, 75 insertions(+), 64 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 6d52f5da19..74ace3c457 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,95 +1,106 @@ --- -title: Policy CSP - ADMX_FTHSVC -description: Learn about the Policy CSP - ADMX_FTHSVC. +title: ADMX_fthsvc Policy CSP +description: Learn more about the ADMX_fthsvc Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/15/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - ADMX_FTHSVC + + + +# Policy CSP - ADMX_fthsvc > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_FTHSVC policies + +## WdiScenarioExecutionPolicy -
    -
    - ADMX_FTHSVC/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_fthsvc/WdiScenarioExecutionPolicy +``` + - -**ADMX_FTHSVC/WdiScenarioExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - + + This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. -If you disable this policy setting, Windows can't detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. +If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. -If you don't configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. +If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. -This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. -The DPS can be configured with the Services snap-in to the Microsoft Management Console. No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Fault Tolerant Heap* -- GP ADMX file name: *FTHSVC.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Fault Tolerant Heap | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | fthsvc.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 5ed83261a7c2ba8a87b75d04b0d0ab05686973a9 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Wed, 21 Dec 2022 15:23:56 -0500 Subject: [PATCH 056/152] admx globalization --- .../mdm/policy-csp-admx-globalization.md | 2397 +++++++++-------- 1 file changed, 1324 insertions(+), 1073 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 663d447e5d..c3bbfb3d75 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,1343 +1,1594 @@ --- -title: Policy CSP - ADMX_Globalization -description: Learn about the Policy CSP - ADMX_Globalization. +title: ADMX_Globalization Policy CSP +description: Learn more about the ADMX_Globalization Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Globalization -
    - - -## ADMX_Globalization policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_Globalization/BlockUserInputMethodsForSignIn -
    -
    - ADMX_Globalization/CustomLocalesNoSelect_1 -
    -
    - ADMX_Globalization/CustomLocalesNoSelect_2 -
    -
    - ADMX_Globalization/HideAdminOptions -
    -
    - ADMX_Globalization/HideCurrentLocation -
    -
    - ADMX_Globalization/HideLanguageSelection -
    -
    - ADMX_Globalization/HideLocaleSelectAndCustomize -
    -
    - ADMX_Globalization/ImplicitDataCollectionOff_1 -
    -
    - ADMX_Globalization/ImplicitDataCollectionOff_2 -
    -
    - ADMX_Globalization/LocaleSystemRestrict -
    -
    - ADMX_Globalization/LocaleUserRestrict_1 -
    -
    - ADMX_Globalization/LocaleUserRestrict_2 -
    -
    - ADMX_Globalization/LockMachineUILanguage -
    -
    - ADMX_Globalization/LockUserUILanguage -
    -
    - ADMX_Globalization/PreventGeoIdChange_1 -
    -
    - ADMX_Globalization/PreventGeoIdChange_2 -
    -
    - ADMX_Globalization/PreventUserOverrides_1 -
    -
    - ADMX_Globalization/PreventUserOverrides_2 -
    -
    - ADMX_Globalization/RestrictUILangSelect -
    -
    - ADMX_Globalization/TurnOffAutocorrectMisspelledWords -
    -
    - ADMX_Globalization/TurnOffHighlightMisspelledWords -
    -
    - ADMX_Globalization/TurnOffInsertSpace -
    -
    - ADMX_Globalization/TurnOffOfferTextPredictions -
    -
    - ADMX_Globalization/Y2K -
    -
    + + + + +## BlockUserInputMethodsForSignIn -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_Globalization/BlockUserInputMethodsForSignIn** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/BlockUserInputMethodsForSignIn +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. -This confinement doesn't affect the availability of user input methods on the lock screen or with the UAC prompt. +Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. -If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page. +If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. -If the policy is disabled or not configured, then the user will be able to use input methods enabled for their user account on the sign-in page. +If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disallow copying of user input methods to the system account for sign-in* -- GP name: *BlockUserInputMethodsForSignIn* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Globalization/CustomLocalesNoSelect_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BlockUserInputMethodsForSignIn | +| Friendly Name | Disallow copying of user input methods to the system account for sign-in | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | BlockUserInputMethodsForSignIn | +| ADMX File Name | Globalization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomLocalesNoSelect_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_2 +``` + - - + + This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. -This confinement doesn't affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. -The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting isn't configured. +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. -If you enable this policy setting, the user can't select a custom locale as their user locale, but they can still select a replacement locale if one is installed. +If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. -If you disable or don't configure this policy setting, the user can select a custom locale as their user locale. +If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. -If this policy setting is enabled at the machine level, it can't be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting isn't configured at the machine level, restrictions will be based on per-user policy settings. +If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. -To set this policy setting on a per-user basis, make sure that you don't configure the per-machine policy setting. +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow selection of Custom Locales* -- GP name: *CustomLocalesNoSelect_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/CustomLocalesNoSelect_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CustomLocalesNoSelect | +| Friendly Name | Disallow selection of Custom Locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | CustomLocalesNoSelect | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ImplicitDataCollectionOff_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_2 +``` + -This confinement doesn't affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. - -The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting isn't configured. - -If you enable this policy setting, the user can't select a custom locale as their user locale, but they can still select a replacement locale if one is installed. - -If you disable or don't configure this policy setting, the user can select a custom locale as their user locale. - -If this policy setting is enabled at the machine level, it can't be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting isn't configured at the machine level, restrictions will be based on per-user policy settings. - -To set this policy setting on a per-user basis, make sure that you don't configure the per-machine policy setting. - - - - -ADMX Info: -- GP Friendly name: *Disallow selection of Custom Locales* -- GP name: *CustomLocalesNoSelect_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/HideAdminOptions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting removes the Administrative options from the Region settings control panel. - -Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting doesn't, however, prevent an administrator or another application from changing these values programmatically. - -This policy setting is used only to simplify the Regional Options control panel. - -If you enable this policy setting, the user can't see the Administrative options. - -If you disable or don't configure this policy setting, the user can see the Administrative options. - -> [!NOTE] -> Even if a user can see the Administrative options, other policies may prevent them from modifying the values. - - - - - -ADMX Info: -- GP Friendly name: *Hide Regional and Language Options administrative options* -- GP name: *HideAdminOptions* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/HideCurrentLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. - -This policy setting is used only to simplify the Regional Options control panel. - -If you enable this policy setting, the user doesn't see the option to change the GeoID. This lack of display doesn't prevent the user or an application from changing the GeoID programmatically. - -If you disable or don't configure this policy setting, the user sees the option for changing the user location (GeoID). - -> [!NOTE] -> Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. - - - - -ADMX Info: -- GP Friendly name: *Hide the geographic location option* -- GP name: *HideCurrentLocation* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/HideLanguageSelection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. - -This policy setting is used only to simplify the Regional Options control panel. - -If you enable this policy setting, the user doesn't see the option for changing the UI language. This lack of display doesn't prevent the user or an application from changing the UI language programmatically. If you disable or don't configure this policy setting, the user sees the option for changing the UI language. - -> [!NOTE] -> Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. - - - - - -ADMX Info: -- GP Friendly name: *Hide the select language group options* -- GP name: *HideLanguageSelection* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/HideLocaleSelectAndCustomize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting removes the regional formats interface from the Region settings control panel. - -This policy setting is used only to simplify the Regional and Language Options control panel. - -If you enable this policy setting, the user doesn't see the regional formats options. This lack of display doesn't prevent the user or an application from changing their user locale or user overrides programmatically. - -If you disable or don't configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. - - - - -ADMX Info: -- GP Friendly name: *Hide user locale selection and customization options* -- GP name: *HideLocaleSelectAndCustomize* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/ImplicitDataCollectionOff_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off the automatic learning component of handwriting recognition personalization. -Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, and URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history doesn't delete the stored personalization data. Ink entered through Input Panel is collected and stored. +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. -> [!NOTE] -> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help. +Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. -If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel. +Note: Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. -If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. +If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. -If you don't configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. +If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. -> [!NOTE] -> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. -> -> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. +Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. - +Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + - -ADMX Info: -- GP Friendly name: *Turn off automatic learning* -- GP name: *ImplicitDataCollectionOff_1* -- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/ImplicitDataCollectionOff_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | ImplicitDataCollectionOff | +| Friendly Name | Turn off automatic learning | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options > Handwriting personalization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## LocaleSystemRestrict - - -This policy setting turns off the automatic learning component of handwriting recognition personalization. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, and URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history doesn't delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleSystemRestrict +``` + -> [!NOTE] -> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help. - -If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel. - -If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. - -If you don't configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. - -This policy setting is related to the "Turn off handwriting personalization" policy setting. - -> [!NOTE] -> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. -> -> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. - - - - -ADMX Info: -- GP Friendly name: *Turn off automatic learning* -- GP name: *ImplicitDataCollectionOff_2* -- GP path: *Control Panel\Regional and Language Options\Handwriting personalization* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/LocaleSystemRestrict** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list. + + +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). If you enable this policy setting, administrators can select a system locale only from the specified system locale list. -If you disable or don't configure this policy setting, administrators can select any system locale shipped with the operating system. +If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict system locales* -- GP name: *LocaleSystemRestrict* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/LocaleUserRestrict_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LocaleSystemRestrict | +| Friendly Name | Restrict system locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictSystemLocales | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## LocaleUserRestrict_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting doesn't change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_2 +``` + -To set this policy setting on a per-user basis, make sure that you don't configure the per-computer policy setting. + + +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). If you enable this policy setting, only locales in the specified locale list can be selected by users. -If you disable or don't configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it can't be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting isn't configured at the computer level, restrictions are based on per-user policies. +If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - +If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + - -ADMX Info: -- GP Friendly name: *Restrict user locales* -- GP name: *LocaleUserRestrict_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/LocaleUserRestrict_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | LocaleUserRestrict | +| Friendly Name | Restrict user locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictUserLocales | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## LockMachineUILanguage - - -This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting doesn't change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -To set this policy setting on a per-user basis, make sure that you don't configure the per-computer policy setting. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockMachineUILanguage +``` + -The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). - -If you enable this policy setting, only locales in the specified locale list can be selected by users. - -If you disable or don't configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - -If this policy setting is enabled at the computer level, it can't be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting isn't configured at the computer level, restrictions are based on per-user policies. - - - - -ADMX Info: -- GP Friendly name: *Restrict user locales* -- GP name: *LocaleUserRestrict_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/LockMachineUILanguage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting restricts the Windows UI language for all users. -This policy setting is meant for computers with more than one UI language installed. +This is a policy setting for computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it's different than any of the system UI languages. +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. -If you disable or don't configure this policy setting, the user can specify which UI language is used. +If you disable or do not configure this policy setting, the user can specify which UI language is used. + - + + + - -ADMX Info: -- GP Friendly name: *Restricts the UI language Windows uses for all logged users* -- GP name: *LockMachineUILanguage* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/LockUserUILanguage** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LockMachineUILanguage | +| Friendly Name | Restricts the UI language Windows uses for all logged users | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## PreventGeoIdChange_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_2 +``` + + + + +This policy setting prevents users from changing their user geographical location (GeoID). + +If you enable this policy setting, users cannot change their GeoID. + +If you disable or do not configure this policy setting, users may select any GeoID. + +If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventGeoIdChange | +| Friendly Name | Disallow changing of geographic location | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventGeoIdChange | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## PreventUserOverrides_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_2 +``` + + + + +This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. + +If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventUserOverrides | +| Friendly Name | Disallow user override of locale settings | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventUserOverrides | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## CustomLocalesNoSelect_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_1 +``` + + + + +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomLocalesNoSelect | +| Friendly Name | Disallow selection of Custom Locales | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | CustomLocalesNoSelect | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## HideAdminOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideAdminOptions +``` + + + + +This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user cannot see the Administrative options. + +If you disable or do not configure this policy setting, the user can see the Administrative options. + +Note: Even if a user can see the Administrative options, other policies may prevent them from modifying the values. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideAdminOptions | +| Friendly Name | Hide Regional and Language Options administrative options | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideAdminOptions | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## HideCurrentLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideCurrentLocation +``` + + + + +This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. + +If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). + +Note: Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideCurrentLocation | +| Friendly Name | Hide the geographic location option | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideCurrentLocation | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## HideLanguageSelection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideLanguageSelection +``` + + + + +This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. + +This policy setting is used only to simplify the Regional Options control panel. + +If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. + +If you disable or do not configure this policy setting, the user sees the option for changing the UI language. + +Note: Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideLanguageSelection | +| Friendly Name | Hide the select language group options | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideLanguageSelection | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## HideLocaleSelectAndCustomize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/HideLocaleSelectAndCustomize +``` + + + + +This policy setting removes the regional formats interface from the Region settings control panel. + +This policy setting is used only to simplify the Regional and Language Options control panel. + +If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. + +If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideLocaleSelectAndCustomize | +| Friendly Name | Hide user locale selection and customization options | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | HideLocaleSelectAndCustomize | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## ImplicitDataCollectionOff_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_1 +``` + + + + +This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. + +Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +Note: Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. + +Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ImplicitDataCollectionOff | +| Friendly Name | Turn off automatic learning | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options > Handwriting personalization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## LocaleUserRestrict_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_1 +``` + + + + +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +If you enable this policy setting, only locales in the specified locale list can be selected by users. + +If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. + +If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocaleUserRestrict | +| Friendly Name | Restrict user locales | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictUserLocales | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## LockUserUILanguage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockUserUILanguage +``` + + + + This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language isn't installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. -If you disable or don't configure this policy setting, there's no restriction on which language users should use. +If you disable or do not configure this policy setting, there is no restriction on which language users should use. To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Restricts the UI languages Windows should use for the selected user* -- GP name: *LockUserUILanguage* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventGeoIdChange_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LockUserUILanguage | +| Friendly Name | Restricts the UI languages Windows should use for the selected user | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\Desktop | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## PreventGeoIdChange_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_1 +``` + + + + This policy setting prevents users from changing their user geographical location (GeoID). -If you enable this policy setting, users can't change their GeoID. +If you enable this policy setting, users cannot change their GeoID. -If you disable or don't configure this policy setting, users may select any GeoID. +If you disable or do not configure this policy setting, users may select any GeoID. -If you enable this policy setting at the computer level, it can't be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you don't configure this policy setting at the computer level, restrictions are based on per-user policy settings. +If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. -To set this policy setting on a per-user basis, make sure that the per-computer policy setting isn't configured. +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow changing of geographic location* -- GP name: *PreventGeoIdChange_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventGeoIdChange_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventGeoIdChange | +| Friendly Name | Disallow changing of geographic location | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventGeoIdChange | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## PreventUserOverrides_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents users from changing their user geographical location (GeoID). + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_1 +``` + -If you enable this policy setting, users can't change their GeoID. - -If you disable or don't configure this policy setting, users may select any GeoID. - -If you enable this policy setting at the computer level, it can't be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you don't configure this policy setting at the computer level, restrictions are based on per-user policy settings. - -To set this policy setting on a per-user basis, make sure that the per-computer policy setting isn't configured. - - - - -ADMX Info: -- GP Friendly name: *Disallow changing of geographic location* -- GP name: *PreventGeoIdChange_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/PreventUserOverrides_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. - -The user can't customize their user locale with user overrides. +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. If this policy setting is disabled or not configured, then the user can customize their user locale overrides. -If this policy is set to Enabled at the computer level, then it can't be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. +If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + - + + + - -ADMX Info: -- GP Friendly name: *Disallow user override of locale settings* -- GP name: *PreventUserOverrides_1* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/PreventUserOverrides_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PreventUserOverrides | +| Friendly Name | Disallow user override of locale settings | +| Location | User Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventUserOverrides | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RestrictUILangSelect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents the user from customizing their locale by changing their user overrides. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/RestrictUILangSelect +``` + -Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + + +This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. - -The user can't customize their user locale with user overrides. - -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - -If this policy is set to Enabled at the computer level, then it can't be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. - -To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. - - - - -ADMX Info: -- GP Friendly name: *Disallow user override of locale settings* -- GP name: *PreventUserOverrides_2* -- GP path: *System\Locale Services* -- GP ADMX file name: *Globalization.admx* - - - -
    - - -**ADMX_Globalization/RestrictUILangSelect** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language isn't installed on the target computer, the language selection defaults to English. - -If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel aren't accessible to the signed-in user. This prevention of access prevents users from specifying a language different than the one used. +If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting. -If you disable or don't configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. +If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict selection of Windows menus and dialogs language* -- GP name: *RestrictUILangSelect* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/TurnOffAutocorrectMisspelledWords** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RestrictUILangSelect | +| Friendly Name | Restrict selection of Windows menus and dialogs language | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\Desktop | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TurnOffAutocorrectMisspelledWords -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy turns off the autocorrect misspelled words option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffAutocorrectMisspelledWords +``` + + + + +This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. -If the policy is enabled, then the option will be locked to not autocorrect misspelled words. +If the policy is Enabled, then the option will be locked to not autocorrect misspelled words. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. - +Note that the availability and function of this setting is dependent on supported languages being enabled. + - -ADMX Info: -- GP Friendly name: *Turn off autocorrect misspelled words* -- GP name: *TurnOffAutocorrectMisspelledWords* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/TurnOffHighlightMisspelledWords** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TurnOffAutocorrectMisspelledWords | +| Friendly Name | Turn off autocorrect misspelled words | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffAutocorrectMisspelledWords | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## TurnOffHighlightMisspelledWords - - -This policy turns off the highlight misspelled words option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffHighlightMisspelledWords +``` + + + + +This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. -If the policy is enabled, then the option will be locked to not highlight misspelled words. +If the policy is Enabled, then the option will be locked to not highlight misspelled words. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. +Note that the availability and function of this setting is dependent on supported languages being enabled. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off highlight misspelled words* -- GP name: *TurnOffHighlightMisspelledWords* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/TurnOffInsertSpace** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TurnOffHighlightMisspelledWords | +| Friendly Name | Turn off highlight misspelled words | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffHighlightMisspelledWords | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TurnOffInsertSpace -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy turns off the insert a space after selecting a text prediction option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffInsertSpace +``` + + + + +This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. -If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction. +If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. - +Note that the availability and function of this setting is dependent on supported languages being enabled. + - -ADMX Info: -- GP Friendly name: *Turn off insert a space after selecting a text prediction* -- GP name: *TurnOffInsertSpace* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Globalization/TurnOffOfferTextPredictions** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TurnOffInsertSpace | +| Friendly Name | Turn off insert a space after selecting a text prediction | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffInsertSpace | +| ADMX File Name | Globalization.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## TurnOffOfferTextPredictions - - -This policy turns off the offer text predictions as I type option. This turn off doesn't, however, prevent the user or an application from changing the setting programmatically. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/TurnOffOfferTextPredictions +``` + + + + +This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. -If the policy is enabled, then the option will be locked to not offer text predictions. +If the policy is Enabled, then the option will be locked to not offer text predictions. -If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. +If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. -The availability and function of this setting is dependent on supported languages being enabled. +Note that the availability and function of this setting is dependent on supported languages being enabled. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off offer text predictions as I type* -- GP name: *TurnOffOfferTextPredictions* -- GP path: *Control Panel\Regional and Language Options* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Globalization/Y2K** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TurnOffOfferTextPredictions | +| Friendly Name | Turn off offer text predictions as I type | +| Location | User Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | TurnOffOfferTextPredictions | +| ADMX File Name | Globalization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Y2K -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Globalization/Y2K +``` + + + + This policy setting determines how programs interpret two-digit years. -This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program doesn't interpret two-digit years correctly, consult the documentation or manufacturer of the program. +This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999. -If you disable or don't configure this policy setting, Windows doesn't interpret two-digit year formats using this scheme for the program. +If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. + - + + + - -ADMX Info: -- GP Friendly name: *Century interpretation for Year 2000* -- GP name: *Y2K* -- GP path: *System* -- GP ADMX file name: *Globalization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | Y2K | +| Friendly Name | Century interpretation for Year 2000 | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax | +| ADMX File Name | Globalization.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From b935ec3535d6b8b9b4306e66367de7ec0ed337c3 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 14:01:58 -0800 Subject: [PATCH 057/152] add admx wmp csp --- .../mdm/policy-csp-admx-windowsmediaplayer.md | 1931 +++++++++-------- 1 file changed, 1071 insertions(+), 860 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 30ea67c939..6f8ecd7843 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1,126 +1,417 @@ --- -title: Policy CSP - ADMX_WindowsMediaPlayer -description: Policy CSP - ADMX_WindowsMediaPlayer +title: ADMX_WindowsMediaPlayer Policy CSP +description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsMediaPlayer + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WindowsMediaPlayer policies + +## DisableAutoUpdate -
    -
    - ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings -
    -
    - ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings -
    -
    - ADMX_WindowsMediaPlayer/DisableAutoUpdate -
    -
    - ADMX_WindowsMediaPlayer/DisableNetworkSettings -
    -
    - ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration -
    -
    - ADMX_WindowsMediaPlayer/DoNotShowAnchor -
    -
    - ADMX_WindowsMediaPlayer/DontUseFrameInterpolation -
    -
    - ADMX_WindowsMediaPlayer/EnableScreenSaver -
    -
    - ADMX_WindowsMediaPlayer/HidePrivacyTab -
    -
    - ADMX_WindowsMediaPlayer/HideSecurityTab -
    -
    - ADMX_WindowsMediaPlayer/NetworkBuffering -
    -
    - ADMX_WindowsMediaPlayer/PolicyCodecUpdate -
    -
    - ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventLibrarySharing -
    -
    - ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut -
    -
    - ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval -
    -
    - ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut -
    -
    - ADMX_WindowsMediaPlayer/SkinLockDown -
    -
    - ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableAutoUpdate +``` + -
    + + +This policy setting allows you to turn off do not show first use dialog boxes. - -**ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings** +If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. - +This policy setting prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoUpdate | +| Friendly Name | Prevent Automatic Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DisableAutoUpdate | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + + +## DisableSetupFirstUseConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration +``` + + + + +This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. + +If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. + +If you disable or do not configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. + +If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSetupFirstUseConfiguration | +| Friendly Name | Do Not Show First Use Dialog Boxes | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | GroupPrivacyAcceptance | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + + +## DontUseFrameInterpolation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DontUseFrameInterpolation +``` + + + + +This policy setting allows you to prevent video smoothing from occurring. + +If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. + +If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and is not available. + +If you do not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. + +Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DontUseFrameInterpolation | +| Friendly Name | Prevent Video Smoothing | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DontUseFrameInterpolation | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + + +## PreventLibrarySharing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventLibrarySharing +``` + + + + +This policy setting allows you to prevent media sharing from Windows Media Player. + +If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. + +If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLibrarySharing | +| Friendly Name | Prevent Media Sharing | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventLibrarySharing | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + + +## PreventQuickLaunchShortcut + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut +``` + + + + +This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. + +If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. + +If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventQuickLaunchShortcut | +| Friendly Name | Prevent Quick Launch Toolbar Shortcut Creation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | QuickLaunchShortcut | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + + +## PreventWMPDeskTopShortcut + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut +``` + + + + +This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. + +If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. + +If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventWMPDeskTopShortcut | +| Friendly Name | Prevent Desktop Shortcut Creation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DesktopShortcut | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + + +## ConfigureHTTPProxySettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings +``` + + + + This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -131,55 +422,68 @@ If you enable this policy setting, select one of the following proxy types: If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected. -The Configure button on the Network tab in the Player isn't available for the HTTP protocol and the proxy can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. +The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP isn't selected. +This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected. -If you disable this policy setting, the HTTP proxy server can't be used and the user can't configure the HTTP proxy. +If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy. -If you don't configure this policy setting, users can configure the HTTP proxy settings. +If you do not configure this policy setting, users can configure the HTTP proxy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure HTTP Proxy* -- GP name: *ConfigureHTTPProxySettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureHTTPProxySettings | +| Friendly Name | Configure HTTP Proxy | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP | +| Registry Value Name | ProxyPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureMMSProxySettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings +``` + - - + + This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -189,55 +493,68 @@ If you enable this policy setting, select one of the following proxy types: If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. -The Configure button on the Network tab in the Player isn't available and the protocol can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. +The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast isn't selected. +This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected. -If you disable this policy setting, the MMS proxy server can't be used and users can't configure the MMS proxy settings. +If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy settings. -If you don't configure this policy setting, users can configure the MMS proxy settings. +If you do not configure this policy setting, users can configure the MMS proxy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure MMS Proxy* -- GP name: *ConfigureMMSProxySettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureMMSProxySettings | +| Friendly Name | Configure MMS Proxy | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS | +| Registry Value Name | ProxyPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureRTSPProxySettings -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings +``` + - - + + This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -247,902 +564,796 @@ If you enable this policy setting, select one of the following proxy types: If the Custom proxy type is selected, the rest of the options on the Setting tab must be specified; otherwise, the default settings are used. The options are ignored if Autodetect is selected. -The Configure button on the Network tab in the Player isn't available and the protocol can't be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. +The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -If you disable this policy setting, the RTSP proxy server can't be used and users can't change the RTSP proxy settings. +If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. -If you don't configure this policy setting, users can configure the RTSP proxy settings. +If you do not configure this policy setting, users can configure the RTSP proxy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure RTSP Proxy* -- GP name: *ConfigureRTSPProxySettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/DisableAutoUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureRTSPProxySettings | +| Friendly Name | Configure RTSP Proxy | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\RTSP | +| Registry Value Name | ProxyPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableNetworkSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableNetworkSettings +``` + - - -This policy setting allows you to turn off do not show first use dialog boxes. - -If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. - -This policy setting prevents the dialog boxes that allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. - - -If you disable or don't configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. - - - - - -ADMX Info: -- GP Friendly name: *Prevent Automatic Updates* -- GP name: *DisableAutoUpdate* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* - - - -
    - - -**ADMX_WindowsMediaPlayer/DisableNetworkSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. -If you disable or don't configure this policy setting, the Network tab appears and users can use it to configure network settings. +If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Network Tab* -- GP name: *DisableNetworkSettings* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableNetworkSettings | +| Friendly Name | Hide Network Tab | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | HideNetworkTab | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotShowAnchor -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DoNotShowAnchor +``` + - - -This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. + + +Prevents the anchor window from being displayed when Windows Media Player is in skin mode. -If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays isn't available. +This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. -If you disable or don't configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. +When this policy is not configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. -If you don't configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window aren't available. +When this policy is not configured and the Set and Lock Skin policy is enabled, some options in the anchor window are not available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do Not Show First Use Dialog Boxes* -- GP name: *DisableSetupFirstUseConfiguration* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/DoNotShowAnchor** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DoNotShowAnchor | +| Friendly Name | Do Not Show Anchor | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DoNotShowAnchor | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableScreenSaver -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/EnableScreenSaver +``` + - - -This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. - -This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays isn't available. - -When this policy isn't configured or disabled, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. - -When this policy isn't configured and the Set and Lock Skin policy is enabled, some options in the anchor window aren't available. - - - - - -ADMX Info: -- GP Friendly name: *Do Not Show Anchor* -- GP name: *DoNotShowAnchor* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* - - - -
    - - -**ADMX_WindowsMediaPlayer/DontUseFrameInterpolation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to prevent video smoothing from occurring. - -If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and isn't available. - -If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and isn't available. - -If you don't configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. - -Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. - - - - - -ADMX Info: -- GP Friendly name: *Prevent Video Smoothing* -- GP name: *DontUseFrameInterpolation* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* - - - -
    - - -**ADMX_WindowsMediaPlayer/EnableScreenSaver** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows a screen saver to interrupt playback. -If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and isn't available. +If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. -If you disable this policy setting, a screen saver doesn't interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and isn't available. +If you disable this policy setting, a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is not available. -If you don't configure this policy setting, users can change the setting for the Allow screen saver during playback check box. +If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Screen Saver* -- GP name: *EnableScreenSaver* -- GP path: *Windows Components\Windows Media Player\Playback* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/HidePrivacyTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableScreenSaver | +| Friendly Name | Allow Screen Saver | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Playback | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | EnableScreenSaver | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HidePrivacyTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/HidePrivacyTab +``` + - - + + This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. The default privacy settings are used for the options on the Privacy tab unless the user changed the settings previously. -If you disable or don't configure this policy setting, the Privacy tab isn't hidden, and users can configure any privacy settings not configured by other policies. +If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Automatic Updates* -- GP name: *HidePrivacyTab* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/HideSecurityTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HidePrivacyTab | +| Friendly Name | Hide Privacy Tab | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | HidePrivacyTab | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideSecurityTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/HideSecurityTab +``` + - - + + This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. -If you disable or don't configure this policy setting, users can configure the security settings on the Security tab. +If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide Security Tab* -- GP name: *HideSecurityTab* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/NetworkBuffering** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HideSecurityTab | +| Friendly Name | Hide Security Tab | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | HideSecurityTab | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NetworkBuffering -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/NetworkBuffering +``` + - - + + This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. -If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it's played. +If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. - Custom: the number of seconds, up to 60, that streaming media is buffered. - Default: default network buffering is used and the number of seconds that is specified is ignored. -The "Use default buffering" and "Buffer" options on the Performance tab in the Player aren't available. +The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available. -If you disable or don't configure this policy setting, users can change the buffering options on the Performance tab. +If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Network Buffering* -- GP name: *NetworkBuffering* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/PolicyCodecUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NetworkBuffering | +| Friendly Name | Configure Network Buffering | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | NetworkBufferingPolicy | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PolicyCodecUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PolicyCodecUpdate +``` + - - + + This policy setting allows you to prevent Windows Media Player from downloading codecs. -If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player isn't available. +If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. -If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box isn't available. +If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available. -If you don't configure this policy setting, users can change the setting for the Download codecs automatically check box. +If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Codec Download* -- GP name: *PolicyCodecUpdate* -- GP path: *Windows Components\Windows Media Player\Playback* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PolicyCodecUpdate | +| Friendly Name | Prevent Codec Download | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Playback | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventCodecDownload | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventCDDVDMetadataRetrieval -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval +``` + - - + + This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player aren't selected and aren't available. +If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. -If you disable or don't configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. +If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent CD and DVD Media Information Retrieval* -- GP name: *PreventCDDVDMetadataRetrieval* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/PreventLibrarySharing** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventCDDVDMetadataRetrieval | +| Friendly Name | Prevent CD and DVD Media Information Retrieval | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventCDDVDMetadataRetrieval | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventMusicFileMetadataRetrieval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval +``` + - - -This policy setting allows you to prevent media sharing from Windows Media Player. - -If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. - -If you disable or don't configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. - - - - - -ADMX Info: -- GP Friendly name: *Prevent Media Sharing* -- GP name: *PreventLibrarySharing* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* - - - -
    - - -**ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to prevent media information for music files from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player aren't selected and aren't available. +If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. -If you disable or don't configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. +If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Music File Media Information Retrieval* -- GP name: *PreventMusicFileMetadataRetrieval* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventMusicFileMetadataRetrieval | +| Friendly Name | Prevent Music File Media Information Retrieval | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventMusicFileMetadataRetrieval | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventRadioPresetsRetrieval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval +``` + - - -This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. - -If you enable this policy setting, the user can't add the shortcut for the Player to the Quick Launch bar. - -If you disable or don't configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. - - - - - -ADMX Info: -- GP Friendly name: *Prevent Quick Launch Toolbar Shortcut Creation* -- GP name: *PreventQuickLaunchShortcut* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* - - - -
    - - -**ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -
    - - - + + This policy setting allows you to prevent radio station presets from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured aren't updated, and the presets that a user adds aren't displayed. +If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. -If you disable or don't configure this policy setting, the Player automatically retrieves radio station presets from the Internet. +If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *PPrevent Radio Station Preset Retrieval* -- GP name: *PreventRadioPresetsRetrieval* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PreventRadioPresetsRetrieval | +| Friendly Name | Prevent Radio Station Preset Retrieval | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventRadioPresetsRetrieval | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SkinLockDown -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/SkinLockDown +``` + - - -This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. - -If you enable this policy setting, users can't add the Player shortcut icon to their desktops. - -If you disable or don't configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. - - - - - -ADMX Info: -- GP Friendly name: *Prevent Desktop Shortcut Creation* -- GP name: *PreventWMPDeskTopShortcut* -- GP path: *Windows Components\Windows Media Player* -- GP ADMX file name: *WindowsMediaPlayer.admx* - - - -
    - - -**ADMX_WindowsMediaPlayer/SkinLockDown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. -You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin isn't installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank. +You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank. -A user has access only to the Player features that are available with the specified skin. Users can't switch the Player to full mode and can't choose a different skin. +A user has access only to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different skin. -If you disable or don't configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. +If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set and Lock Skin* -- GP name: *SkinLockDown* -- GP path: *Windows Components\Windows Media Player\User Interface* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SkinLockDown | +| Friendly Name | Set and Lock Skin | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > User Interface | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | SetAndLockSkin | +| ADMX File Name | windowsmediaplayer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WindowsStreamingMediaProtocols -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols +``` + - - + + This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. -If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user doesn't specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. +If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. -If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator doesn't specify any protocols, the Player can't access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. +If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. -If you don't configure this policy setting, users can select the protocols to use on the Network tab. +If you do not configure this policy setting, users can select the protocols to use on the Network tab. -If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab aren't available and the Player can't receive an MMS or RTSP stream from a Windows Media server. +If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Streaming Media Protocols* -- GP name: *WindowsStreamingMediaProtocols* -- GP path: *Windows Components\Windows Media Player\Networking* -- GP ADMX file name: *WindowsMediaPlayer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WindowsStreamingMediaProtocols | +| Friendly Name | Streaming Media Protocols | +| Location | User Configuration | +| Path | Windows Components > Windows Media Player > Networking | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer\Protocols | +| Registry Value Name | WindowsMediaStreamingProtocols | +| ADMX File Name | windowsmediaplayer.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 1ef959d66f059e0a2082b01754185734ed55118d Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 14:03:20 -0800 Subject: [PATCH 058/152] add admx win media drm csp --- .../mdm/policy-csp-admx-windowsmediadrm.md | 131 ++++++++++-------- 1 file changed, 71 insertions(+), 60 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 4528596266..2f726a8d3a 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -1,89 +1,100 @@ --- -title: Policy CSP - ADMX_WindowsMediaDRM -description: Policy CSP - ADMX_WindowsMediaDRM +title: ADMX_WindowsMediaDRM Policy CSP +description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsMediaDRM + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WindowsMediaDRM policies + +## DisableOnline -
    -
    - ADMX_WindowsMediaDRM/DisableOnline -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaDRM/DisableOnline +``` + -
    - - -**ADMX_WindowsMediaDRM/DisableOnline** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). + + +Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. -When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario. +When this policy is enabled, programs are not able to acquire licenses for secure content, upgrade Windows Media DRM security components, or restore backed up content licenses. Secure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and play this protected content on their computer, since the license is generated locally in this scenario. When this policy is either disabled or not configured, Windows Media DRM functions normally and will connect to the Internet (or intranet) to acquire licenses, download security upgrades, and perform license restoration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Windows Media DRM Internet Access* -- GP name: *DisableOnline* -- GP path: *Windows Components\Windows Media Digital Rights Management* -- GP ADMX file name: *WindowsMediaDRM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisableOnline | +| Friendly Name | Prevent Windows Media DRM Internet Access | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Digital Rights Management | +| Registry Key Name | Software\Policies\Microsoft\WMDRM | +| Registry Value Name | DisableOnline | +| ADMX File Name | windowsmediadrm.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 7daf1e08dce7dc01a98e60c016f19f1cd5459913 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Wed, 21 Dec 2022 17:19:04 -0500 Subject: [PATCH 059/152] admx grouppolicy --- .../mdm/policy-csp-admx-grouppolicy.md | 4201 +++++++++-------- 1 file changed, 2294 insertions(+), 1907 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index cc8dec4cff..8c9d4e91c9 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,1741 +1,1602 @@ --- -title: Policy CSP - ADMX_GroupPolicy -description: Learn about the Policy CSP - ADMX_GroupPolicy. +title: ADMX_GroupPolicy Policy CSP +description: Learn more about the ADMX_GroupPolicy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_GroupPolicy ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_GroupPolicy policies + +##### AllowX/ForestPolicy/and/RUP -
    -
    - ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP -
    -
    - ADMX_GroupPolicy/CSE_AppMgmt -
    -
    - ADMX_GroupPolicy/CSE_DiskQuota -
    -
    - ADMX_GroupPolicy/CSE_EFSRecovery -
    -
    - ADMX_GroupPolicy/CSE_FolderRedirection -
    -
    - ADMX_GroupPolicy/CSE_IEM -
    -
    - ADMX_GroupPolicy/CSE_IPSecurity -
    -
    - ADMX_GroupPolicy/CSE_Registry -
    -
    - ADMX_GroupPolicy/CSE_Scripts -
    -
    - ADMX_GroupPolicy/CSE_Security -
    -
    - ADMX_GroupPolicy/CSE_Wired -
    -
    - ADMX_GroupPolicy/CSE_Wireless -
    -
    - ADMX_GroupPolicy/CorpConnSyncWaitTime -
    -
    - ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 -
    -
    - ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 -
    -
    - ADMX_GroupPolicy/DisableAOACProcessing -
    -
    - ADMX_GroupPolicy/DisableAutoADMUpdate -
    -
    - ADMX_GroupPolicy/DisableBackgroundPolicy -
    -
    - ADMX_GroupPolicy/DisableLGPOProcessing -
    -
    - ADMX_GroupPolicy/DisableUsersFromMachGP -
    -
    - ADMX_GroupPolicy/EnableCDP -
    -
    - ADMX_GroupPolicy/EnableLogonOptimization -
    -
    - ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU -
    -
    - ADMX_GroupPolicy/EnableMMX -
    -
    - ADMX_GroupPolicy/EnforcePoliciesOnly -
    -
    - ADMX_GroupPolicy/FontMitigation -
    -
    - ADMX_GroupPolicy/GPDCOptions -
    -
    - ADMX_GroupPolicy/GPTransferRate_1 -
    -
    - ADMX_GroupPolicy/GPTransferRate_2 -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRate -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRateDC -
    -
    - ADMX_GroupPolicy/GroupPolicyRefreshRateUser -
    -
    - ADMX_GroupPolicy/LogonScriptDelay -
    -
    - ADMX_GroupPolicy/NewGPODisplayName -
    -
    - ADMX_GroupPolicy/NewGPOLinksDisabled -
    -
    - ADMX_GroupPolicy/OnlyUseLocalAdminFiles -
    -
    - ADMX_GroupPolicy/ProcessMitigationOptions -
    -
    - ADMX_GroupPolicy/RSoPLogging -
    -
    - ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy -
    -
    - ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess -
    -
    - ADMX_GroupPolicy/SlowlinkDefaultToAsync -
    -
    - ADMX_GroupPolicy/SyncWaitTime -
    -
    - ADMX_GroupPolicy/UserPolicyMode -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP +``` + -
    - - -**ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. -This policy setting affects all user accounts that interactively sign in to a computer in a different forest when a trust across forests or a two-way forest trust exists. - -If you don't configure this policy setting: +This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. +If you do not configure this policy setting: - No user-based policy settings are applied from the user's forest. -- Users don't receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. +- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. - Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. - An event log message (1109) is posted, stating that loopback was invoked in Replace mode. If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. -If you disable this policy setting, the behavior is the same as if it isn't configured. +If you disable this policy setting, the behavior is the same as if it is not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow cross-forest user policy and roaming user profiles* -- GP name: *AllowX-ForestPolicy-and-RUP* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_AppMgmt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowX-ForestPolicy-and-RUP | +| Friendly Name | Allow cross-forest user policy and roaming user profiles | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowX-ForestPolicy-and-RUP | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CorpConnSyncWaitTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CorpConnSyncWaitTime +``` + - - + + +This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. + +If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpConnSyncWaitTime | +| Friendly Name | Specify workplace connectivity wait time for policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## CSE_AppMgmt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_AppMgmt +``` + + + + This policy setting determines when software installation policies are updated. This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer. This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy setting implementations specify that they're updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policy in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure software Installation policy processing* -- GP name: *CSE_AppMgmt* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_DiskQuota** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_AppMgmt | +| Friendly Name | Configure software Installation policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f7} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_DiskQuota -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_DiskQuota +``` + - - + + This policy setting determines when disk quota policies are updated. -This policy setting affects all policies that use the disk quota component of Group Policy, such as those policies in Computer Configuration\Administrative Templates\System\Disk Quotas. +This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure disk quota policy processing* -- GP name: *CSE_DiskQuota* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_EFSRecovery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_DiskQuota | +| Friendly Name | Configure disk quota policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_EFSRecovery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_EFSRecovery +``` + - - + + This policy setting determines when encryption policies are updated. This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. It overrides customized settings that the program implementing the encryption policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure EFS recovery policy processing* -- GP name: *CSE_EFSRecovery* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_FolderRedirection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_EFSRecovery | +| Friendly Name | Configure EFS recovery policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_FolderRedirection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_FolderRedirection +``` + - - + + This policy setting determines when folder redirection policies are updated. -This policy setting affects all policies that use the folder redirection component of Group Policy, such as those policies in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. +This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer. This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure folder redirection policy processing* -- GP name: *CSE_FolderRedirection* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_IEM** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_FolderRedirection | +| Friendly Name | Configure folder redirection policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080861} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_IEM -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_IEM +``` + - - + + This policy setting determines when Internet Explorer Maintenance policies are updated. -This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those policies in Windows Settings\Internet Explorer Maintenance. +This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance. This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Internet Explorer Maintenance policy processing* -- GP name: *CSE_IEM* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_IPSecurity** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_IEM | +| Friendly Name | Configure Internet Explorer Maintenance policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_IPSecurity -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_IPSecurity +``` + - - + + This policy setting determines when IP security policies are updated. This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine. This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure IP security policy processing* -- GP name: *CSE_IPSecurity* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_Registry** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_IPSecurity | +| Friendly Name | Configure IP security policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e27} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Registry -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Registry +``` + - - + + This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure registry policy processing* -- GP name: *CSE_Registry* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_Scripts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Registry | +| Friendly Name | Configure registry policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Scripts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Scripts +``` + - - + + This policy setting determines when policies that assign shared scripts are updated. -This policy setting affects all policies that use the scripts component of Group Policy, such as those policies in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. +This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure scripts policy processing* -- GP name: *CSE_Scripts* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_Security** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Scripts | +| Friendly Name | Configure scripts policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571E3} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Security -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Security +``` + - - + + This policy setting determines when security policies are updated. -This policy setting affects all policies that use the security component of Group Policy, such as those policies in Windows Settings\Security Settings. +This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. This policy setting overrides customized settings that the program implementing the security policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system. +If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure security policy processing* -- GP name: *CSE_Security* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_Wired** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Security | +| Friendly Name | Configure security policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Wired -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Wired +``` + - - + + This policy setting determines when policies that assign wired network settings are updated. -This policy setting affects all policies that use the wired network component of Group Policy, such as those policies in Windows Settings\Wired Network Policies. +This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. It overrides customized settings that the program implementing the wired network set when it was installed. If you enable this policy, you can use the check boxes provided to change the options. -If you disable this setting or don't configure it, it has no effect on the system. +If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure wired policy processing* -- GP name: *CSE_Wired* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CSE_Wireless** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Wired | +| Friendly Name | Configure wired policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CSE_Wireless -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Wireless +``` + - - + + This policy setting determines when policies that assign wireless network settings are updated. -This policy setting affects all policies that use the wireless network component of Group Policy, such as those policies in WindowsSettings\Wireless Network Policies. +This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies. It overrides customized settings that the program implementing the wireless network set when it was installed. If you enable this policy, you can use the check boxes provided to change the options. -If you disable this setting or don't configure it, it has no effect on the system. +If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. -The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart. +The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. -The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. +The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure wireless policy processing* -- GP name: *CSE_Wireless* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/CorpConnSyncWaitTime** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CSE_Wireless | +| Friendly Name | Configure wireless policy processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DenyRsopToInteractiveUser_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DenyRsopToInteractiveUser_2 +``` + - - -This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer isn't blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. - -If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. - -If you disable or don't configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. - - - - - -ADMX Info: -- GP Friendly name: *Specify workplace connectivity wait time for policy processing* -- GP name: *CorpConnSyncWaitTime* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/DenyRsopToInteractiveUser_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. -If you enable this policy setting, interactive users can't generate RSoP data. +If you enable this policy setting, interactive users cannot generate RSoP data. -If you disable or don't configure this policy setting, interactive users can generate RSoP. +If you disable or do not configure this policy setting, interactive users can generate RSoP. -> [!NOTE] -> This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. -> -> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. -> -> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. +Note: This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. - +Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc +Note: This policy setting exists as both a User Configuration and Computer Configuration setting. - -ADMX Info: -- GP Friendly name: *Determine if interactive users can generate Resultant Set of Policy data* -- GP name: *DenyRsopToInteractiveUser_1* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + - - -
    + + + - -**ADMX_GroupPolicy/DenyRsopToInteractiveUser_2** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | DenyRsopToInteractiveUser | +| Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyRsopToInteractiveUser | +| ADMX File Name | GroupPolicy.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +## DisableAOACProcessing -By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, interactive users can't generate RSoP data. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableAOACProcessing +``` + -If you disable or don't configure this policy setting, interactive users can generate RSoP - -> [!NOTE] -> This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. -> -> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc. -> -> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. - - - - - -ADMX Info: -- GP Friendly name: *Determine if interactive users can generate Resultant Set of Policy data* -- GP name: *DenyRsopToInteractiveUser_2* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/DisableAOACProcessing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting prevents the Group Policy Client Service from stopping when idle. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Group Policy Client Service AOAC optimization* -- GP name: *DisableAOACProcessing* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/DisableAutoADMUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableAOACProcessing | +| Friendly Name | Turn off Group Policy Client Service AOAC optimization | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableAOACProcessing | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableBackgroundPolicy -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableBackgroundPolicy +``` + - - -Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. - -Administrators might want to use this option if they're concerned about the amount of space used on the system volume of a DC. - -By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. - -If the local files are newer, they're copied into the GPO. - -Changing the status of this setting to Enabled will keep any source files from copying to the GPO. - -Changing the status of this setting to Disabled will enforce the default behavior. - -Files will always be copied to the GPO if they have a later timestamp. - -> [!NOTE] -> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn off automatic update of ADM files* -- GP name: *DisableAutoADMUpdate* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/DisableBackgroundPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. -If you enable this policy setting, the system waits until the current user signs out the system before updating the computer and user settings. +If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. -If you disable or don't configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. +If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. -> [!NOTE] -> If you make changes to this policy setting, you must restart your computer for it to take effect. +Note: If you make changes to this policy setting, you must restart your computer for it to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off background refresh of Group Policy* -- GP name: *DisableBackgroundPolicy* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/DisableLGPOProcessing** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableBackgroundPolicy | +| Friendly Name | Turn off background refresh of Group Policy | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableBkGndGroupPolicy | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableLGPOProcessing -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableLGPOProcessing +``` + - - + + This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. -If you enable this policy setting, the system doesn't process and apply any Local GPOs. +If you enable this policy setting, the system does not process and apply any Local GPOs. -If you disable or don't configure this policy setting, Local GPOs continue to be applied. +If you disable or do not configure this policy setting, Local GPOs continue to be applied. -> [!NOTE] -> For computers joined to a domain, it's strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. +Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Local Group Policy Objects processing* -- GP name: *DisableLGPOProcessing* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/DisableUsersFromMachGP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLGPOProcessing | +| Friendly Name | Turn off Local Group Policy Objects processing | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableLGPOProcessing | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableUsersFromMachGP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableUsersFromMachGP +``` + - - + + This policy setting allows you to control a user's ability to invoke a computer policy refresh. -If you enable this policy setting, users aren't able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. +If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. -If you disable or don't configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. +If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. -> [!NOTE] -> This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. +Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval. -> [!NOTE] -> If you make changes to this policy setting, you must restart your computer for it to take effect. +Note: If you make changes to this policy setting, you must restart your computer for it to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove users' ability to invoke machine policy refresh* -- GP name: *DisableUsersFromMachGP* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/EnableCDP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableUsersFromMachGP | +| Friendly Name | Remove users' ability to invoke machine policy refresh | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyUsersFromMachGP | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableCDP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableCDP +``` + - - + + This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. -If you disable this policy setting, the Windows device isn't discoverable by other devices, and can't participate in cross-device experiences. +If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences. -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Continue experiences on this device* -- GP name: *EnableCDP* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/EnableLogonOptimization** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableCDP | +| Friendly Name | Continue experiences on this device | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableCdp | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableLogonOptimization -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableLogonOptimization +``` + - - + + This policy setting allows you to configure Group Policy caching behavior. -If you enable or don't configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. -The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there's no network connectivity. This waiting period stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or sign in. The default is 5000 milliseconds. +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. -If you disable this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Group Policy Caching* -- GP name: *EnableLogonOptimization* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableLogonOptimization | +| Friendly Name | Configure Group Policy Caching | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableLogonOptimization | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableLogonOptimizationOnServerSKU -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU +``` + - - + + This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. - If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) - The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. +The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. +If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + -The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there's no network connectivity. This waiting period stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or sign in. The default is 5000 milliseconds. + + + -If you disable or don't configure this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Enable Group Policy Caching for Servers* -- GP name: *EnableLogonOptimizationOnServerSKU* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | EnableLogonOptimizationOnServerSKU | +| Friendly Name | Enable Group Policy Caching for Servers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableLogonOptimizationOnServerSKU | +| ADMX File Name | GroupPolicy.admx | + - -**ADMX_GroupPolicy/EnableMMX** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableMMX - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnableMMX +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that require linking between Phone and PC. + + +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. -If you disable this policy setting, the Windows device isn't allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and can't participate in Continue on PC experiences. +If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Phone-PC linking on this device* -- GP name: *EnableMMX* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/EnforcePoliciesOnly** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableMMX | +| Friendly Name | Phone-PC linking on this device | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableMmx | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FontMitigation -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/FontMitigation +``` + - - -This policy setting prevents administrators from viewing or using Group Policy preferences. + + +This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. + -A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which aren't fully supported, use registry entries in other subkeys. + + + -If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators can't turn it off. As a result, Group Policy Object Editor displays only true settings; preferences don't appear. + +**Description framework properties**: -If you disable or don't configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Font_List | +| Friendly Name | Untrusted Font Blocking | +| Location | Computer Configuration | +| Path | System > Mitigation Options | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions | +| ADMX File Name | GroupPolicy.admx | + + + + - -ADMX Info: -- GP Friendly name: *Enforce Show Policies Only* -- GP name: *EnforcePoliciesOnly* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* + - - -
    + +## GPTransferRate_2 - -**ADMX_GroupPolicy/FontMitigation** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPTransferRate_2 +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. - -This feature can be configured to be in three modes: On, Off, and Audit. By default, it's Off and no fonts are blocked. If you aren't ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues. - - - - - -ADMX Info: -- GP Friendly name: *Untrusted Font Blocking* -- GP name: *DisableUsersFromMachGP* -- GP path: *System\Mitigation Options* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/GPDCOptions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. - -If you enable this setting, you can know which domain controller is used according to these options: - -"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. - -"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. - -"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. - -If you disable this setting or don't configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. - -> [!NOTE] -> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." - - - - - -ADMX Info: -- GP Friendly name: *Configure Group Policy domain controller selection* -- GP name: *GPDCOptions* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/GPTransferRate_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. -The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified responses to slow links. +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. -If you disable this setting or don't configure it, the system uses the default value of 500 kilobits per second. +If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. -> [!NOTE] -> If the profile server has IP connectivity, the connection speed setting is used. If the profile server doesn't have IP connectivity, the SMB timing is used. +**Note**: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Group Policy slow link detection* -- GP name: *GPTransferRate_1* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/GPTransferRate_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GPTransferRate | +| Friendly Name | Configure Group Policy slow link detection | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GroupPolicyRefreshRate -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRate +``` + - - -This policy setting defines a slow connection for purposes of applying and updating Group Policy. - -If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. - -The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified responses to slow links. - -If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. - -If you disable this setting or don't configure it, the system uses the default value of 500 kilobits per second. - -This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. - -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. - -> [!NOTE] -> If the profile server has IP connectivity, the connection speed setting is used. If the profile server doesn't have IP connectivity, the SMB timing is used. - - - - - -ADMX Info: -- GP Friendly name: *Configure Group Policy slow link detection* -- GP name: *GPTransferRate_2* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/GroupPolicyRefreshRate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. In addition to background updates, Group Policy for the computer is always updated when the system starts. By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. @@ -1743,221 +1604,1135 @@ The Set Group Policy refresh interval for computers policy also lets you specify This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy). -This setting is only used when the "Turn off background refresh of Group Policy" setting isn't enabled. +This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled. -> [!NOTE] -> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. +Note: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Group Policy refresh interval for computers* -- GP name: *GroupPolicyRefreshRate* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/GroupPolicyRefreshRateDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRate | +| Friendly Name | Set Group Policy refresh interval for computers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GroupPolicyRefreshRateDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRateDC +``` + - - -This policy setting specifies how often Group Policy is updated on domain controllers while they're running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. + + +This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. By default, Group Policy on the domain controllers is updated every five minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. -If you disable or don't configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. +If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly. -> [!NOTE] -> This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. +Note: This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Group Policy refresh interval for domain controllers* -- GP name: *GroupPolicyRefreshRateDC* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/GroupPolicyRefreshRateUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRateDC | +| Friendly Name | Set Group Policy refresh interval for domain controllers | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LogonScriptDelay -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/LogonScriptDelay +``` + - - + + +Enter “0” to disable Logon Script Delay. + +This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. + +By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. + +If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. + +If you disable this policy setting, Group Policy will run scripts immediately after logon. + +If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LogonScriptDelay | +| Friendly Name | Configure Logon Script Delay | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableLogonScriptDelay | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## OnlyUseLocalAdminFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/OnlyUseLocalAdminFiles +``` + + + + +This policy setting lets you always use local ADM files for the Group Policy snap-in. + +By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. + +This leads to the following behavior: + +- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files. + +- If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. + +You can change this behavior by using this setting. + +If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. + +This leads to the following behavior: + +- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. + +If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. + +Note: If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OnlyUseLocalAdminFiles | +| Friendly Name | Always use local ADM files for Group Policy Object Editor | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy | +| Registry Value Name | OnlyUseLocalAdminFiles | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## ProcessMitigationOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/ProcessMitigationOptions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/ProcessMitigationOptions +``` + + + + +This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: + +PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) +Enables data execution prevention (DEP) for the child process + +PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) +Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. + +PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004) +Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. + +PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) +The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that do not have a base relocation section will not be loaded. + +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) +The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. + +For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: +???????????????0???????1???????1 + +Setting flags not specified here to any value other than ? results in undefined behavior. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ProcessMitigationOptions_List | +| Friendly Name | Process Mitigation Options | +| Location | Computer and User Configuration | +| Path | System > Mitigation Options | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## ResetDfsClientInfoDuringRefreshPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy +``` + + + + +Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ResetDfsClientInfoDuringRefreshPolicy | +| Friendly Name | Enable AD/DFS domain controller synchronization during policy refresh | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | ResetDfsClientInfoDuringRefreshPolicy | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## RSoPLogging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/RSoPLogging +``` + + + + +This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. + +RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. + +If you enable this setting, RSoP logging is turned off. + +If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. + +Note: To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RSoPLogging | +| Friendly Name | Turn off Resultant Set of Policy logging | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | RSoPLogging | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## SlowLinkDefaultForDirectAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess +``` + + + + +This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. + +When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. + +Note: When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). + +If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. + +If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SlowLinkDefaultForDirectAccess | +| Friendly Name | Configure Direct Access connections as a fast network connection | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | SlowLinkDefaultForDirectAccess | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## SlowlinkDefaultToAsync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/SlowlinkDefaultToAsync +``` + + + + +This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. + +If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. +Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, +which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. +Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection +and Drive Maps preference extension will not be applied. + +Note: There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: +1 - At the first computer startup after the client computer has joined the domain. +2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. + +If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SlowlinkDefaultToAsync | +| Friendly Name | Change Group Policy processing to run asynchronously when a slow network connection is detected. | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | SlowlinkDefaultToAsync | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## SyncWaitTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/SyncWaitTime +``` + + + + +This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. + +If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. + +If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SyncWaitTime | +| Friendly Name | Specify startup policy processing wait time | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## UserPolicyMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/UserPolicyMode +``` + + + + +This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. + +By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. + +If you enable this setting, you can select one of the following modes from the Mode box: + +"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. + +"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. + +If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. + +Note: This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | UserPolicyMode | +| Friendly Name | Configure user Group Policy loopback processing mode | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## DenyRsopToInteractiveUser_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +``` + + + + +This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +If you enable this policy setting, interactive users cannot generate RSoP data. + +If you disable or do not configure this policy setting, interactive users can generate RSoP. + +Note: This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. + +Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc + +Note: This policy setting exists as both a User Configuration and Computer Configuration setting. + +Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DenyRsopToInteractiveUser | +| Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyRsopToInteractiveUser | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## DisableAutoADMUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableAutoADMUpdate +``` + + + + +Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. + +By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. If the local files are newer, they are copied into the GPO. + +Changing the status of this setting to Enabled will keep any source files from copying to the GPO. + +Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp. + +NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoADMUpdate | +| Friendly Name | Turn off automatic update of ADM files | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | DisableAutoADMUpdate | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## EnforcePoliciesOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnforcePoliciesOnly +``` + + + + +This policy setting prevents administrators from viewing or using Group Policy preferences. + +A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. + +If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. + +If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. + +Note: To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." + +In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnforcePoliciesOnly | +| Friendly Name | Enforce Show Policies Only | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | ShowPoliciesOnly | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## GPDCOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPDCOptions +``` + + + + +This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. + +If you enable this setting, you can which domain controller is used according to these options: + +"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. + +"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. + +"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. + +If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. + +Note: To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | GPDCOptions | +| Friendly Name | Configure Group Policy domain controller selection | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## GPTransferRate_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPTransferRate_1 +``` + + + + +This policy setting defines a slow connection for purposes of applying and updating Group Policy. + +If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. + +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. + +If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. + +If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. + +This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. + +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. + +**Note**: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | GPTransferRate | +| Friendly Name | Configure Group Policy slow link detection | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## GroupPolicyRefreshRateUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRateUser +``` + + + + This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. -In addition to background updates, Group Policy for users is always updated when users sign in. +In addition to background updates, Group Policy for users is always updated when users log on. By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. -> [!IMPORTANT] -> If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. +Important: If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. -> [!NOTE] -> This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). +Note: This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). +Tip: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRateUser | +| Friendly Name | Set Group Policy refresh interval for users | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + - -ADMX Info: -- GP Friendly name: *Set Group Policy refresh interval for users* -- GP name: *GroupPolicyRefreshRateUser* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* + + + - - -
    + - -**ADMX_GroupPolicy/LogonScriptDelay** + +## NewGPODisplayName - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPODisplayName +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enter “0” to disable Logon Script Delay. - -This policy setting allows you to configure how long the Group Policy client waits after a sign in before running scripts. - -By default, the Group Policy client waits 5 minutes before running logon scripts. This 5-minute wait helps create a responsive desktop environment by preventing disk contention. - -If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. - -If you disable this policy setting, Group Policy will run scripts immediately after a sign in. - -If you don't configure this policy setting, Group Policy will wait five minutes before running logon scripts. - - - - - -ADMX Info: -- GP Friendly name: *Configure Logon Script Delay* -- GP name: *LogonScriptDelay* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/NewGPODisplayName** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to set the default display name for new Group Policy objects. This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. @@ -1965,497 +2740,109 @@ This setting allows you to specify the default name for new Group Policy objects The display name can contain environment variables and can be a maximum of 255 characters long. If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set default name for new Group Policy objects* -- GP name: *NewGPODisplayName* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/NewGPOLinksDisabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NewGPODisplayName | +| Friendly Name | Set default name for new Group Policy objects | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NewGPOLinksDisabled -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPOLinksDisabled +``` + - - + + This policy setting allows you to create new Group Policy object links in the disabled state. -If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. +If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. -If you disable this setting or don't configure it, new Group Policy object links are created in the enabled state. If you don't want them to be effective until they're configured and tested, you must disable the object link. +If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Create new Group Policy Object links disabled by default* -- GP name: *NewGPOLinksDisabled* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_GroupPolicy/OnlyUseLocalAdminFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NewGPOLinksDisabled | +| Friendly Name | Create new Group Policy Object links disabled by default | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | NewGPOLinksDisabled | +| ADMX File Name | GroupPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting lets you always use local ADM files for the Group Policy snap-in. - -By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This edit-option allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO. - -This edit-option leads to the following behavior: - -- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files. -- If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. - -You can change this behavior by using this setting. - -If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. - -This pattern leads to the following behavior: - -If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. - -If you disable or don't configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. - -> [!NOTE] -> If the ADMs that you require aren't all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. - - - - - -ADMX Info: -- GP Friendly name: *Always use local ADM files for Group Policy Object Editor* -- GP name: *OnlyUseLocalAdminFiles* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/ProcessMitigationOptions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This security feature provides a means to override individual process MitigationOptions settings. This security feature can be used to enforce many security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: - -PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001): Enables data execution prevention (DEP) for the child process - -PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002): Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. - -PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004): Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. - -PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100): The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded. - -PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000),PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000): The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. - -For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: -???????????????0???????1???????1 - -Setting flags not specified here to any value other than ? results in undefined behavior. - - - - - -ADMX Info: -- GP Friendly name: *Process Mitigation Options* -- GP name: *ProcessMitigationOptions* -- GP path: *System\Mitigation Options* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/RSoPLogging** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. - -RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. - -If you enable this setting, RSoP logging is turned off. - -If you disable or don't configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. - -> [!NOTE] -> To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). - - - - - -ADMX Info: -- GP Friendly name: *Turn off Resultant Set of Policy logging* -- GP name: *RSoPLogging* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory. - - - - - -ADMX Info: -- GP Friendly name: *Enable AD/DFS domain controller synchronization during policy refresh* -- GP name: *ResetDfsClientInfoDuringRefreshPolicy* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. - -When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. - -> [!NOTE] -> When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). - -If you enable this policy, when Group Policy can't determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. - -If you disable this setting or don't configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. - - - - - -ADMX Info: -- GP Friendly name: *Configure Direct Access connections as a fast network connection* -- GP name: *SlowLinkDefaultForDirectAccess* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/SlowlinkDefaultToAsync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in) when a slow network connection is detected. - -If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. -Client computers won't wait for the network to be fully initialized at startup and sign in. Existing users will be signed in using cached credentials, which will result in shorter sign-in times. Group Policy will be applied in the background after the network becomes available. -Because this policy setting enables a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference extension won't be applied. - -> [!NOTE] -> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: -> -> - 1 - At the first computer startup after the client computer has joined the domain. -> - 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. - -If you disable or don't configure this policy setting, detecting a slow network connection won't affect whether Group Policy processing will be synchronous or asynchronous. - - - - - -ADMX Info: -- GP Friendly name: *Change Group Policy processing to run asynchronously when a slow network connection is detected.* -- GP name: *SlowlinkDefaultToAsync* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/SyncWaitTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer isn't blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. - -If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. - -If you disable or don't configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. - - - - - -ADMX Info: -- GP Friendly name: *Specify startup policy processing wait time* -- GP name: *SyncWaitTime* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - -**ADMX_GroupPolicy/UserPolicyMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who signs in to a computer affected by this setting. It's intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. - -By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. - -If you enable this setting, you can select one of the following modes from the Mode box: - -- "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. -- "Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. - -If you disable this setting or don't configure it, the user's Group Policy Objects determines which user settings apply. - -> [!NOTE] -> This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. - - - - - -ADMX Info: -- GP Friendly name: *Configure user Group Policy loopback processing mode* -- GP name: *UserPolicyMode* -- GP path: *System\Group Policy* -- GP ADMX file name: *GroupPolicy.admx* - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 81ea384cdc1d051ea0f0a715b6d5de45528821ed Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 21 Dec 2022 15:00:59 -0800 Subject: [PATCH 060/152] add win explorer csp --- .../mdm/policy-csp-admx-windowsexplorer.md | 7020 +++++++++-------- 1 file changed, 3910 insertions(+), 3110 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index f50c1a3948..9c89d2fe84 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,1945 +1,2511 @@ --- -title: Policy CSP - ADMX_WindowsExplorer -description: Policy CSP - ADMX_WindowsExplorer +title: ADMX_WindowsExplorer Policy CSP +description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/21/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/29/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsExplorer > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - + +## CheckSameSourceAndTargetForFRAndDFS -## ADMX_WindowsExplorer policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS -
    -
    - ADMX_WindowsExplorer/ClassicShell -
    -
    - ADMX_WindowsExplorer/ConfirmFileDelete -
    -
    - ADMX_WindowsExplorer/DefaultLibrariesLocation -
    -
    - ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage -
    -
    - ADMX_WindowsExplorer/DisableIndexedLibraryExperience -
    -
    - ADMX_WindowsExplorer/DisableKnownFolders -
    -
    - ADMX_WindowsExplorer/DisableSearchBoxSuggestions -
    -
    - ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath -
    -
    - ADMX_WindowsExplorer/EnableSmartScreen -
    -
    - ADMX_WindowsExplorer/EnforceShellExtensionSecurity -
    -
    - ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized -
    -
    - ADMX_WindowsExplorer/HideContentViewModeSnippets -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted -
    -
    - ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown -
    -
    - ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo -
    -
    - ADMX_WindowsExplorer/MaxRecentDocs -
    -
    - ADMX_WindowsExplorer/NoBackButton -
    -
    - ADMX_WindowsExplorer/NoCDBurning -
    -
    - ADMX_WindowsExplorer/NoCacheThumbNailPictures -
    -
    - ADMX_WindowsExplorer/NoChangeAnimation -
    -
    - ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators -
    -
    - ADMX_WindowsExplorer/NoDFSTab -
    -
    - ADMX_WindowsExplorer/NoDrives -
    -
    - ADMX_WindowsExplorer/NoEntireNetwork -
    -
    - ADMX_WindowsExplorer/NoFileMRU -
    -
    - ADMX_WindowsExplorer/NoFileMenu -
    -
    - ADMX_WindowsExplorer/NoFolderOptions -
    -
    - ADMX_WindowsExplorer/NoHardwareTab -
    -
    - ADMX_WindowsExplorer/NoManageMyComputerVerb -
    -
    - ADMX_WindowsExplorer/NoMyComputerSharedDocuments -
    -
    - ADMX_WindowsExplorer/NoNetConnectDisconnect -
    -
    - ADMX_WindowsExplorer/NoNewAppAlert -
    -
    - ADMX_WindowsExplorer/NoPlacesBar -
    -
    - ADMX_WindowsExplorer/NoRecycleFiles -
    -
    - ADMX_WindowsExplorer/NoRunAsInstallPrompt -
    -
    - ADMX_WindowsExplorer/NoSearchInternetTryHarderButton -
    -
    - ADMX_WindowsExplorer/NoSecurityTab -
    -
    - ADMX_WindowsExplorer/NoShellSearchButton -
    -
    - ADMX_WindowsExplorer/NoStrCmpLogical -
    -
    - ADMX_WindowsExplorer/NoViewContextMenu -
    -
    - ADMX_WindowsExplorer/NoViewOnDrive -
    -
    - ADMX_WindowsExplorer/NoWindowsHotKeys -
    -
    - ADMX_WindowsExplorer/NoWorkgroupContents -
    -
    - ADMX_WindowsExplorer/PlacesBar -
    -
    - ADMX_WindowsExplorer/PromptRunasInstallNetPath -
    -
    - ADMX_WindowsExplorer/RecycleBinSize -
    -
    - ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 -
    -
    - ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 -
    -
    - ADMX_WindowsExplorer/ShowHibernateOption -
    -
    - ADMX_WindowsExplorer/ShowSleepOption -
    -
    - ADMX_WindowsExplorer/TryHarderPinnedLibrary -
    -
    - ADMX_WindowsExplorer/TryHarderPinnedOpenSearch -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS +``` + - -
    - - -**ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. -If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files aren't copied or deleted. The temporary file is deleted. +If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. -> [!NOTE] -> If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. +Note: If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Verify old and new Folder Redirection targets point to the same share before redirecting* -- GP name: *CheckSameSourceAndTargetForFRAndDFS* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_WindowsExplorer/ClassicShell** +| Name | Value | +|:--|:--| +| Name | CheckSameSourceAndTargetForFRAndDFS_DisplayName | +| Friendly Name | Verify old and new Folder Redirection targets point to the same share before redirecting | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | CheckSameSourceAndTargetForFRAndDFS | +| ADMX File Name | WindowsExplorer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DefaultLibrariesLocation - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DefaultLibrariesLocation +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DefaultLibrariesLocation +``` + - - -This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. - -If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. - -Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. - -If you disable or not configure this policy, the default File Explorer behavior is applied to the user. - - - - - -ADMX Info: -- GP Friendly name: *Turn on Classic Shell* -- GP name: *ClassicShell* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/ConfirmFileDelete** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. - -If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. - -If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. - - - - -ADMX Info: -- GP Friendly name: *Display confirmation dialog when deleting files* -- GP name: *ConfirmFileDelete* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/DefaultLibrariesLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. + - + + + - -ADMX Info: -- GP Friendly name: *Location where all default Library definition files for users/machines reside.* -- GP name: *DefaultLibrariesLocation* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DefaultLibrariesLocation | +| Friendly Name | Location where all default Library definition files for users/machines reside. | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## DisableBindDirectlyToPropertySetStorage -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +``` -This behavior is consistent with Windows Vista's behavior in this scenario. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +``` + + + + +Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This behavior is consistent with Windows Vista's behavior in this scenario. This disables access to user-defined properties, and properties stored in NTFS secondary streams. + - + + + - -ADMX Info: -- GP Friendly name: *Disable binding directly to IPropertySetStorage without intermediate layers.* -- GP name: *DisableBindDirectlyToPropertySetStorage* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/DisableIndexedLibraryExperience** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableBindDirectlyToPropertySetStorage_DisplayName | +| Friendly Name | Disable binding directly to IPropertySetStorage without intermediate layers. | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableBindDirectlyToPropertySetStorage | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## EnableShellShortcutIconRemotePath -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath +``` + -If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. - -Setting this policy will: - -- Disable all Arrangement views except for "By Folder" -- Disable all Search filter suggestions other than "Date Modified" and "Size" -- Disable view of file content snippets in Content mode when search results are returned -- Disable ability to stack in the Context menu and Column headers -- Exclude Libraries from the scope of Start search This policy will not enable users to add unsupported locations to Libraries - -If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. - -If you disable or do not configure this policy, all default Windows Libraries features will be enabled. - - - - -ADMX Info: -- GP Friendly name: *Turn off Windows Libraries features that rely on indexed file data* -- GP name: *DisableIndexedLibraryExperience* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - - -
    - - -**ADMX_WindowsExplorer/DisableKnownFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to specify a list of known folders that should be disabled. - -Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. - -You can specify a known folder using its known folder ID or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. - -> [!NOTE] -> Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. - - - - - -ADMX Info: -- GP Friendly name: *Disable Known Folders* -- GP name: *DisableKnownFolders* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/DisableSearchBoxSuggestions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. - -File Explorer shows suggestion pop-ups as users type into the Search Box. - -These suggestions are based on their past entries into the Search Box. - -> [!NOTE] -> If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. - - - - - -ADMX Info: -- GP Friendly name: *Turn off display of recent search entries in the File Explorer search box* -- GP name: *DisableSearchBoxSuggestions* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - - -
    - - -**ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. -- If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. -- If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. +If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. -> [!NOTE] -> Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. +If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. - +Note: Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. + + + + - -ADMX Info: -- GP Friendly name: *Allow the use of remote paths in file shortcut icons* -- GP name: *EnableShellShortcutIconRemotePath* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/EnableSmartScreen** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableShellShortcutIconRemotePath_DisplayName | +| Friendly Name | Allow the use of remote paths in file shortcut icons | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | EnableShellShortcutIconRemotePath | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableSmartScreen -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnableSmartScreen +``` + - - + + This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: -- Warn and prevent bypass -- Warn +• Warn and prevent bypass +• Warn -If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. +If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. + +If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. + - + + +For more information, see [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview). - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *EnableSmartScreen* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/EnforceShellExtensionSecurity** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | EnableSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableSmartScreen | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## ExplorerRibbonStartsMinimized - - -This setting is designed to ensure that shell extensions can operate on a per-user basis. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +``` + + + + +This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ExplorerRibbonStartsMinimized_DisplayName | +| Friendly Name | Start File Explorer with ribbon minimized | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ExplorerRibbonStartsMinimized | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_Internet + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_InternetLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_Intranet + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_IntranetLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_LocalMachine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_LocalMachineLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_Restricted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_RestrictedLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_Trusted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchPreview_TrustedLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +``` + + + + +This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchPreview | +| Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| Registry Value Name | 180F | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_Internet + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_InternetLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_Intranet + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_IntranetLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_LocalMachine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_LocalMachineLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_Restricted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_RestrictedLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_Trusted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## IZ_Policy_OpenSearchQuery_TrustedLockdown + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +``` + + + + +This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_OpenSearchQuery | +| Friendly Name | Allow OpenSearch queries in File Explorer | +| Location | Computer and User Configuration | +| Path | IZ_SecurityPage > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| Registry Value Name | 180E | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## NoNewAppAlert + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoNewAppAlert +``` + + + + +This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:) + +If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoNewAppAlert | +| Friendly Name | Do not show the 'new application installed' notification | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoNewAppAlert | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## NoStrCmpLogical + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical +``` + + + + +This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. +If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). +If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoStrCmpLogical_DisplayName | +| Friendly Name | Turn off numerical sorting in File Explorer | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStrCmpLogical | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ShellProtocolProtectedModeTitle_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +``` + + + + +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + +If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. + +If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + +If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellProtocolProtectedModeTitle | +| Friendly Name | Turn off shell protocol protected mode | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreXPSP2ShellProtocolBehavior | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ShowHibernateOption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowHibernateOption +``` + + + + +Shows or hides hibernate from the power options menu. + +If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. + +If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowHibernateOption | +| Friendly Name | Show hibernate in the power options menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowHibernateOption | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ShowSleepOption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowSleepOption +``` + + + + +Shows or hides sleep from the power options menu. + +If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +If you disable this policy setting, the sleep option will never be shown in the Power Options menu. + +If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowSleepOption | +| Friendly Name | Show sleep in the power options menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowSleepOption | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ClassicShell + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ClassicShell +``` + + + + +This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. + +If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. + +If you disable or not configure this policy, the default File Explorer behavior is applied to the user. + +Note: In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. + +Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ClassicShell | +| Friendly Name | Turn on Classic Shell | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClassicShell | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ConfirmFileDelete + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ConfirmFileDelete +``` + + + + +Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. + +If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. + +If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfirmFileDelete | +| Friendly Name | Display confirmation dialog when deleting files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ConfirmFileDelete | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## DisableIndexedLibraryExperience + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableIndexedLibraryExperience +``` + + + + +This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. +Setting this policy will: +* Disable all Arrangement views except for "By Folder" +* Disable all Search filter suggestions other than "Date Modified" and "Size" +* Disable view of file content snippets in Content mode when search results are returned +* Disable ability to stack in the Context menu and Column headers +* Exclude Libraries from the scope of Start search +This policy will not enable users to add unsupported locations to Libraries. + +If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. +If you disable or do not configure this policy, all default Windows Libraries features will be enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableIndexedLibraryExperience_DisplayName | +| Friendly Name | Turn off Windows Libraries features that rely on indexed file data | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableIndexedLibraryExperience | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## DisableKnownFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableKnownFolders +``` + + + + +This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. + +You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. + +Note: Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableKnownFolders_DisplayName | +| Friendly Name | Disable Known Folders | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableKnownFolders | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## DisableSearchBoxSuggestions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableSearchBoxSuggestions +``` + + + + +Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. + +File Explorer shows suggestion pop-ups as users type into the Search Box. These suggestions are based on their past entries into the Search Box. + +Note: If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSearchBoxSuggestions_DisplayName | +| Friendly Name | Turn off display of recent search entries in the File Explorer search box | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableSearchBoxSuggestions | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## EnforceShellExtensionSecurity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnforceShellExtensionSecurity +``` + + + + +This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. + +A shell extension only runs if there is an entry in at least one of the following locations in registry. For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow only per user or approved shell extensions* -- GP name: *EnforceShellExtensionSecurity* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnforceShellExtensionSecurity | +| Friendly Name | Allow only per user or approved shell extensions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | EnforceShellExtensionSecurity | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HideContentViewModeSnippets -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/HideContentViewModeSnippets +``` + - - -This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. - -If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. - -If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. - - - - - -ADMX Info: -- GP Friendly name: *Start File Explorer with ribbon minimized* -- GP name: *ExplorerRibbonStartsMinimized* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/HideContentViewModeSnippets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to turn off the display of snippets in Content view mode. -- If you enable this policy setting, File Explorer will not display snippets in Content view mode. -- If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the display of snippets in Content view mode* -- GP name: *HideContentViewModeSnippets* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Internet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_InternetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Intranet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_IntranetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_LocalMachine* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_LocalMachineLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Restricted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_RestrictedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_Trusted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. - -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. - -Changes to this setting may not be applied until the user logs off from Windows. - - - - - -ADMX Info: -- GP Friendly name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* -- GP name: *IZ_Policy_OpenSearchPreview_TrustedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Internet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_InternetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Intranet* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_IntranetLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_LocalMachine* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_LocalMachineLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Restricted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_RestrictedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_Trusted* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. - -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. - -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. - - - - - -ADMX Info: -- GP Friendly name: *Allow OpenSearch queries in File Explorer* -- GP name: *IZ_Policy_OpenSearchQuery_TrustedLockdown* -- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - +If you enable this policy setting, File Explorer will not display snippets in Content view mode. + +If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideContentViewModeSnippets_DisplayName | +| Friendly Name | Turn off the display of snippets in Content view mode | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideContentViewModeSnippets | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## LinkResolveIgnoreLinkInfo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo +``` + + + + This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. @@ -1947,242 +2513,312 @@ Shortcut files typically include an absolute path to the original target file as If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not track Shell shortcuts during roaming* -- GP name: *LinkResolveIgnoreLinkInfo* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/MaxRecentDocs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LinkResolveIgnoreLinkInfo | +| Friendly Name | Do not track Shell shortcuts during roaming | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | LinkResolveIgnoreLinkInfo | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MaxRecentDocs -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/MaxRecentDocs +``` + - - -This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. + + +"This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. + +The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. -If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents. +If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents." + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Maximum number of recent documents* -- GP name: *MaxRecentDocs* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoBackButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxRecentDocs | +| Friendly Name | Maximum number of recent documents | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoBackButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoBackButton +``` + - - -Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. + + +Hide the Back button in the Open dialog box. + +This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. If you enable this policy setting, the Back button is removed from the standard Open dialog box. -If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. +If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. - +To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. +Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. + - -ADMX Info: -- GP Friendly name: *Hide the common dialog back button* -- GP name: *NoBackButton* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoCDBurning** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoBackButton | +| Friendly Name | Hide the common dialog back button | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 | +| Registry Value Name | NoBackButton | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoCacheThumbNailPictures - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoCacheThumbNailPictures +``` + + + + +This policy setting allows you to turn off caching of thumbnail pictures. + +If you enable this policy setting, thumbnail views are not cached. + +If you disable or do not configure this policy setting, thumbnail views are cached. + +Note: For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoCacheThumbNailPictures | +| Friendly Name | Turn off caching of thumbnail pictures | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoThumbnailCache | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## NoCDBurning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoCDBurning +``` + + + + This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. -> [!NOTE] -> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. +Note: This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove CD Burning features* -- GP name: *NoCDBurning* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoCacheThumbNailPictures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoCDBurning | +| Friendly Name | Remove CD Burning features | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoCDBurning | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoChangeAnimation -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoChangeAnimation +``` + - - -This policy setting allows you to turn off caching of thumbnail pictures. - -If you enable this policy setting, thumbnail views aren't cached. - -If you disable or do not configure this policy setting, thumbnail views are cached. - -> [!NOTE] -> For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. - - - - - -ADMX Info: -- GP Friendly name: *Turn off caching of thumbnail pictures* -- GP name: *NoCacheThumbNailPictures* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/NoChangeAnimation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. @@ -2190,192 +2826,250 @@ If you enable this policy setting, the "Use transition effects for menus and too Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove UI to change menu animation setting* -- GP name: *NoChangeAnimation* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoChangeAnimation | +| Friendly Name | Remove UI to change menu animation setting | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeAnimation | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoChangeKeyboardNavigationIndicators -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators +``` + - - -Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. + + +Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. + +When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove UI to change keyboard navigation indicator setting* -- GP name: *NoChangeKeyboardNavigationIndicators* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoDFSTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoChangeKeyboardNavigationIndicators | +| Friendly Name | Remove UI to change keyboard navigation indicator setting | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeKeyboardNavigationIndicators | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoDFSTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoDFSTab +``` + - - + + This policy setting allows you to remove the DFS tab from File Explorer. -If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. +If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. + +This policy setting does not prevent users from using other methods to configure DFS. If you disable or do not configure this policy setting, the DFS tab is available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove DFS tab* -- GP name: *NoDFSTab* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoDrives** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDFSTab | +| Friendly Name | Remove DFS tab | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDFSTab | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoDrives -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoDrives +``` + - - + + This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. If you enable this policy setting, select a drive or combination of drives in the drop-down list. -> [!NOTE] -> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +Note: This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. -If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. +Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. - +If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. +Also, see the "Prevent access to drives from My Computer" policy setting. + - -ADMX Info: -- GP Friendly name: *Hide these specified drives in My Computer* -- GP name: *NoDrives* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoEntireNetwork** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoDrives | +| Friendly Name | Hide these specified drives in My Computer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoEntireNetwork - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoEntireNetwork +``` + + + + Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. @@ -2384,143 +3078,184 @@ This setting does not prevent users from viewing or connecting to computers in t To remove computers in the user's workgroup or domain from lists of network resources, use the "No Computers Near Me in Network Locations" setting. -> [!NOTE] -> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *No Entire Network in Network Locations* -- GP name: *NoEntireNetwork* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoFileMRU** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoEntireNetwork | +| Friendly Name | No Entire Network in Network Locations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Network | +| Registry Value Name | NoEntireNetwork | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoFileMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoFileMenu +``` + - - + + +Removes the File menu from My Computer and File Explorer. + +This setting does not prevent users from using other methods to perform tasks available on the File menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoFileMenu | +| Friendly Name | Remove File menu from File Explorer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFileMenu | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## NoFileMRU + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoFileMRU +``` + + + + Removes the list of most recently used files from the Open dialog box. If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. -To see an example of the standard Open dialog box, start WordPad and, on the **File** menu, click **Open**. +To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. - +Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - -ADMX Info: -- GP Friendly name: *Hide the dropdown list of recent files* -- GP name: *NoFileMRU* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoFileMenu** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoFileMRU | +| Friendly Name | Hide the dropdown list of recent files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 | +| Registry Value Name | NoFileMru | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoFolderOptions - - -Removes the File menu from My Computer and File Explorer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -This setting does not prevent users from using other methods to perform tasks available on the File menu. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoFolderOptions +``` + - - - - -ADMX Info: -- GP Friendly name: *Remove File menu from File Explorer* -- GP name: *NoFileMenu* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/NoFolderOptions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. @@ -2528,762 +3263,866 @@ Folder Options allows users to change the way files and folders open, what appea If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon* -- GP name: *NoFolderOptions* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoHardwareTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFolderOptions | +| Friendly Name | Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFolderOptions | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoHardwareTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoHardwareTab +``` + - - -Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. + + +Removes the Hardware tab. - +This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. + + + + - -ADMX Info: -- GP Friendly name: *Remove Hardware tab* -- GP name: *NoHardwareTab* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WindowsExplorer/NoManageMyComputerVerb** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoHardwareTab | +| Friendly Name | Remove Hardware tab | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoHardwareTab | +| ADMX File Name | WindowsExplorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoManageMyComputerVerb -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoManageMyComputerVerb +``` + + + + Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. -> [!NOTE] -> To hide all context menus, use the "Remove File Explorer's default context menu" setting. +Tip: To hide all context menus, use the "Remove File Explorer's default context menu" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hides the Manage item on the File Explorer context menu* -- GP name: *NoManageMyComputerVerb* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoMyComputerSharedDocuments** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoManageMyComputerVerb | +| Friendly Name | Hides the Manage item on the File Explorer context menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoManageMyComputerVerb | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoMyComputerSharedDocuments -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoMyComputerSharedDocuments +``` + - - -This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. + + +This policy setting allows you to remove the Shared Documents folder from My Computer. -- If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. -- If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. +When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. +If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. - +If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. - -ADMX Info: -- GP Friendly name: *Remove Shared Documents from My Computer* -- GP name: *NoMyComputerSharedDocuments* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +Note: The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. + - - -
    + + + - -**ADMX_WindowsExplorer/NoNetConnectDisconnect** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoMyComputerSharedDocuments | +| Friendly Name | Remove Shared Documents from My Computer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSharedDocuments | +| ADMX File Name | WindowsExplorer.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## NoNetConnectDisconnect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoNetConnectDisconnect +``` + + + + Prevents users from using File Explorer or Network Locations to map or disconnect network drives. -If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the **File Explorer** or **Network Locations** icons. +If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. -> [!NOTE] -> This setting was documented incorrectly on the Explain tab in MDM Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. -> -> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +Note: - +This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - -ADMX Info: -- GP Friendly name: *Remove "Map Network Drive" and "Disconnect Network Drive"* -- GP name: *NoNetConnectDisconnect* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoNewAppAlert** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoNetConnectDisconnect | +| Friendly Name | Remove "Map Network Drive" and "Disconnect Network Drive" | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNetConnectDisconnect | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## NoPlacesBar - - -This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If this MDM Policy is enabled, no notifications will be shown. If the MDM Policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoPlacesBar +``` + - + + +Removes the shortcut bar from the Open dialog box. +This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. - -ADMX Info: -- GP Friendly name: *Do not show the 'new application installed' notification* -- GP name: *NoNewAppAlert* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. - - -
    +Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + - -**ADMX_WindowsExplorer/NoPlacesBar** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | NoPlacesBar | +| Friendly Name | Hide the common dialog places bar | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 | +| Registry Value Name | NoPlacesBar | +| ADMX File Name | WindowsExplorer.admx | + -
    + + + - - -Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + -To see an example of the standard Open dialog box, start WordPad and, on the **File** menu, click **Open**. + +## NoRecycleFiles - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoRecycleFiles +``` + - -ADMX Info: -- GP Friendly name: *Hide the common dialog places bar* -- GP name: *NoPlacesBar* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/NoRecycleFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not move deleted files to the Recycle Bin* -- GP name: *NoRecycleFiles* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoRunAsInstallPrompt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRecycleFiles | +| Friendly Name | Do not move deleted files to the Recycle Bin | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRecycleFiles | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoRunAsInstallPrompt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoRunAsInstallPrompt +``` + - - + + Prevents users from submitting alternate logon credentials to install a program. -This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who aren't administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. +This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. -By default, users aren't prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. +By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not request alternate credentials* -- GP name: *NoRunAsInstallPrompt* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoSearchInternetTryHarderButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRunAsInstallPrompt | +| Friendly Name | Do not request alternate credentials | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRunasInstallPrompt | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSearchInternetTryHarderButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoSearchInternetTryHarderButton +``` + - - + + If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove the Search the Internet "Search again" link* -- GP name: *NoSearchInternetTryHarderButton* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoSecurityTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSearchInternetTryHarderButton | +| Friendly Name | Remove the Search the Internet "Search again" link | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoSearchInternetTryHarderButton | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSecurityTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoSecurityTab +``` + - - + + Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. If you disable or do not configure this setting, users will be able to access the security tab. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Security tab* -- GP name: *NoSecurityTab* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoShellSearchButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSecurityTab | +| Friendly Name | Remove Security tab | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSecurityTab | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoShellSearchButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoShellSearchButton +``` + - - -This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. + + +This policy setting allows you to remove the Search button from the File Explorer toolbar. + +If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. + +Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Search button from File Explorer* -- GP name: *NoShellSearchButton* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoStrCmpLogical** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoShellSearchButton | +| Friendly Name | Remove Search button from File Explorer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoShellSearchButton | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoViewContextMenu -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoViewContextMenu +``` + - - -This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. - -If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). - -If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). - - - - - -ADMX Info: -- GP Friendly name: *Turn off numerical sorting in File Explorer* -- GP name: *NoStrCmpLogical* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/NoViewContextMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove File Explorer's default context menu* -- GP name: *NoViewContextMenu* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoViewOnDrive** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoViewContextMenu | +| Friendly Name | Remove File Explorer's default context menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoViewContextMenu | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoViewOnDrive -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoViewOnDrive +``` + - - + + Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents (open the files in the folders or see the files in the folders). Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. -> [!NOTE] -> The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. -> -> Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting. +Note: The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. - +Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. +Also, see the "Hide these specified drives in My Computer" setting. + - -ADMX Info: -- GP Friendly name: *Prevent access to drives from My Computer* -- GP name: *NoViewOnDrive* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WindowsExplorer/NoWindowsHotKeys** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoViewOnDrive | +| Friendly Name | Prevent access to drives from My Computer | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoWindowsHotKeys - - -Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -By using this setting, you can disable these Windows Key hotkeys. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoWindowsHotKeys +``` + + + + +Turn off Windows Key hotkeys. + +Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disable these Windows Key hotkeys. If you enable this setting, the Windows Key hotkeys are unavailable. If you disable or do not configure this setting, the Windows Key hotkeys are available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Key hotkeys* -- GP name: *NoWindowsHotKeys* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/NoWorkgroupContents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWindowsHotKeys | +| Friendly Name | Turn off Windows Key hotkeys | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWinKeys | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWorkgroupContents -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoWorkgroupContents +``` + - - + + This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. @@ -3293,106 +4132,136 @@ If you disable or do not configure this policy setting, computers in the user's This policy setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box. To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *No Computers Near Me in Network Locations* -- GP name: *NoWorkgroupContents* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/PlacesBar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWorkgroupContents | +| Friendly Name | No Computers Near Me in Network Locations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoComputersNearMe | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PlacesBar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/PlacesBar +``` + - - + + Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: -1. Shortcuts to a local folders -- (example: `C:\Windows`) -2. Shortcuts to remote folders -- (`\\server\share`) -3. FTP folders -4. web folders -5. Common Shell folders. +1) Shortcuts to a local folders -- (ex. C:\Windows) + +2) Shortcuts to remote folders -- (\\server\share) + +3) FTP folders + +4) web folders + +5) Common Shell folders. The list of Common Shell Folders that may be specified: -Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments, and Saved Searches. +Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. +Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Items displayed in Places Bar* -- GP name: *PlacesBar* -- GP path: *Windows Components\File Explorer\Common Open File Dialog* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/PromptRunasInstallNetPath** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PlacesBar | +| Friendly Name | Items displayed in Places Bar | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Common Open File Dialog | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PromptRunasInstallNetPath -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/PromptRunasInstallNetPath +``` + - - + + Prompts users for alternate logon credentials during network-based installations. This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. @@ -3401,373 +4270,304 @@ If you disable this setting or do not configure it, this dialog box appears only The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. -If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions aren't sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. +If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. -> [!NOTE] -> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users aren't prompted for alternate logon credentials on any installation. +Note: If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Request credentials for network installations* -- GP name: *PromptRunasInstallNetPath* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/RecycleBinSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PromptRunasInstallNetPath | +| Friendly Name | Request credentials for network installations | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PromptRunasInstallNetPath | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RecycleBinSize -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/RecycleBinSize +``` + - - + + Limits the percentage of a volume's disk space that can be used to store deleted files. If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. -> [!NOTE] -> This setting is applied to all volumes. +Note: This setting is applied to all volumes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Maximum allowed Recycle Bin size* -- GP name: *RecycleBinSize* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RecycleBinSize | +| Friendly Name | Maximum allowed Recycle Bin size | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellProtocolProtectedModeTitle_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 +``` + - - -This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications aren't able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + + +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off shell protocol protected mode* -- GP name: *ShellProtocolProtectedModeTitle_1* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellProtocolProtectedModeTitle | +| Friendly Name | Turn off shell protocol protected mode | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreXPSP2ShellProtocolBehavior | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TryHarderPinnedLibrary -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/TryHarderPinnedLibrary +``` + - - -This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications aren't able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. - -If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. - -If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. - -If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. - - - - - -ADMX Info: -- GP Friendly name: *Turn off shell protocol protected mode* -- GP name: *ShellProtocolProtectedModeTitle_2* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/ShowHibernateOption** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Shows or hides hibernate from the power options menu. - -If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). - -If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. - -If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. - - - - - -ADMX Info: -- GP Friendly name: *Show hibernate in the power options menu* -- GP name: *ShowHibernateOption* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/ShowSleepOption** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Shows or hides sleep from the power options menu. - -If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). - -If you disable this policy setting, the sleep option will never be shown in the Power Options menu. - -If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. - - - - - -ADMX Info: -- GP Friendly name: *Show sleep in the power options menu* -- GP name: *ShowSleepOption* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* - - - -
    - - -**ADMX_WindowsExplorer/TryHarderPinnedLibrary** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Pin Libraries or Search Connectors to the "Search again" links and the Start menu* -- GP name: *TryHarderPinnedLibrary* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WindowsExplorer/TryHarderPinnedOpenSearch** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TryHarderPinnedLibrary | +| Friendly Name | Pin Libraries or Search Connectors to the "Search again" links and the Start menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TryHarderPinnedLibrary | +| ADMX File Name | WindowsExplorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TryHarderPinnedOpenSearch -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/TryHarderPinnedOpenSearch +``` + - - -This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`). + + +This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, {searchTerms}). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. -The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via MDM Policy. The "Search the Internet" link is pinned second, if it is pinned via MDM Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" MDM Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. +The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. + - + + + + +**Description framework properties**: - -ADMX Info: ] -- GP Friendly name: *Pin Internet search sites to the "Search again" links and the Start menu* -- GP name: *TryHarderPinnedOpenSearch* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | TryHarderPinnedOpenSearch | +| Friendly Name | Pin Internet search sites to the "Search again" links and the Start menu | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TryHarderPinnedOpenSearch | +| ADMX File Name | WindowsExplorer.admx | + - + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 95c80c07d239164d3e7bd92161f0fda432492282 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 22 Dec 2022 11:27:10 -0800 Subject: [PATCH 061/152] add windowsconnectnow csp --- .../mdm/policy-csp-admx-windowsconnectnow.md | 333 ++++++++++-------- 1 file changed, 179 insertions(+), 154 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 046317d948..46f5bb92e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -1,199 +1,224 @@ --- -title: Policy CSP - ADMX_WindowsConnectNow -description: Policy CSP - ADMX_WindowsConnectNow +title: ADMX_WindowsConnectNow Policy CSP +description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/22/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/28/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsConnectNow + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WindowsConnectNow policies + +## WCN_DisableWcnUi_2 -
    -
    - ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 -
    -
    - ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 -
    -
    - ADMX_WindowsConnectNow/WCN_EnableRegistrar -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_DisableWcnUi_2 +``` + -
    - - -**ADMX_WindowsConnectNow/WCN_DisableWcnUi_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prohibits access to Windows Connect Now (WCN) wizards. -- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. +If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. +If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + -- If you disable or don't configure this policy setting, users can access the wizard tasks. + + + -They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prohibit access of the Windows Connect Now wizards* -- GP name: *WCN_DisableWcnUi_1* -- GP path: *Network\Windows Connect Now* -- GP ADMX file name: *WindowsConnectNow.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_WindowsConnectNow/WCN_DisableWcnUi_2** +| Name | Value | +|:--|:--| +| Name | WCN_DisableWcnUi | +| Friendly Name | Prohibit access of the Windows Connect Now wizards | +| Location | Computer Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\UI | +| Registry Value Name | DisableWcnUi | +| ADMX File Name | WindowsConnectNow.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## WCN_EnableRegistrar - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_EnableRegistrar +``` + -
    - - - -This policy setting prohibits access to Windows Connect Now (WCN) wizards. - -- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. - -All the configuration-related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. - -- If you disable or don't configure this policy setting, users can access the wizard tasks. - -They are "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit access of the Windows Connect Now wizards* -- GP name: *WCN_DisableWcnUi_2* -- GP path: *Network\Windows Connect Now* -- GP ADMX file name: *WindowsConnectNow.admx* - - - -
    - - -**ADMX_WindowsConnectNow/WCN_EnableRegistrar** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. -More options are available to allow discovery and configuration over a specific medium. +Additional options are available to allow discovery and configuration over a specific medium. -- If you enable this policy setting, more choices are available to turn off the operations over a specific medium. -- If you disable this policy setting, operations are disabled over all media. +If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. -If you don't configure this policy setting, operations are enabled over all media. +If you disable this policy setting, operations are disabled over all media. + +If you do not configure this policy setting, operations are enabled over all media. The default for this policy setting allows operations over all media. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configuration of wireless settings using Windows Connect Now* -- GP name: *WCN_EnableRegistrar* -- GP path: *Network\Windows Connect Now* -- GP ADMX file name: *WindowsConnectNow.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WCN_EnableRegistrar | +| Friendly Name | Configuration of wireless settings using Windows Connect Now | +| Location | Computer Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\Registrars | +| Registry Value Name | EnableRegistrars | +| ADMX File Name | WindowsConnectNow.admx | + - + + + + + + +## WCN_DisableWcnUi_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 +``` + + + + +This policy setting prohibits access to Windows Connect Now (WCN) wizards. + +If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. + +If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WCN_DisableWcnUi | +| Friendly Name | Prohibit access of the Windows Connect Now wizards | +| Location | User Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\UI | +| Registry Value Name | DisableWcnUi | +| ADMX File Name | WindowsConnectNow.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 29d933aecfb7bdd2d18aef33ddf9d03028d0731b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 22 Dec 2022 11:28:37 -0800 Subject: [PATCH 062/152] add admx_wincal csp --- .../mdm/policy-csp-admx-wincal.md | 216 ++++++++++-------- 1 file changed, 120 insertions(+), 96 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index edc0cee9ca..da49521c40 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -1,138 +1,162 @@ --- -title: Policy CSP - ADMX_WinCal -description: Policy CSP - ADMX_WinCal +title: ADMX_WinCal Policy CSP +description: Learn more about the ADMX_WinCal Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/22/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/28/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WinCal + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WinCal policies + +## TurnOffWinCal_2 -
    -
    - ADMX_WinCal/TurnOffWinCal_1 -
    -
    - ADMX_WinCal/TurnOffWinCal_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinCal/TurnOffWinCal_2 +``` + -
    - - -**ADMX_WinCal/TurnOffWinCal_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. -- If you enable this setting, Windows Calendar will be turned off. -- If you disable or do not configure this setting, Windows Calendar will be turned on. +If you enable this setting, Windows Calendar will be turned off. + +If you disable or do not configure this setting, Windows Calendar will be turned on. The default is for Windows Calendar to be turned on. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Windows Calendar* -- GP name: *TurnOffWinCal_1* -- GP path: *Windows Components\Windows Calendar* -- GP ADMX file name: *WinCal.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WinCal/TurnOffWinCal_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TurnOffWinCal | +| Friendly Name | Turn off Windows Calendar | +| Location | Computer Configuration | +| Path | Windows Components > Windows Calendar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Windows | +| Registry Value Name | TurnOffWinCal | +| ADMX File Name | WinCal.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffWinCal_1 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinCal/TurnOffWinCal_1 +``` + - - + + Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. -- If you enable this setting, Windows Calendar will be turned off. -- If you disable or do not configure this setting, Windows Calendar will be turned on. +If you enable this setting, Windows Calendar will be turned off. + +If you disable or do not configure this setting, Windows Calendar will be turned on. The default is for Windows Calendar to be turned on. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Calendar* -- GP name: *TurnOffWinCal_2* -- GP path: *Windows Components\Windows Calendar* -- GP ADMX file name: *WinCal.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | TurnOffWinCal | +| Friendly Name | Turn off Windows Calendar | +| Location | User Configuration | +| Path | Windows Components > Windows Calendar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Windows | +| Registry Value Name | TurnOffWinCal | +| ADMX File Name | WinCal.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 42b2d58b6e31e724b5f0c0dbb66948ff91cb0a5e Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 22 Dec 2022 11:31:28 -0800 Subject: [PATCH 063/152] add admx_wdi csp --- .../mdm/policy-csp-admx-wdi.md | 227 ++++++++++-------- 1 file changed, 124 insertions(+), 103 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index 97629732ad..2bcd87284a 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,147 +1,168 @@ --- -title: Policy CSP - ADMX_WDI -description: Learn about Policy CSP - ADMX_WDI. +title: ADMX_WDI Policy CSP +description: Learn more about the ADMX_WDI Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/22/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WDI -
    - - -## ADMX_WDI policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_WDI/WdiDpsScenarioExecutionPolicy -
    -
    - ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy -
    -
    + + + + +## WdiDpsScenarioDataSizeLimitPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_WDI/WdiDpsScenarioExecutionPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. -If you disable or don't configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. ->[!NOTE] -> This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenario data won't be deleted. -> -> The DPS can be configured with the Services snap-in to the Microsoft Management Console. +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. - +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenario data will not be deleted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - -ADMX Info: -- GP Friendly name: *Diagnostics: Configure scenario retention* -- GP name: *WdiDpsScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics* -- GP ADMX file name: *WDI.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | WdiDpsScenarioDataSizeLimitPolicy | +| Friendly Name | Diagnostics: Configure scenario retention | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI | +| Registry Value Name | DataRetentionBySizeEnabled | +| ADMX File Name | WDI.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## WdiDpsScenarioExecutionPolicy - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WDI/WdiDpsScenarioExecutionPolicy +``` + + + + This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. -If you enable this policy setting, you must select an execution level from the drop-down menu. +If you enable this policy setting, you must select an execution level from the drop-down menu. If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. -- If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. -- If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. +If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. -If you disable this policy setting, Windows can't detect, troubleshoot, or resolve any problems that are handled by the DPS. +If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. -If you don't configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it's enabled or disabled. Scenario-specific policy settings only take effect if this policy setting isn't configured. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. - +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + - -ADMX Info: -- GP Friendly name: *Diagnostics: Configure scenario execution level* -- GP name: *WdiDpsScenarioDataSizeLimitPolicy* -- GP path: *System\Troubleshooting and Diagnostics* -- GP ADMX file name: *WDI.admx* + + + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiDpsScenarioExecutionPolicy | +| Friendly Name | Diagnostics: Configure scenario execution level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | WDI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 892cefb2f57ab74cdab4ff01e7812b84b6faeb3f Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 22 Dec 2022 11:33:43 -0800 Subject: [PATCH 064/152] add admx_wcm csp --- .../mdm/policy-csp-admx-wcm.md | 296 ++++++++++-------- 1 file changed, 162 insertions(+), 134 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 4a75b6002b..e8d98b99a4 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -1,118 +1,109 @@ --- -title: Policy CSP - ADMX_WCM -description: Learn about Policy CSP - ADMX_WCM. +title: ADMX_WCM Policy CSP +description: Learn more about the ADMX_WCM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/22/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WCM + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_WCM policies + +## WCM_DisablePowerManagement -
    -
    - ADMX_WCM/WCM_DisablePowerManagement -
    -
    - ADMX_WCM/WCM_EnableSoftDisconnect -
    -
    - ADMX_WCM/WCM_MinimizeConnections -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WCM/WCM_DisablePowerManagement +``` + -
    - - -**ADMX_WCM/WCM_DisablePowerManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies that power management is disabled when the machine enters connected standby mode. -If this policy setting is enabled, Windows Connection Manager doesn't manage adapter radios to reduce power consumption when the machine enters connected standby mode. +If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. -If this policy setting isn't configured or is disabled, power management is enabled when the machine enters connected standby mode. +If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. + - + + + - -ADMX Info: -- GP Friendly name: *Disable power management in connected standby mode* -- GP name: *WCM_DisablePowerManagement* -- GP path: *Network\Windows Connection Manager* -- GP ADMX file name: *WCM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_WCM/WCM_EnableSoftDisconnect** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WCM_DisablePowerManagement | +| Friendly Name | Disable power management in connected standby mode | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fDisablePowerManagement | +| ADMX File Name | WCM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WCM_EnableSoftDisconnect -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WCM/WCM_EnableSoftDisconnect +``` + + + + This policy setting determines whether Windows will soft-disconnect a computer from a network. If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. @@ -120,83 +111,120 @@ If this policy setting is enabled or not configured, Windows will soft-disconnec If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. When soft disconnect is enabled: - -- Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. +- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. - Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. -- Network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they’re not actively using it (for example, email apps) might lose their connection. If this connection loss happens, these apps should re-establish their connection over a different network. +- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they're not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. -This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows won't disconnect from any networks. +This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Windows to soft-disconnect a computer from a network* -- GP name: *WCM_EnableSoftDisconnect* -- GP path: *Network\Windows Connection Manager* -- GP ADMX file name: *WCM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_WCM/WCM_MinimizeConnections** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WCM_EnableSoftDisconnect | +| Friendly Name | Enable Windows to soft-disconnect a computer from a network | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fSoftDisconnectConnections | +| ADMX File Name | WCM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WCM_MinimizeConnections -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WCM/WCM_MinimizeConnections +``` + - - + + This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. -If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This value of 0 was previously the "Disabled" state for this policy setting. This option was first available in Windows 8. +If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. -If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This value of 1 was previously the "Enabled" state for this policy setting. This option was first available in Windows 8. +If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8. If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Minimize the number of simultaneous connections to the Internet or a Windows Domain* -- GP name: *WCM_MinimizeConnections* -- GP path: *Network\Windows Connection Manager* -- GP ADMX file name: *WCM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WCM_MinimizeConnections | +| Friendly Name | Minimize the number of simultaneous connections to the Internet or a Windows Domain | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| ADMX File Name | WCM.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 740405083b701229fed427a554a50ae7ca98f352 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 22 Dec 2022 11:43:37 -0800 Subject: [PATCH 065/152] add admx_w32time csp --- .../mdm/policy-csp-admx-w32time.md | 449 ++++++++++-------- .../mdm/policy-csp-mixedreality.md | 2 +- 2 files changed, 245 insertions(+), 206 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 550c9e6d4c..edcaa8f353 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -1,337 +1,376 @@ --- -title: Policy CSP - ADMX_W32Time -description: Learn about Policy CSP - ADMX_W32Time. +title: ADMX_W32Time Policy CSP +description: Learn more about the ADMX_W32Time Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 12/22/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/28/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_W32Time + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_W32Time policies + +## W32TIME_POLICY_CONFIG -
    -
    - ADMX_W32Time/W32TIME_POLICY_CONFIG -
    -
    - ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT -
    -
    - ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT -
    -
    - ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_CONFIG +``` + -
    - - -**ADMX_W32Time/W32TIME_POLICY_CONFIG** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. -If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the Service on target machines use locally configured settings values. +If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. -For more information on individual parameters, combinations of parameter values, and definitions of flags, see https://go.microsoft.com/fwlink/?linkid=847809. +For more details on individual parameters, combinations of parameter values as well as definitions of flags, see . -**FrequencyCorrectRate** -This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause more frequent corrections. Default: 4 (scalar). +FrequencyCorrectRate +This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause larger corrections; larger values cause smaller corrections. Default: 4 (scalar). -**HoldPeriod** +HoldPeriod This parameter indicates how many consistent time samples the client computer must receive in a series before subsequent time samples are evaluated as potential spikes. Default: 5 -**LargePhaseOffset** +LargePhaseOffset If a time sample differs from the client computer's local clock by more than LargePhaseOffset, the local clock is deemed to have drifted considerably, or in other words, spiked. Default: 50,000,000 100-nanosecond units (ns) or 5 seconds. -**MaxAllowedPhaseOffset** +MaxAllowedPhaseOffset If a response is received that has a time variation that is larger than this parameter value, W32time sets the client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol (NTP) server. If the time variation is less than this value, the client computer's local clock is corrected gradually. Default: 300 seconds. -**MaxNegPhaseCorrection** +MaxNegPhaseCorrection If a time sample is received that indicates a time in the past (as compared to the client computer's local clock) that has a time difference that is greater than the MaxNegPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. -**MaxPosPhaseCorrection** +MaxPosPhaseCorrection If a time sample is received that indicates a time in the future (as compared to the client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value, the time sample is discarded. Default: 172,800 seconds. -**PhaseCorrectRate** -This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more slowly; larger values cause the clock to correct more quickly. Default: 7 (scalar). +PhaseCorrectRate +This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more quickly; larger values cause the clock to correct more slowly. Default: 7 (scalar). -**PollAdjustFactor** +PollAdjustFactor This parameter controls how quickly W32time changes polling intervals. When responses are considered to be accurate, the polling interval lengthens automatically. When responses are considered to be inaccurate, the polling interval shortens automatically. Default: 5 (scalar). -**SpikeWatchPeriod** +SpikeWatchPeriod This parameter specifies the amount of time that samples with time offset larger than LargePhaseOffset are received before these samples are accepted as accurate. SpikeWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic, inaccurate time samples that are returned from a peer. Default: 900 seconds. -**UpdateInterval** +UpdateInterval This parameter specifies the amount of time that W32time waits between corrections when the clock is being corrected gradually. When it makes a gradual correction, the service adjusts the clock slightly, waits this amount of time, and then checks to see if another adjustment is needed, until the correction is finished. Default: 100 1/100th second units, or 1 second. General parameters: -**AnnounceFlags** +AnnounceFlags This parameter is a bitmask value that controls how time service availability is advertised through NetLogon. Default: 0x0a hexadecimal -**EventLogFlags** +EventLogFlags This parameter controls special events that may be logged to the Event Viewer System log. Default: 0x02 hexadecimal bitmask. -**LocalClockDispersion** +LocalClockDispersion This parameter indicates the maximum error in seconds that is reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock.) Default: 10 seconds. -**MaxPollInterval** -This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Shouldn't be set higher than 15.) +MaxPollInterval +This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Should not be set higher than 15.) -**MinPollInterval** +MinPollInterval This parameter controls the minimum polling interval that defines the minimum amount of time between polls of a peer. Default: 6 in log base-2, or 64 seconds. -**ClockHoldoverPeriod** +ClockHoldoverPeriod This parameter indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7800 seconds. -**RequireSecureTimeSyncRequests** -This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC won't respond to requests using such protocols. Default: 0 Boolean. +RequireSecureTimeSyncRequests +This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. Default: 0 Boolean. -**UtilizeSslTimeData** -This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an extra input for correcting the local clock. Default: 1 (enabled) Boolean +UtilizeSslTimeData +This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. Default: 1 (enabled) Boolean -**ClockAdjustmentAuditLimit** +ClockAdjustmentAuditLimit This parameter specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target machine. Default: 800 Parts per million (PPM). RODC parameters: -**ChainEntryTimeout** +ChainEntryTimeout This parameter specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. Default: 16 seconds. -**ChainMaxEntries** +ChainMaxEntries This parameter controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. Default: 128 entries. -**ChainMaxHostEntries** -This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: Four entries. +ChainMaxHostEntries +This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: 4 entries. -**ChainDisable** -This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that don't have their passwords cached on the RODC won't be able to synchronize with the RODC. Default: 0 Boolean. +ChainDisable +This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. Default: 0 Boolean. -**ChainLoggingRate** +ChainLoggingRate This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Global Configuration Settings* -- GP name: *W32TIME_POLICY_CONFIG* -- GP path: *System\Windows Time Service* -- GP ADMX file name: *W32Time.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_CONFIG | +| Friendly Name | Global Configuration Settings | +| Location | Computer Configuration | +| Path | System > Windows Time Service | +| Registry Key Name | Software\Policies\Microsoft\W32Time\Config | +| ADMX File Name | W32Time.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## W32TIME_POLICY_CONFIGURE_NTPCLIENT -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT +``` + - - + + This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. -If you disable or don't configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. +If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. -**NtpServer** -The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". +NtpServer +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". -**Type** +Type This value controls the authentication that W32time uses. The default value is NT5DS. -**CrossSiteSyncFlags** -This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client shouldn't attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value isn't set. The default value is 2 decimal (0x02 hexadecimal). +CrossSiteSyncFlags +This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal). -**ResolvePeerBackoffMinutes** +ResolvePeerBackoffMinutes This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. -**ResolvePeerBackoffMaxTimes** +ResolvePeerBackoffMaxTimes This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts. -**SpecialPollInterval** +SpecialPollInterval This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. -**EventLogFlags** -This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it's a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. +EventLogFlags +This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Windows NTP Client* -- GP name: *W32TIME_POLICY_CONFIGURE_NTPCLIENT* -- GP path: *System\Windows Time Service\Time Providers* -- GP ADMX file name: *W32Time.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_CONFIGURE_NTPCLIENT | +| Friendly Name | Configure Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| ADMX File Name | W32Time.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## W32TIME_POLICY_ENABLE_NTPCLIENT -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT +``` + - - + + This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. -If you disable or don't configure this policy setting, the local computer clock doesn't synchronize time with NTP servers. +If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Windows NTP Client* -- GP name: *W32TIME_POLICY_ENABLE_NTPCLIENT* -- GP path: *System\Windows Time Service\Time Providers* -- GP ADMX file name: *W32Time.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_ENABLE_NTPCLIENT | +| Friendly Name | Enable Windows NTP Client | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32time\TimeProviders\NtpClient | +| Registry Value Name | Enabled | +| ADMX File Name | W32Time.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## W32TIME_POLICY_ENABLE_NTPSERVER -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER +``` + - - + + This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. -If you disable or don't configure this policy setting, your computer can't service NTP requests from other computers. - +If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. + - -ADMX Info: -- GP Friendly name: *Enable Windows NTP Server* -- GP name: *W32TIME_POLICY_ENABLE_NTPSERVER* -- GP path: *System\Windows Time Service\Time Providers* -- GP ADMX file name: *W32Time.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | W32TIME_POLICY_ENABLE_NTPSERVER | +| Friendly Name | Enable Windows NTP Server | +| Location | Computer Configuration | +| Path | System > Windows Time Service > Time Providers | +| Registry Key Name | Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer | +| Registry Value Name | Enabled | +| ADMX File Name | W32Time.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index a998ae7b42..2a2a81fbdc 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -446,7 +446,7 @@ This value is a bitmask that controls events that may be logged to the System lo You may want to configure a different time server for your device fleet. You can use this policy to configure certain aspects of the NTP client. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. -For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NTPClient](policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient). +For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NTPClient](policy-csp-admx-w32time.md#w32time_policy_configure_ntpclient). > [!NOTE] > This policy also requires enabling [NtpClientEnabled](#ntpclientenabled). From a0816a49acdb9ab3093aa230c37cd209518c2039 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 22 Dec 2022 14:43:16 -0800 Subject: [PATCH 066/152] add auth csp --- .../mdm/policy-csp-authentication.md | 865 +++++++++--------- 1 file changed, 420 insertions(+), 445 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index df32a610d3..ddf90b20be 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,546 +1,521 @@ --- -title: Policy CSP - Authentication -description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen. +title: Authentication Policy CSP +description: Learn more about the Authentication Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/22/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.reviewer: bobgil -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - Authentication + + + + + +## AllowAadPasswordReset + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset +``` + + + + +Specifies whether password reset is enabled for AAD accounts. + + + + + +This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + + +## AllowFastReconnect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/AllowFastReconnect +``` + + + + +Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSecondaryAuthenticationDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/AllowSecondaryAuthenticationDevice +``` + + + + +This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello. +If you enable or do not configure this policy setting, users can authenticate to Windows Hello using a companion device. -
    - - -## Authentication policies +If you disable this policy, users cannot use a companion device to authenticate with Windows Hello. + -
    -
    - Authentication/AllowAadPasswordReset -
    -
    - Authentication/AllowEAPCertSSO -
    -
    - Authentication/AllowFastReconnect -
    -
    - Authentication/AllowFidoDeviceSignon -
    -
    - Authentication/AllowSecondaryAuthenticationDevice -
    -
    - Authentication/ConfigureWebSignInAllowedUrls -
    -
    - Authentication/ConfigureWebcamAccessDomainNames -
    -
    - Authentication/EnableFastFirstSignIn -
    -
    - Authentication/EnableWebSignIn -
    -
    - Authentication/PreferredAadTenantDomainName -
    -
    + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice | +| Friendly Name | Allow companion device for secondary authentication | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Secondary Authentication Factor | +| Registry Key Name | SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor | +| Registry Value Name | AllowSecondaryAuthenticationDevice | +| ADMX File Name | DeviceCredential.admx | + - -**Authentication/AllowAadPasswordReset** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConfigureWebcamAccessDomainNames + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebcamAccessDomainNames +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies a list of domains that are allowed to access the webcam in Web Sign-in based authentication scenarios. + -> [!div class = "checklist"] -> * Device + + -
    +> [!NOTE] +> Web sign-in is only supported on Azure AD joined PCs. - - -Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the Windows logon screen. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Not allowed. -- 1 – Allowed. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - + + -
    +**Example**: - -**Authentication/AllowEAPCertSSO** +Your organization federates to "Contoso IDP" and your web sign-in portal at `signinportal.contoso.com` requires webcam access. Then the value for this policy should be: - +`contoso.com` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + - -
    + +## ConfigureWebSignInAllowedUrls - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.2145] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls +``` + -
    + + +Specifies a list of URLs that are navigable in Web Sign-in based authentication scenarios. + - - -Allows an EAP cert-based authentication for a Single Sign on (SSO) to access internal resources. + + - - -The following list shows the supported values: +This policy specifies the list of domains that users can access in certain authentication scenarios. For example: -- 0 – Not allowed. -- 1 (default) – Allowed. +- Azure Active Directory (Azure AD) PIN reset +- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider - - +> [!NOTE] +> This policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). -
    + - -**Authentication/AllowFastReconnect** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +**Example**: - -
    +Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: `accounts.contoso.com` and `signin.contoso.com`. Then the value for this policy should be: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +`accounts.contoso.com;signin.contoso.com` -> [!div class = "checklist"] -> * Device + -
    + - - -Allows EAP Fast Reconnect from being attempted for EAP Method TLS. + +## EnableFastFirstSignIn -Most restricted value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/EnableFastFirstSignIn +``` + -- 0 – Not allowed. -- 1 (default) – Allowed. + + +Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts + - - + + -
    - - -**Authentication/AllowFidoDeviceSignon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 - -Value type is integer. - -Here's an example scenario: At Contoso, there are many shared devices and kiosks that employees use throughout the day, for example, employees use as many as 20 different devices. To minimize the loss in productivity when employees have to sign in with username and password every time they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs. - - - -The following list shows the supported values: - -- 0 - Don't allow. The FIDO device credential provider disabled. -- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign in to Windows. - - - - -
    - - -**Authentication/AllowSecondaryAuthenticationDevice** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows secondary authentication devices to work with Windows. - -The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD). - -In the next major release of Windows 10, the default for this policy for consumer devices will be changed to off. This change will only affect users that have not already set up a secondary authentication device. - - - -ADMX Info: -- GP Friendly name: *Allow companion device for secondary authentication* -- GP name: *MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice* -- GP path: *Windows Components/Microsoft Secondary Authentication Factor* -- GP ADMX file name: *DeviceCredential.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - - - - -
    - - -**Authentication/ConfigureWebSignInAllowedUrls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the list of domains that are allowed to be navigated to in Azure Active Directory PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). - -**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". - - - - - - - - - - - - - -
    - - -**Authentication/ConfigureWebcamAccessDomainNames** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios. - -Web Sign-in is only supported on Azure AD Joined PCs. - -**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com". - - - - - - - - - - - - - - -
    - - -**Authentication/EnableFastFirstSignIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!Warning] +> [!WARNING] > The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time. This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. -> [!Important] -> Pre-configured candidate local accounts are any local accounts (pre-configured or added) in your device. +> [!IMPORTANT] +> Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device. -Value type is integer. Supported values: + -- 0 - (default) The feature defaults to the existing SKU and device capabilities. -- 1 - Enabled. Auto connect new non-admin Azure AD accounts to pre-configured candidate local accounts -- 2 - Disabled. Don't auto connect new non-admin Azure AD accounts to pre-configured local accounts + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | The feature defaults to the existing SKU and device capabilities. | +| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts | +| 2 | Disabled. Do not auto-connect new non-admin Azure AD accounts to pre-configured local accounts | + - - + + + -
    + - -**Authentication/EnableWebSignIn** + +## EnableWebSignIn - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn +``` + + + +Specifies whether web-based sign-in is allowed for signing in to Windows + - -
    + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): +> [!WARNING] +> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope. -> [!div class = "checklist"] -> * Device +**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass. -
    +> [!NOTE] +> Web sign-in is only supported on Azure AD joined PCs. - - -> [!Warning] -> The Web sign-in feature is intended for recovery purposes in the event a password is not available as an authentication method. Web sign-in only supports Temporary Access Pass as an authentication method for Azure Active Directory, unless it is being used in a limited federated scope. + -"Web sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. + +**Description framework properties**: -> [!Note] -> Web sign-in is only supported on Azure AD Joined PCs. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -Value type is integer. Supported values: + +**Allowed values**: -- 0 - (default) The feature defaults to the existing SKU and device capabilities. -- 1 - Enabled. Web Credential Provider will be enabled for a sign-in. -- 2 - Disabled. Web Credential Provider won't be enabled for a sign-in. +| Value | Description | +|:--|:--| +| 0 (Default) | The feature defaults to the existing SKU and device capabilities. | +| 1 | Enabled. Web Sign-in will be enabled for signing in to Windows | +| 2 | Disabled. Web Sign-in will not be enabled for signing in to Windows | + - - + + + - - + - - + +## PreferredAadTenantDomainName - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName +``` + - -**Authentication/PreferredAadTenantDomainName** + + +Specifies the preferred domain among available domains in the AAD tenant. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**Example**: -> [!div class = "checklist"] -> * Device +Your organization uses the `@contoso.com` tenant domain name. Then the value for this policy should be: -
    +`contoso.com` - - -Specifies the preferred domain among available domains in the Azure AD tenant. +For the user `abby@constoso.com`, a sign-in is done using `abby` in the username field instead of `abby@contoso.com`. -Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", a sign in is done using "abby" in the username field instead of "abby@contoso.com". + + -Value type is string. + +## AllowEAPCertSSO - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO +``` + - - + + +Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. + - - -
    + + + + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From e86c3a2d715869a17ad6856745c6702899c41990 Mon Sep 17 00:00:00 2001 From: Tim Larson <50213291+tilarso@users.noreply.github.com> Date: Thu, 1 Dec 2022 16:30:37 -0600 Subject: [PATCH 067/152] cherry-pick 4cd1fc3 and resolve conflict --- windows/client-management/mdm/policy-csp-authentication.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index ddf90b20be..5996134bbb 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -318,9 +318,6 @@ Specifies whether new non-admin AAD accounts should auto-connect to pre-created -> [!WARNING] -> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time. - This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. > [!IMPORTANT] From 77d5759002f0a7b7ec540b4ea2207d476c25cb2f Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Sat, 24 Dec 2022 15:20:50 -0500 Subject: [PATCH 068/152] audit --- .../client-management/mdm/policy-csp-audit.md | 7430 ++++++++--------- 1 file changed, 3582 insertions(+), 3848 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 4d053f554f..c039ded0e0 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,3859 +1,3593 @@ --- -title: Policy CSP - Audit -description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out. +title: Audit Policy CSP +description: Learn more about the Audit Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/14/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.topic: reference --- + + + # Policy CSP - Audit -
    - - -## Audit policies - -
    -
    - Audit/AccountLogonLogoff_AuditAccountLockout -
    -
    - Audit/AccountLogonLogoff_AuditGroupMembership -
    -
    - Audit/AccountLogonLogoff_AuditIPsecExtendedMode -
    -
    - Audit/AccountLogonLogoff_AuditIPsecMainMode -
    -
    - Audit/AccountLogonLogoff_AuditIPsecQuickMode -
    -
    - Audit/AccountLogonLogoff_AuditLogoff -
    -
    - Audit/AccountLogonLogoff_AuditLogon -
    -
    - Audit/AccountLogonLogoff_AuditNetworkPolicyServer -
    -
    - Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents -
    -
    - Audit/AccountLogonLogoff_AuditSpecialLogon -
    -
    - Audit/AccountLogonLogoff_AuditUserDeviceClaims -
    -
    - Audit/AccountLogon_AuditCredentialValidation -
    -
    - Audit/AccountLogon_AuditKerberosAuthenticationService -
    -
    - Audit/AccountLogon_AuditKerberosServiceTicketOperations -
    -
    - Audit/AccountLogon_AuditOtherAccountLogonEvents -
    -
    - Audit/AccountManagement_AuditApplicationGroupManagement -
    -
    - Audit/AccountManagement_AuditComputerAccountManagement -
    -
    - Audit/AccountManagement_AuditDistributionGroupManagement -
    -
    - Audit/AccountManagement_AuditOtherAccountManagementEvents -
    -
    - Audit/AccountManagement_AuditSecurityGroupManagement -
    -
    - Audit/AccountManagement_AuditUserAccountManagement -
    -
    - Audit/DSAccess_AuditDetailedDirectoryServiceReplication -
    -
    - Audit/DSAccess_AuditDirectoryServiceAccess -
    -
    - Audit/DSAccess_AuditDirectoryServiceChanges -
    -
    - Audit/DSAccess_AuditDirectoryServiceReplication -
    -
    - Audit/DetailedTracking_AuditDPAPIActivity -
    -
    - Audit/DetailedTracking_AuditPNPActivity -
    -
    - Audit/DetailedTracking_AuditProcessCreation -
    -
    - Audit/DetailedTracking_AuditProcessTermination -
    -
    - Audit/DetailedTracking_AuditRPCEvents -
    -
    - Audit/DetailedTracking_AuditTokenRightAdjusted -
    -
    - Audit/ObjectAccess_AuditApplicationGenerated -
    -
    - Audit/ObjectAccess_AuditCentralAccessPolicyStaging -
    -
    - Audit/ObjectAccess_AuditCertificationServices -
    -
    - Audit/ObjectAccess_AuditDetailedFileShare -
    -
    - Audit/ObjectAccess_AuditFileShare -
    -
    - Audit/ObjectAccess_AuditFileSystem -
    -
    - Audit/ObjectAccess_AuditFilteringPlatformConnection -
    -
    - Audit/ObjectAccess_AuditFilteringPlatformPacketDrop -
    -
    - Audit/ObjectAccess_AuditHandleManipulation -
    -
    - Audit/ObjectAccess_AuditKernelObject -
    -
    - Audit/ObjectAccess_AuditOtherObjectAccessEvents -
    -
    - Audit/ObjectAccess_AuditRegistry -
    -
    - Audit/ObjectAccess_AuditRemovableStorage -
    -
    - Audit/ObjectAccess_AuditSAM -
    -
    - Audit/PolicyChange_AuditAuthenticationPolicyChange -
    -
    - Audit/PolicyChange_AuditAuthorizationPolicyChange -
    -
    - Audit/PolicyChange_AuditFilteringPlatformPolicyChange -
    -
    - Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange -
    -
    - Audit/PolicyChange_AuditOtherPolicyChangeEvents -
    -
    - Audit/PolicyChange_AuditPolicyChange -
    -
    - Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse -
    -
    - Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents -
    -
    - Audit/PrivilegeUse_AuditSensitivePrivilegeUse -
    -
    - Audit/System_AuditIPsecDriver -
    -
    - Audit/System_AuditOtherSystemEvents -
    -
    - Audit/System_AuditSecurityStateChange -
    -
    - Audit/System_AuditSecuritySystemExtension -
    -
    - Audit/System_AuditSystemIntegrity -
    -
    - - -
    - - -**Audit/AccountLogonLogoff_AuditAccountLockout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by a failed attempt to sign in to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account can't sign in to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Sign-in events are essential for understanding user activity and to detect potential attacks. - -Volume: Low. - - - -GP Info: -- GP Friendly name: *Audit Account Lockout* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditGroupMembership** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to audit the group membership information in the user's sign-in token. Events in this subcategory are generated on the computer on which a sign-in session is created. For an interactive sign in, the security audit event is generated on the computer that the user logged on to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful sign in. Enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information can't fit in a single security audit event. - -Volume: Low on a client computer. Medium on a domain controller or a network server. - - - -GP Info: -- GP Friendly name: *Audit Group Membership* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditIPsecExtendedMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - -Volume: High. - - - -GP Info: -- GP Friendly name: *Audit IPsec Extended Mode* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditIPsecMainMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit IPsec Main Mode* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditIPsecQuickMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you don't configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit IPsec Quick Mode* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditLogoff** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by the closing of a sign-in session. These events occur on the computer that was accessed. For an interactive sign out the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a sign-in session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you don't configure this policy setting, no audit event is generated when a sign-in session is closed. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Logoff* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by user account sign-in attempts on the computer. -Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -The following events are included: -- Successful sign in attempts. -- Failed sign in attempts. -- Sign-in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that account’s credentials. This process most commonly occurs in batch sign-in configurations, such as scheduled tasks or when using the RUNAS command. -- Security identifiers (SIDs) were filtered and not allowed to sign in. - -Volume: Low on a client computer. Medium on a domain controller or a network server. - - - -GP Info: -- GP Friendly name: *Audit Logon* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditNetworkPolicyServer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you don't configure this policy settings, IAS and NAP user access requests aren't audited. - -Volume: Medium or High on NPS and IAS server. No volume on other computers. - - - -GP Info: -- GP Friendly name: *Audit Network Policy Server* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3 (default)—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following: -- Terminal Services session disconnections. -- New Terminal Services sessions. -- Locking and unlocking a workstation. -- Invoking a screen saver. -- Dismissal of a screen saver. -- Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. -- Access to a wireless network granted to a user or computer account. -- Access to a wired 802.1x network granted to a user or computer account. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Logon Logoff Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following values are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditSpecialLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by special sign ins, such as: -- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon). - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Special Logon* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogonLogoff_AuditUserDeviceClaims** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to audit user and device claims information in the user's sign-in token. Events in this subcategory are generated on the computer on which a sign-in session is created. For an interactive sign in, the security audit event is generated on the computer that the user signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a sign-in token when claims are included with a user's account attributes in Active Directory. Device claims are added to the sign-in token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful sign in. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information can't fit in a single security audit event. - -Volume: Low on a client computer. Medium on a domain controller or a network server. - - - -GP Info: -- GP Friendly name: *Audit User Device Claims* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogon_AuditCredentialValidation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by validation tests on user account sign-in credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - -Volume: High on domain controllers. - - - -GP Info: -- GP Friendly name: *Audit Credential Validation* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* - - -] -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogon_AuditKerberosAuthenticationService** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - -Volume: High on Kerberos Key Distribution Center servers. - - - -GP Info: -- GP Friendly name: *Audit Kerberos Authentication Service* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogon_AuditKerberosServiceTicketOperations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Kerberos Service Ticket Operations* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountLogon_AuditOtherAccountLogonEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by responses to credential requests submitted for a user account sign in that aren't credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - -GP Info: -- GP Friendly name: *Audit Other Account Logon Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditApplicationGroupManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to application groups as follows: -- Application group is created, changed, or deleted. -- Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an application group changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Application Group Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditComputerAccountManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a computer account changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Computer Account Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditDistributionGroupManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to distribution groups as follows: -- Distribution group is created, changed, or deleted. -- Member is added or removed from a distribution group. -- Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a distribution group changes. - -> [!Note] -> Events in this subcategory are logged only on domain controllers. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Distribution Group Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditOtherAccountManagementEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by other user account changes that aren't covered in this category, such as: -- The password hash of a user account was accessed. This change happens during an Active Directory Management Tool password migration. -- The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. -- Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. - -> [!Note] -> The security audit event is logged when the policy setting is applied. It doesn't occur at the time when the settings are modified. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Account Management Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditSecurityGroupManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to security groups, such as: -- Security group is created, changed, or deleted. -- Member is added or removed from a security group. -- Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a security group changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Security Group Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/AccountManagement_AuditUserAccountManagement** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit changes to user accounts. -The events included are as follows: -- A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. -- A user account’s password is set or changed. -- A security identifier (SID) is added to the SID History of a user account. -- The Directory Services Restore Mode password is configured. -- Permissions on administrative user accounts are changed. -- Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a user account changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit User Account Management* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DSAccess_AuditDetailedDirectoryServiceReplication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - -Volume: High. - - - -GP Info: -- GP Friendly name: *Audit Detailed Directory Service Replication* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DSAccess_AuditDirectoryServiceAccess** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - -Volume: High on domain controllers. None on client computers. - - -GP Info: -- GP Friendly name: *Audit Directory Service Access* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DSAccess_AuditDirectoryServiceChanges** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -> [!Note] -> Actions on some objects and properties don't cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you don't configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - -Volume: High on domain controllers only. - - -GP Info: -- GP Friendly name: *Audit Directory Service Changes* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DSAccess_AuditDirectoryServiceReplication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you don't configure this policy setting, no audit event is generated during AD DS replication. - ->[!Note] -> Events in this subcategory are logged only on domain controllers. - -Volume: Medium on domain controllers. None on client computers. - - -GP Info: -- GP Friendly name: *Audit Directory Service Replication* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditDPAPIActivity** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to use Data Protection](/dotnet/standard/security/how-to-use-data-protection). - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit DPAPI Activity* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditPNPActivity** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit PNP Activity* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditProcessCreation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a process is created. - -Volume: Depends on how the computer is used. - - -GP Info: -- GP Friendly name: *Audit Process Creation* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditProcessTermination** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a process ends. - -Volume: Depends on how the computer is used. - - -GP Info: -- GP Friendly name: *Audit Process Termination* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* - - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditRPCEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - -Volume: High on RPC servers. - - -GP Info: -- GP Friendly name: *Audit RPC Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/DetailedTracking_AuditTokenRightAdjusted** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + +## AccountLogon_AuditCredentialValidation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation +``` + + + + +This policy setting allows you to audit events generated by validation tests on user account logon credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Credential Validation | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + + + + + + + + + +## AccountLogon_AuditKerberosAuthenticationService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditKerberosAuthenticationService +``` + + + + +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Kerberos Authentication Service | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + + + + + + + + + +## AccountLogon_AuditKerberosServiceTicketOperations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditKerberosServiceTicketOperations +``` + + + + +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Kerberos Service Ticket Operations | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + + + + + + + + + +## AccountLogon_AuditOtherAccountLogonEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditOtherAccountLogonEvents +``` + + + + +This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Account Logon Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon | + + + + + + + + + +## AccountLogonLogoff_AuditAccountLockout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout +``` + + + + +This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. Logon events are essential for understanding user activity and to detect potential attacks. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Account Lockout | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditGroupMembership + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership +``` + + + + +This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Group Membership | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditIPsecExtendedMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditIPsecExtendedMode +``` + + + + +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit IPsec Extended Mode | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditIPsecMainMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditIPsecMainMode +``` + + + + +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit IPsec Main Mode | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditIPsecQuickMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditIPsecQuickMode +``` + + + + +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit IPsec Quick Mode | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditLogoff + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogoff +``` + + + + +This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. If you do not configure this policy setting, no audit event is generated when a logon session is closed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Logoff | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon +``` + + + + +This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: Successful logon attempts. Failed logon attempts. Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. Security identifiers (SIDs) were filtered and not allowed to log on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Logon | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditNetworkPolicyServer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditNetworkPolicyServer +``` + + + + +This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. If you do not configure this policy settings, IAS and NAP user access requests are not audited. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 (Default) | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Network Policy Server | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditOtherLogonLogoffEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents +``` + + + + +This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. Access to a wireless network granted to a user or computer account. Access to a wired 802.1x network granted to a user or computer account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Logon Logoff Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditSpecialLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon +``` + + + + +This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Special Logon | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountLogonLogoff_AuditUserDeviceClaims + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditUserDeviceClaims +``` + + + + +This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit User Device Claims | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff | + + + + + + + + + +## AccountManagement_AuditApplicationGroupManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditApplicationGroupManagement +``` + + + + +This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an application group changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Application Group Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditComputerAccountManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditComputerAccountManagement +``` + + + + +This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a computer account changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Computer Account Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditDistributionGroupManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditDistributionGroupManagement +``` + + + + +This policy setting allows you to audit events generated by changes to distribution groups such as the following: Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a distribution group changes. + +**Note**: Events in this subcategory are logged only on domain controllers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Distributio Group Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditOtherAccountManagementEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditOtherAccountManagementEvents +``` + + + + +This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. Changes to the Default Domain Group Policy under the following Group Policy paths: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Account Management Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditSecurityGroupManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement +``` + + + + +This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a security group changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Security Group Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## AccountManagement_AuditUserAccountManagement + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement +``` + + + + +This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account’s password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit User Account Management | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | + + + + + + + + + +## DetailedTracking_AuditDPAPIActivity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditDPAPIActivity +``` + + + + +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see . If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit DPAPI Activity | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditPNPActivity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity +``` + + + + +This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit PNP Activity | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditProcessCreation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation +``` + + + + +This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process is created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Process Creation | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditProcessTermination + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessTermination +``` + + + + +This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process ends. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Process Termination | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditRPCEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditRPCEvents +``` + + + + +This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit RPC Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DetailedTracking_AuditTokenRightAdjusted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditTokenRightAdjusted +``` + + + + This policy setting allows you to audit events generated by adjusting the privileges of a token. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit Token Right Adjusted* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditApplicationGenerated** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: -- Creation of an application client context. -- Deletion of an application client context. -- Initialization of an application client context. -- Other application operations using the Windows Auditing APIs. - -Volume: Depends on the applications that are generating them. - - -GP Info: -- GP Friendly name: *Audit Application Generated* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditCentralAccessPolicyStaging** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that of the permission granted by the proposed policy. The resulting audit event will be generated as follows: -1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2. Failure audits when configured records access attempts when: - - The current central access policy doesn't grant access but the proposed policy grants access. - - A principal requests the maximum access rights they're allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - -GP Info: -- GP Friendly name: *Audit Central Access Policy Staging* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditCertificationServices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include: - -- AD CS startup/shutdown/backup/restore. -- Changes to the certificate revocation list (CRL). -- New certificate requests. -- Issuing of a certificate. -- Revocation of a certificate. -- Changes to the Certificate Manager settings for AD CS. -- Changes in the configuration of AD CS. -- Changes to a Certificate Services template. -- Importing of a certificate. -- Publishing of a certification authority certificate is to Active Directory Domain Services. -- Changes to the security permissions for AD CS. -- Archival of a key. -- Importing of a key. -- Retrieval of a key. -- Starting of Online Certificate Status Protocol (OCSP) Responder Service. -- Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - -Volume: Medium or Low on computers running Active Directory Certificate Services. - - -GP Info: -- GP Friendly name: *Audit Certification Services* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditDetailedFileShare** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -> [!Note] -> There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - -Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. - - -GP Info: -- GP Friendly name: *Audit Detailed File Share* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditFileShare** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -> [!Note] -> There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - -Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. - - -GP Info: -- GP Friendly name: *Audit File Share* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditFileSystem** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder). - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -> [!Note] -> You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - -Volume: Depends on how the file system SACLs are configured. - - -GP Info: -- GP Friendly name: *Audit File System* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditFilteringPlatformConnection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). -The following events are included: -- The Windows Firewall Service blocks an application from accepting incoming connections on the network. -- The WFP allows a connection. -- The WFP blocks a connection. -- The WFP permits a bind to a local port. -- The WFP blocks a bind to a local port. -- The WFP allows a connection. -- The WFP blocks a connection. -- The WFP permits an application or service to listen on a port for incoming connections. -- The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. - -If you don't configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit Filtering Platform Connection* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditFilteringPlatformPacketDrop** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Token Right Adjusted | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking | + + + + + + + + + +## DSAccess_AuditDetailedDirectoryServiceReplication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDetailedDirectoryServiceReplication +``` + + + + +This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Detailed Directory Service Replication | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## DSAccess_AuditDirectoryServiceAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDirectoryServiceAccess +``` + + + + +This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Directory Service Access | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## DSAccess_AuditDirectoryServiceChanges + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDirectoryServiceChanges +``` + + + + +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object’s properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. + +**Note**: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Directory Service Changes | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## DSAccess_AuditDirectoryServiceReplication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/DSAccess_AuditDirectoryServiceReplication +``` + + + + +This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. If you do not configure this policy setting, no audit event is generated during AD DS replication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Directory Service Replication | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > DS Access | + + + + + + + + + +## ObjectAccess_AuditApplicationGenerated + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditApplicationGenerated +``` + + + + +This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Events in this subcategory include: Creation of an application client context. Deletion of an application client context. Initialization of an application client context. Other application operations using the Windows Auditing APIs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Application Generated | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditCentralAccessPolicyStaging + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditCentralAccessPolicyStaging +``` + + + + +This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: 1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. 2) Failure audits when configured records access attempts when: a) The current central access policy does not grant access but the proposed policy grants access. b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Central Access Policy Staging | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditCertificationServices + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditCertificationServices +``` + + + + +This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. AD CS operations include the following: AD CS startup/shutdown/backup/restore. Changes to the certificate revocation list (CRL). New certificate requests. Issuing of a certificate. Revocation of a certificate. Changes to the Certificate Manager settings for AD CS. Changes in the configuration of AD CS. Changes to a Certificate Services template. Importing of a certificate. Publishing of a certification authority certificate is to Active Directory Domain Services. Changes to the security permissions for AD CS. Archival of a key. Importing of a key. Retrieval of a key. Starting of Online Certificate Status Protocol (OCSP) Responder Service. Stopping of Online Certificate Status Protocol (OCSP) Responder Service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Certification Services | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditDetailedFileShare + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare +``` + + + + +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. + +**Note**: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Detailed File Share | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditFileShare + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare +``` + + + + +This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. + +**Note**: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit File Share | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditFileSystem + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileSystem +``` + + + + +This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. + +**Note**: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit File System | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditFilteringPlatformConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFilteringPlatformConnection +``` + + + + +This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Filtering Platform Connection | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditFilteringPlatformPacketDrop + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFilteringPlatformPacketDrop +``` + + + + This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - -Volume: High. - - - -GP Info: -- GP Friendly name: *Audit Filtering Platform Packet Drop* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditHandleManipulation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a handle is manipulated. - -> [!Note] -> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access isn't enabled, handle manipulation security audit events will not be generated. - -Volume: Depends on how SACLs are configured. - - -GP Info: -- GP Friendly name: *Audit Handle Manipulation* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditKernelObject** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores. -Only kernel objects with a matching System Access Control List (SACL) generate security audit events. - -> [!Note] -> The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - -Volume: High if auditing access of global system objects is enabled. - - -GP Info: -- GP Friendly name: *Audit Kernel Object* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditOtherObjectAccessEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: -- Job created. -- Job deleted. -- Job enabled. -- Job disabled. -- Job updated. - -For COM+ objects, the following are audited: -- Catalog object added. -- Catalog object updated. -- Catalog object deleted. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Object Access Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditRegistry** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have SACLs specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -> [!Note] -> You can set a SACL on a registry object using the Permissions dialog box. - -Volume: Depends on how registry SACLs are configured. - - -GP Info: -- GP Friendly name: *Audit Registry* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditRemovableStorage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you don't configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - -GP Info: -- GP Friendly name: *Audit Removable Storage* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/ObjectAccess_AuditSAM** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include: -- SAM_ALIAS -- A local group. -- SAM_GROUP -- A group that isn't a local group. -- SAM_USER – A user account. -- SAM_DOMAIN – A domain. -- SAM_SERVER – A computer account. - -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. - -> [!Note] -> Only the System Access Control List (SACL) for SAM_SERVER can be modified. - -Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects). - - - -GP Info: -- GP Friendly name: *Audit SAM* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/PolicyChange_AuditAuthenticationPolicyChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to the authentication policy, such as: -- Creation of forest and domain trusts. -- Modification of forest and domain trusts. -- Removal of forest and domain trusts. -- Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. -- Granting of any of the following user rights to a user or group: - - Access This Computer From the Network. - - Allow Logon Locally. - - Allow Logon Through Terminal Services. - - Logon as a Batch Job. - - Logon a Service. -- Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when the authentication policy is changed. - -> [!Note] -> The security audit event is logged when the group policy is applied. It doesn't occur at the time when the settings are modified. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Authentication Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/PolicyChange_AuditAuthorizationPolicyChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to the authorization policy, such as: -- Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory. -- Removal of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory. -- Changes in the Encrypted File System (EFS) policy. -- Changes to the Resource attributes of an object. -- Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when the authorization policy changes. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Authorization Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/PolicyChange_AuditFilteringPlatformPolicyChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as: -- IPsec services status. -- Changes to IPsec policy settings. -- Changes to Windows Firewall policy settings. -- Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when a change occurs to the WFP. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Filtering Platform Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. -Events include: -- Reporting of active policies when Windows Firewall service starts. -- Changes to Windows Firewall rules. -- Changes to Windows Firewall exception list. -- Changes to Windows Firewall settings. -- Rules ignored or not applied by Windows Firewall Service. -- Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit MPSSVC Rule Level Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/PolicyChange_AuditOtherPolicyChangeEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by other security policy changes that aren't audited in the policy change category, such as: -- Trusted Platform Module (TPM) configuration changes. -- Kernel-mode cryptographic self tests. -- Cryptographic provider operations. -- Cryptographic context operations or modifications. -- Applied Central Access Policies (CAPs) changes. -- Boot Configuration Data (BCD) modifications. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other Policy Change Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/PolicyChange_AuditPolicyChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit changes in the security audit policy settings, such as: -- Settings permissions and audit settings on the Audit Policy object. -- Changes to the system audit policy. -- Registration of security event sources. -- De-registration of security event sources. -- Changes to the per-user audit settings. -- Changes to the value of CrashOnAuditFail. -- Changes to the system access control list on a file system or registry object. -- Changes to the Special Groups list. - -> [!Note] -> System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Policy Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: -- Access Credential Manager as a trusted caller. -- Access this computer from the network. -- Add workstations to domain. -- Adjust memory quotas for a process. -- Allow Logon Locally. -- Allow Logon Through Terminal Services. -- Bypass traverse checking. -- Change the system time. -- Create a pagefile. -- Create global objects. -- Create permanent shared objects. -- Create symbolic links. -- Deny access this computer from the network. -- Deny log on as a batch job. -- Deny log on as a service. -- Deny log on locally. -- Deny log on through Terminal Services. -- Force shutdown from a remote system. -- Increase a process working set. -- Increase scheduling priority. -- Lock pages in memory. -- Log on as a batch job. -- Log on as a service. -- Modify an object label. -- Perform volume maintenance tasks. -- Profile single process. -- Profile system performance. -- Remove computer from docking station. -- Shut down the system. -- Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you don't configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - -Volume: Very High. - - -GP Info: -- GP Friendly name: *Audit Non Sensitive Privilege Use* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Filtering Platform Packet Drop | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditHandleManipulation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditHandleManipulation +``` + + + + +This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a handle is manipulated. + +**Note**: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Handle Manipulation | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditKernelObject + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditKernelObject +``` + + + + +This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. + +**Note**: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Kernel Object | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditOtherObjectAccessEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents +``` + + + + +This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: Catalog object added. Catalog object updated. Catalog object deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Object Access Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditRegistry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRegistry +``` + + + + +This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. + +**Note**: You can set a SACL on a registry object using the Permissions dialog box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Registry | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditRemovableStorage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage +``` + + + + +This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Removable Storage | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## ObjectAccess_AuditSAM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditSAM +``` + + + + +This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER – A user account. SAM_DOMAIN – A domain. SAM_SERVER – A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. + +**Note**: Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit SAM | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access | + + + + + + + + + +## PolicyChange_AuditAuthenticationPolicyChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange +``` + + + + +This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group: Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. + +**Note**: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Authentication Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + + + + + + + + + +## PolicyChange_AuditAuthorizationPolicyChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthorizationPolicyChange +``` + + + + +This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when the authorization policy changes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Authorization Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + + + + + + + + + +## PolicyChange_AuditFilteringPlatformPolicyChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditFilteringPlatformPolicyChange +``` + + + + +This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Filtering Platform Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + + + + + + + + + +## PolicyChange_AuditMPSSVCRuleLevelPolicyChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange +``` + + + + +This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit MPSSVC Rule Level Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + + + + + + + + + +## PolicyChange_AuditOtherPolicyChangeEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents +``` + + + + +This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: Trusted Platform Module (TPM) configuration changes. Kernel-mode cryptographic self tests. Cryptographic provider operations. Cryptographic context operations or modifications. Applied Central Access Policies (CAPs) changes. Boot Configuration Data (BCD) modifications. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Policy Change Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + + + + + + + + + +## PolicyChange_AuditPolicyChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange +``` + + + + +This policy setting allows you to audit changes in the security audit policy settings such as the following: Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. + +**Note**: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Policy Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Policy Change | + + + + + + + + + +## PrivilegeUse_AuditNonSensitivePrivilegeUse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse +``` + + + + +This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Non Sensitive Privilege Use | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Privilege Use | + + + + + + + + + +## PrivilegeUse_AuditOtherPrivilegeUseEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents +``` + + + + Not used. - - - -GP Info: -- GP Friendly name: *Audit Other Privilege Use Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/PrivilegeUse_AuditSensitivePrivilegeUse** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as: -- A privileged service is called. -- One of the following privileges is called: - - Act as part of the operating system. - - Back up files and directories. - - Create a token object. - - Debug programs. - - Enable computer and user accounts to be trusted for delegation. - - Generate security audits. - - Impersonate a client after authentication. - - Load and unload device drivers. - - Manage auditing and security log. - - Modify firmware environment values. - - Replace a process-level token. - - Restore files and directories. - - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you don't configure this policy setting, no audit event is generated when sensitive privilege requests are made. - -Volume: High. - - -GP Info: -- GP Friendly name: *Audit Sensitive Privilege Use* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - -
    - - -**Audit/System_AuditIPsecDriver** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by the IPsec filter driver, such as: -- Startup and shutdown of the IPsec services. -- Network packets dropped due to integrity check failure. -- Network packets dropped due to replay check failure. -- Network packets dropped due to being in plaintext. -- Network packets received with incorrect Security Parameter Index (SPI). This incorrect value may indicate that either the network card isn't working correctly or the driver needs to be updated. -- Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated on an IPSec filter driver operation. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit IPsec Driver* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/System_AuditOtherSystemEvents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit any of the following events: -- Startup and shutdown of the Windows Firewall service and driver. -- Security policy processing by the Windows Firewall Service. -- Cryptography key file and migration operations. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Other System Events* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* - - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3 (default)—Success+Failure - - - - - - - - - - -
    - - -**Audit/System_AuditSecurityStateChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events: -- Startup and shutdown of the computer. -- Change of system time. -- Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit Security State Change* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* - - - -The following are the supported values: -- 0—Off/None -- 1 (default)—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/System_AuditSecuritySystemExtension** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events related to security system extensions or services, such as the following: -- A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It's used to authenticate sign-in attempts, submit sign-in requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. -- A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. - -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you don't configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - -Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers. - - -GP Info: -- GP Friendly name: *Audit Security System Extension* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* - - - -The following are the supported values: -- 0 (default)—Off/None -- 1—Success -- 2—Failure -- 3—Success+Failure - - - - - - - - - - -
    - - -**Audit/System_AuditSystemIntegrity** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to audit events that violate the integrity of the security subsystem, such as: -- Events that couldn't be written to the event log because of a problem with the auditing system. -- A process that uses a local procedure call (LPC) port that isn't valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. -- The detection of a Remote Procedure Call (RPC) that compromises system integrity. -- The detection of a hash value of an executable file that isn't valid as determined by Code Integrity. -- Cryptographic operations that compromise system integrity. - -Volume: Low. - - -GP Info: -- GP Friendly name: *Audit System Integrity* -- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System* - - - -The following are the supported values: -- 0—Off/None -- 1—Success -- 2—Failure -- 3 (default)—Success+Failure - - - - - - - - - -
    - - - - \ No newline at end of file + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other Privilege Use Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Privilege Use | + + + + + + + + + +## PrivilegeUse_AuditSensitivePrivilegeUse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse +``` + + + + +This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Sensitive Privilege Use | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Privilege Use | + + + + + + + + + +## System_AuditIPsecDriver + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditIPsecDriver +``` + + + + +This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters. If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit IPsec Driver | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + + + + + + + + + +## System_AuditOtherSystemEvents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents +``` + + + + +This policy setting allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 (Default) | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Other System Events | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + + + + + + + + + +## System_AuditSecurityStateChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange +``` + + + + +This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 (Default) | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Security State Change | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + + + + + + + + + +## System_AuditSecuritySystemExtension + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension +``` + + + + +This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit Security System Extension | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + + + + + + + + + +## System_AuditSystemIntegrity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1039] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.774] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.329] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity +``` + + + + +This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: Events that could not be written to the event log because of a problem with the auditing system. A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. The detection of a Remote Procedure Call (RPC) that compromises system integrity. The detection of a hash value of an executable file that is not valid as determined by Code Integrity. Cryptographic operations that compromise system integrity. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Off/None | +| 1 | Success | +| 2 | Failure | +| 3 (Default) | Success+Failure | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Audit System Integrity | +| Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > System | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 98b22f88555aa80c8a0b01caad43ecd4a87c5d3f Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Sat, 24 Dec 2022 15:38:50 -0500 Subject: [PATCH 069/152] autoplay --- .../mdm/policy-csp-autoplay.md | 313 ++++++++++-------- 1 file changed, 171 insertions(+), 142 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 4404ad9edb..662c33b3c1 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,134 +1,124 @@ --- -title: Policy CSP - Autoplay -description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones. +title: Autoplay Policy CSP +description: Learn more about the Autoplay Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/24/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Autoplay ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisallowAutoplayForNonVolumeDevices - -## Autoplay policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - Autoplay/DisallowAutoplayForNonVolumeDevices -
    -
    - Autoplay/SetDefaultAutoRunBehavior -
    -
    - Autoplay/TurnOffAutoPlay -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/Autoplay/DisallowAutoplayForNonVolumeDevices +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Autoplay/DisallowAutoplayForNonVolumeDevices +``` + -
    - - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting disallows AutoPlay for MTP devices like cameras or phones. -If you enable this policy setting, AutoPlay isn't allowed for MTP devices like cameras or phones. +If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. -If you disable or don't configure this policy setting, AutoPlay is enabled for non-volume devices. +If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Disallow Autoplay for non-volume devices* -- GP name: *NoAutoplayfornonVolume* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | NoAutoplayfornonVolume | +| Friendly Name | Disallow Autoplay for non-volume devices | +| Location | Computer and User Configuration | +| Path | Windows Components > AutoPlay Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoAutoplayfornonVolume | +| ADMX File Name | AutoPlay.admx | + - -**Autoplay/SetDefaultAutoRunBehavior** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SetDefaultAutoRunBehavior + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior +``` + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting sets the default behavior for Autorun commands. -Autorun commands are stored in autorun.inf files. They often launch the installation program or other routines. +Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. -This automatic execution creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. +This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: @@ -136,83 +126,122 @@ a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the default behavior for AutoRun* -- GP name: *NoAutorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**Autoplay/TurnOffAutoPlay** +| Name | Value | +|:--|:--| +| Name | NoAutorun | +| Friendly Name | Set the default behavior for AutoRun | +| Location | Computer and User Configuration | +| Path | Windows Components > AutoPlay Policies | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | AutoPlay.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## TurnOffAutoPlay - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay +``` + -
    - - - + + This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. -With Windows XP SP2 onward, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. +Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. -This policy setting disables Autoplay on other types of drives. You can't use this setting to enable Autoplay on drives on which it's disabled by default. +This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. -If you disable or don't configure this policy setting, AutoPlay is enabled. +If you disable or do not configure this policy setting, AutoPlay is enabled. -> [!Note] -> This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. +Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Autoplay* -- GP name: *Autorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Autorun | +| Friendly Name | Turn off Autoplay | +| Location | Computer and User Configuration | +| Path | Windows Components > AutoPlay Policies | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | AutoPlay.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 7b8c532779d3c67680d2b2adbf23950965905040 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Sat, 24 Dec 2022 15:43:36 -0500 Subject: [PATCH 070/152] bitlocker --- .../mdm/policy-csp-bitlocker.md | 116 ++++++++---------- 1 file changed, 52 insertions(+), 64 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 5b9b63de9c..18b0deb48c 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,84 +1,72 @@ --- -title: Policy CSP - BitLocker -description: Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices. +title: Bitlocker Policy CSP +description: Learn more about the Bitlocker Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/24/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - BitLocker + + +# Policy CSP - Bitlocker + + + -> [!NOTE] -> To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md). + +## EncryptionMethod -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -## BitLocker policies + +```Device +./Device/Vendor/MSFT/Policy/Config/Bitlocker/EncryptionMethod +``` + -
    -
    - Bitlocker/EncryptionMethod -
    -
    - - -
    - - -**Bitlocker/EncryptionMethod** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy specifies the BitLocker Drive Encryption method and cipher strength. + -> [!NOTE] -> XTS-AES 128-bit and XTS-AES 256-bit values are supported only on Windows 10 for desktop. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 3 - AES-CBC 128-bit -- 4 - AES-CBC 256-bit -- 6 - XTS-AES 128-bit (Desktop only) -- 7 - XTS-AES 256-bit (Desktop only) +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 6 | + - - -
    + + + + + + + - \ No newline at end of file + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 6effac33cc2b0fcaeedeee1b534c8421c9d1044a Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Sat, 24 Dec 2022 15:53:55 -0500 Subject: [PATCH 071/152] bits: git add -A; git commit -m bits: --- .../client-management/mdm/policy-csp-bits.md | 798 ++++++++---------- 1 file changed, 370 insertions(+), 428 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 500ed33aa8..d7d50fe51a 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,449 +1,391 @@ --- -title: Policy CSP - BITS -description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate. +title: BITS Policy CSP +description: Learn more about the BITS Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/24/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - BITS -The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate. - -- BITS/BandwidthThrottlingEndTime -- BITS/BandwidthThrottlingStartTime -- BITS/BandwidthThrottlingTransferRate - -If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8 AM and 5 PM respectively). The time policies are based on the 24-hour clock. - -
    - - -## BITS policies - -
    -
    - BITS/BandwidthThrottlingEndTime -
    -
    - BITS/BandwidthThrottlingStartTime -
    -
    - BITS/BandwidthThrottlingTransferRate -
    -
    - BITS/CostedNetworkBehaviorBackgroundPriority -
    -
    - BITS/CostedNetworkBehaviorForegroundPriority -
    -
    - BITS/JobInactivityTimeout -
    -
    - - -
    - - -**BITS/BandwidthThrottlingEndTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. This policy is based on the 24-hour clock. - -Value type is integer. Default value is 17 (5 PM). - -Supported value range: 0 - 23 - -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - -Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth. - -> [!NOTE] -> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. - -Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56 Kbs). - - - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers* -- GP name: *BITS_MaxBandwidth* -- GP element: *BITS_BandwidthLimitSchedTo* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* - - - - - - - - - - - - - -
    - - -**BITS/BandwidthThrottlingStartTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. This policy is based on the 24-hour clock. - -Value type is integer. Default value is 8 (8 am). - -Supported value range: 0 - 23 - -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - -BITS, by using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth. - -> [!NOTE] -> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting doesn't affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. - -Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56 Kbs). - - - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers* -- GP name: *BITS_MaxBandwidth* -- GP element: *BITS_BandwidthLimitSchedFrom* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* - - - - - - - - - - - - - -
    - - -**BITS/BandwidthThrottlingTransferRate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting doesn't affect foreground transfers. - -Value type is integer. Default value is 1000. - -Supported value range: 0 - 4294967200 - -You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours. - -BITS, by using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. - -If you disable or don't configure this policy setting, BITS uses all available unused bandwidth. - -> [!NOTE] - -> You should base the limit on the speed of the network link, not the computer's Network Interface Card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. - -Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). - - - -ADMX Info: -- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers* -- GP name: *BITS_MaxBandwidth* -- GP element: *BITS_MaxTransferRateText* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* - - - - - - - - - - - - - -
    - - -**BITS/CostedNetworkBehaviorBackgroundPriority** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers. - -If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting doesn't override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. - -For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: -- 1 - Always transfer -- 2 - Transfer unless roaming -- 3 - Transfer unless surcharge applies (when not roaming or overcap) -- 4 - Transfer unless nearing limit (when not roaming or nearing cap) -- 5 - Transfer only if unconstrained - - - -ADMX Info: -- GP Friendly name: *Set default download behavior for BITS jobs on costed networks* -- GP name: *BITS_SetTransferPolicyOnCostedNetwork* -- GP element: *BITS_TransferPolicyNormalPriorityValue* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* - - - - - - - - - - - - - -
    - - -**BITS/CostedNetworkBehaviorForegroundPriority** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers. - -If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting doesn't override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. - -For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are: -- 1 - Always transfer -- 2 - Transfer unless roaming -- 3 - Transfer unless surcharge applies (when not roaming or overcap) -- 4 - Transfer unless nearing limit (when not roaming or nearing cap) -- 5 - Transfer only if unconstrained - - - -ADMX Info: -- GP Friendly name: *Set default download behavior for BITS jobs on costed networks* -- GP name: *BITS_SetTransferPolicyOnCostedNetwork* -- GP element: *BITS_TransferPolicyForegroundPriorityValue* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* - - - - - - - - - - - - - -
    - - -**BITS/JobInactivityTimeout** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + + + + +## BandwidthThrottlingEndTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/BandwidthThrottlingEndTime +``` + + + + +This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +**Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 17 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidth | +| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | +| Element Name | to | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + + + + + + + + + +## BandwidthThrottlingStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/BandwidthThrottlingStartTime +``` + + + + +This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +**Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 8 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidth | +| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | +| Element Name | From | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + + + + + + + + + +## BandwidthThrottlingTransferRate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/BandwidthThrottlingTransferRate +``` + + + + +This policy specifies the bandwidth throttling transfer rate in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. Value type is integer. Default value is 1000. Supported value range: 0 - 4294967200. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. + +**Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967200]` | +| Default Value | 1000 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BITS_MaxBandwidth | +| Friendly Name | Limit the maximum network bandwidth for BITS background transfers | +| Element Name | Limit background transfer rate (Kbps) to | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + + + + + + + + + +## CostedNetworkBehaviorBackgroundPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/CostedNetworkBehaviorBackgroundPriority +``` + + + + +This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of background transfers. If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Always transfer | +| 2 | Transfer unless roaming | +| 3 | Transfer unless surcharge applies (when not roaming or over cap) | +| 4 | Transfer unless nearing limit (when not roaming or nearing cap) | +| 5 | Transfer only if unconstrained | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BITS_SetTransferPolicyOnCostedNetwork | +| Friendly Name | Set default download behavior for BITS jobs on costed networks | +| Element Name | Normal | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy | +| ADMX File Name | Bits.admx | + + + + + + + + + +## CostedNetworkBehaviorForegroundPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/CostedNetworkBehaviorForegroundPriority +``` + + + + +This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of foreground transfers. If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Always transfer | +| 2 | Transfer unless roaming | +| 3 | Transfer unless surcharge applies (when not roaming or over cap) | +| 4 | Transfer unless nearing limit (when not roaming or nearing cap) | +| 5 | Transfer only if unconstrained | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | BITS_SetTransferPolicyOnCostedNetwork | +| Friendly Name | Set default download behavior for BITS jobs on costed networks | +| Element Name | Foreground | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS\TransferPolicy | +| ADMX File Name | Bits.admx | + + + + + + + + + +## JobInactivityTimeout + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/BITS/JobInactivityTimeout +``` + + + + This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. -> [!NOTE] -> Any property changes to the job or any successful download action will reset this timeout. +**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. + -Value type is integer. Default is 90 days. + + + -Supported values range: 0 - 999 + +**Description framework properties**: -Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. -Consider decreasing this value if you're concerned about orphaned jobs occupying disk space. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-999]` | +| Default Value | 90 | + -If you disable or don't configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Timeout for inactive BITS jobs* -- GP name: *BITS_Job_Timeout* -- GP element: *BITS_Job_Timeout_Time* -- GP path: *Network/Background Intelligent Transfer Service (BITS)* -- GP ADMX file name: *Bits.admx* +| Name | Value | +|:--|:--| +| Name | BITS_Job_Timeout | +| Friendly Name | Timeout for inactive BITS jobs | +| Element Name | Inactive Job Timeout in Days | +| Location | Computer Configuration | +| Path | Network > Background Intelligent Transfer Service (BITS) | +| Registry Key Name | Software\Policies\Microsoft\Windows\BITS | +| ADMX File Name | Bits.admx | + - - -Value type is integer. Default is 90 days. + + + -Supported values range: 0 - 999 + + + + - - + - - - - - -
    - - - - +## Related articles +[Policy configuration service provider](policy-configuration-service-provider.md) From 6bf0c642357b819d48ad975f599f1dc86e96a688 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 27 Dec 2022 11:56:13 -0500 Subject: [PATCH 072/152] bluetooth browser --- .../mdm/policy-csp-bluetooth.md | 643 +- .../mdm/policy-csp-browser.md | 6753 +++++++++-------- 2 files changed, 3893 insertions(+), 3503 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 80872eeb7d..9930397327 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -1,466 +1,347 @@ --- -title: Policy CSP - Bluetooth -description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements. +title: Bluetooth Policy CSP +description: Learn more about the Bluetooth Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/24/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 02/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Bluetooth -
    + + + - -## Bluetooth policies + +## AllowAdvertising -
    -
    - Bluetooth/AllowAdvertising -
    -
    - Bluetooth/AllowDiscoverableMode -
    -
    - Bluetooth/AllowPrepairing -
    -
    - Bluetooth/AllowPromptedProximalConnections -
    -
    - Bluetooth/LocalDeviceName -
    -
    - Bluetooth/ServicesAllowedList -
    -
    - Bluetooth/SetMinimumEncryptionKeySize -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising +``` + -
    + + +Specifies whether the device can send out Bluetooth advertisements. If this is not set or it is deleted, the default value of 1 (Allow) is used. Most restricted value is 0. + - -**Bluetooth/AllowAdvertising** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. | +| 1 (Default) | Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowDiscoverableMode - - -This policy specifies whether the device can send out Bluetooth advertisements. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -If this policy isn't set or is deleted, the default value of 1 (Allow) is used. + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode +``` + -Most restricted value is 0. + + +Specifies whether other Bluetooth-enabled devices can discover the device. If this is not set or it is deleted, the default value of 1 (Allow) is used. Most restricted value is 0. + - - -The following list shows the supported values: + + + -- 0 – Not allowed. When set to 0, the device won't send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement isn't received by the peripheral. -- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Bluetooth/AllowDiscoverableMode** +| Value | Description | +|:--|:--| +| 0 | Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. | +| 1 (Default) | Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## AllowPrepairing - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPrepairing +``` + -> [!div class = "checklist"] -> * Device + + +Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. + -
    + + + - - -This policy specifies whether other Bluetooth-enabled devices can discover the device. + +**Description framework properties**: -If this policy isn't set or is deleted, the default value of 1 (Allow) is used. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -Most restricted value is 0. + +**Allowed values**: - - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -- 0 – Not allowed. When set to 0, other devices won't be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you can't see the name of the device. -- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. + + + - - + -
    + +## AllowPromptedProximalConnections - -**Bluetooth/AllowPrepairing** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowPromptedProximalConnections +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default)– Allowed. - - - - -
    - - -**Bluetooth/AllowPromptedProximalConnections** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios. + - - -The following list shows the supported values: + + + -- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios -- 1 - Allow (default). Allow users on these managed devices to use Swift Pair and other proximity based scenarios + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - -**Bluetooth/LocalDeviceName** +| Value | Description | +|:--|:--| +| 0 | Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios | +| 1 (Default) | Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## LocalDeviceName - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/LocalDeviceName +``` + -> [!div class = "checklist"] -> * Device + + +Sets the local Bluetooth device name. If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. If this policy is not set or it is deleted, the default local radio name is used. + -
    + + + - - -Sets the local Bluetooth device name. + +**Description framework properties**: -If this name is set, the value that it's set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If this policy isn't set or is deleted, the default local radio name is used. + + + - - + -
    + +## ServicesAllowedList - -**Bluetooth/ServicesAllowedList** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. + +## SetMinimumEncryptionKeySize -The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide) + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Bluetooth/SetMinimumEncryptionKeySize +``` + -
    - - -**Bluetooth/SetMinimumEncryptionKeySize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. + - - -The following list shows the supported values: -- 0 (default) - All Bluetooth traffic is allowed. -- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N. + + + -For more information on allowed key sizes, see Bluetooth Core Specification v5.1. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-16]` | +| Default Value | 0 | + - - + + + - - -
    + + + + - + -
    - -## ServicesAllowedList usage guide - -When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It's an allowed list, enabling admins to still allow custom Bluetooth profiles that aren't defined by the Bluetooth Special Interests Group (SIG). - -- Disabling a service shall block incoming and outgoing connections for such services -- Disabling a service shall not publish an SDP record containing the service being blocked -- Disabling a service shall not allow SDP to expose a record for a blocked service -- Disabling a service shall log when a service is blocked for auditing purposes -- Disabling a service shall take effect upon reload of the stack or system reboot - -To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. - -These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID. - -Here are some examples: - -**Example of how to enable Hands Free Profile (HFP)** - -BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB - -|UUID name |Protocol specification |UUID | -|---------|---------|---------| -|HFP(Hands Free Profile) |Hands-Free Profile (HFP) * |0x111E | - -Footnote: * Used as both Service Class Identifier and Profile Identifier. - -Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB - -**Allow Audio Headsets (Voice)** - -|Profile|Reasoning|UUID| -|-|-|-| -|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E| -|Generic Audio Service|Generic audio service|0x1203| -|Headset Service Class|For older voice-enabled headsets|0x1108| -|PnP Information|Used to identify devices occasionally|0x1200| - -If you only want Bluetooth headsets, the UUIDs to include are: - -{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} - - - -**Allow Audio Headsets and Speakers (Voice & Music)** - -|Profile |Reasoning |UUID | -|---------|---------|---------| -|HFP (Hands Free Profile) |For voice enabled headsets |0x111E | -|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B| -|Generic Audio Service|Generic service used by Bluetooth|0x1203| -|Headset Service Class|For older voice-enabled headsets|0x1108| -|AV Remote Control Target Service|For controlling audio remotely|0x110C| -|AV Remote Control Service|For controlling audio remotely|0x110E| -|AV Remote Control Controller Service|For controlling audio remotely|0x110F| -|PnP Information|Used to identify devices occasionally|0x1200| - -{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; - -**Classic Keyboards and Mice** - -|Profile |Reasoning |UUID | -|---------|---------|---------| -|HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 | -|PnP Information|Used to identify devices occasionally|0x1200| - -{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; - - -**LE Keyboards and Mice** - -|Profile |Reasoning |UUID | -|---------|---------|---------| -|Generic Access Attribute |For the LE Protocol |0x1801 | -|HID Over GATT * |For LE keyboards and mice |0x1812 | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|DID (Device ID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | - -Footnote: * The Surface pen uses the HID over GATT profile - -{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} - -**Allow File Transfer** - -|Profile |Reasoning |UUID | -|---------|---------|---------| -|OBEX Object Push (OPP) |For file transfer |0x1105 | -|Object Exchange (OBEX) |Protocol for file transfer |0x0008 | -|PnP Information|Used to identify devices occasionally|0x1200| - -{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} - -Disabling file transfer shall have the following effects -- Fsquirt shall not allow sending of files -- Fsquirt shall not allow receiving of files -- Fsquirt shall display error message informing user of policy preventing file transfer -- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API +## Related articles +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index f408ee3d3b..d522163ea8 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,3327 +1,3796 @@ --- -title: Policy CSP - Browser -description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier. -ms.topic: article +title: Browser Policy CSP +description: Learn more about the Browser Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 12/24/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.author: vinpa -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz -ms.localizationpriority: medium +ms.topic: reference --- + + + # Policy CSP - Browser -> [!NOTE] -> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm). + + + + +## AllowAddressBarDropdown - -## Browser policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - Browser/AllowAddressBarDropdown -
    -
    - Browser/AllowAutofill -
    -
    - Browser/AllowConfigurationUpdateForBooksLibrary -
    -
    - Browser/AllowCookies -
    -
    - Browser/AllowDeveloperTools -
    -
    - Browser/AllowDoNotTrack -
    -
    - Browser/AllowExtensions -
    -
    - Browser/AllowFlash -
    -
    - Browser/AllowFlashClickToRun -
    -
    - Browser/AllowFullScreenMode -
    -
    - Browser/AllowInPrivate -
    -
    - Browser/AllowMicrosoftCompatibilityList -
    -
    - Browser/AllowPasswordManager -
    -
    - Browser/AllowPopups -
    -
    - Browser/AllowPrelaunch -
    -
    - Browser/AllowPrinting -
    -
    - Browser/AllowSavingHistory -
    -
    - Browser/AllowSearchEngineCustomization -
    -
    - Browser/AllowSearchSuggestionsinAddressBar -
    -
    - Browser/AllowSideloadingOfExtensions -
    -
    - Browser/AllowSmartScreen -
    -
    - Browser/AllowTabPreloading -
    -
    - Browser/AllowWebContentOnNewTabPage -
    -
    - Browser/AlwaysEnableBooksLibrary -
    -
    - Browser/ClearBrowsingDataOnExit -
    -
    - Browser/ConfigureAdditionalSearchEngines -
    -
    - Browser/ConfigureFavoritesBar -
    -
    - Browser/ConfigureHomeButton -
    -
    - Browser/ConfigureKioskMode -
    -
    - Browser/ConfigureKioskResetAfterIdleTimeout -
    -
    - Browser/ConfigureOpenMicrosoftEdgeWith -
    -
    - Browser/ConfigureTelemetryForMicrosoft365Analytics -
    -
    - Browser/DisableLockdownOfStartPages -
    -
    - Browser/EnableExtendedBooksTelemetry -
    -
    - Browser/EnterpriseModeSiteList -
    -
    - Browser/EnterpriseSiteListServiceUrl -
    -
    - Browser/HomePages -
    -
    - Browser/LockdownFavorites -
    -
    - Browser/PreventAccessToAboutFlagsInMicrosoftEdge -
    -
    - Browser/PreventCertErrorOverrides -
    -
    - Browser/PreventFirstRunPage -
    -
    - Browser/PreventLiveTileDataCollection -
    -
    - Browser/PreventSmartScreenPromptOverride -
    -
    - Browser/PreventSmartScreenPromptOverrideForFiles -
    -
    - Browser/PreventTurningOffRequiredExtensions -
    -
    - Browser/PreventUsingLocalHostIPAddressForWebRTC -
    -
    - Browser/ProvisionFavorites -
    -
    - Browser/SendIntranetTraffictoInternetExplorer -
    -
    - Browser/SetDefaultSearchEngine -
    -
    - Browser/SetHomeButtonURL -
    -
    - Browser/SetNewTabPageURL -
    -
    - Browser/ShowMessageWhenOpeningSitesInInternetExplorer -
    + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown +``` -
    - Browser/SuppressEdgeDeprecationNotification -
    -
    - Browser/SyncFavoritesBetweenIEAndMicrosoftEdge -
    -
    - Browser/UnlockHomeButton -
    -
    - Browser/UseSharedFolderForBooks -
    -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown +``` + + + +This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. -
    +Note: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. - -**Browser/AllowAddressBarDropdown** +If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. - +If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type". + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User -> * Device +| Value | Description | +|:--|:--| +| 0 | Prevented/not allowed. Hide the Address bar drop-down functionality and disable the Show search and site suggestions as I type toggle in Settings. | +| 1 (Default) | Allowed. Show the Address bar drop-down list and make it available. | + -
    + +**Group policy mapping**: - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +| Name | Value | +|:--|:--| +| Name | AllowAddressBarDropdown | +| Friendly Name | Allow Address bar drop-down list suggestions | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\ServiceUI | +| Registry Value Name | ShowOneBox | +| ADMX File Name | MicrosoftEdge.admx | + -[!INCLUDE [allow-address-bar-drop-down-shortdesc](../includes/allow-address-bar-drop-down-shortdesc.md)] + + + + - - -ADMX Info: -- GP Friendly name: *Allow Address bar drop-down list suggestions* -- GP name: *AllowAddressBarDropdown* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +## AllowAutofill - - -Supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -- 0 – Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings.  -- 1 (default) – Allowed. Show the Address bar drop-down list and make it available. + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowAutofill +``` -Most restricted value: 0 - - +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowAutofill +``` + -
    + + +This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. - -**Browser/AllowAutofill** +If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. - +If you disable this setting, employees can't use Autofill to automatically fill in forms while using Microsoft Edge. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +If you don't configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * User -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/Not allowed. | +| 1 | Allowed. | + - - + +**Group policy mapping**: -[!INCLUDE [configure-autofill-shortdesc](../includes/configure-autofill-shortdesc.md)] +| Name | Value | +|:--|:--| +| Name | AllowAutofill | +| Friendly Name | Configure Autofill | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | Use FormSuggest | +| ADMX File Name | MicrosoftEdge.admx | + - - -ADMX Info: -- GP Friendly name: *Configure Autofill* -- GP name: *AllowAutofill* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose to use AutoFill. -- 0 – Prevented/not allowed. -- 1 (default) – Allowed. - -Most restricted value: 0 - - + + +**Verify**: To verify AllowAutofill is set to 0 (not allowed): 1. Open Microsoft Edge. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. 4. Verify the setting **Save form entries** is grayed out. + - - + -
    + +## AllowBrowser - -**Browser/AllowConfigurationUpdateForBooksLibrary** +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowBrowser +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowBrowser +``` + - -
    + + +This policy is deprecated + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -[!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../includes/allow-configuration-updates-for-books-library-shortdesc.md)] +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + - - -ADMX Info: -- GP Friendly name: *Allow configuration updates for the Books Library* -- GP name: *AllowConfigurationUpdateForBooksLibrary* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + - - -Supported values: + +## AllowConfigurationUpdateForBooksLibrary -- 0 - Prevented/not allowed. -- 1 (default). Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary +``` + - -**Browser/AllowCookies** + + +This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + - - -[!INCLUDE [configure-cookies-shortdesc](../includes/configure-cookies-shortdesc.md)] + +## AllowCookies - - -ADMX Info: -- GP Friendly name: *Configure cookies* -- GP name: *Cookies* -- GP element: *CookiesListBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -Supported values: + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowCookies +``` -- 0 – Block all cookies from all sites -- 1 – Block only cookies from third party websites -- 2 - Allow all cookies from all sites +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowCookies +``` + -Most restricted value: 0 - - + + +This setting lets you configure how your company deals with cookies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Block all cookies from all sites | +| 1 | Block only cookies from third party websites | +| 2 (Default) | Allow all cookies from all sites | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Cookies | +| Friendly Name | Configure cookies | +| Element Name | Configure Cookies | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowCookies is set to 0 (not allowed): 1. Open Microsoft Edge. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. 4. Verify the setting **Cookies** is disabled. + - - + -
    + +## AllowDeveloperTools - -**Browser/AllowDeveloperTools** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +``` + + + +This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. - -
    +If you enable or don't configure this setting, the F12 Developer Tools are available in Microsoft Edge. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable this setting, the F12 Developer Tools aren't available in Microsoft Edge. + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -[!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Allow Developer Tools* -- GP name: *AllowDeveloperTools* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + - - -Supported values: + +**Group policy mapping**: -- 0 – Prevented/not allowed. -- 1 (default) – Allowed. +| Name | Value | +|:--|:--| +| Name | AllowDeveloperTools | +| Friendly Name | Allow Developer Tools | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\F12 | +| Registry Value Name | AllowDeveloperTools | +| ADMX File Name | MicrosoftEdge.admx | + -Most restricted value: 0 - - + + + -
    + - -**Browser/AllowDoNotTrack** + +## AllowDoNotTrack - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack +``` + - -
    + + +This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren't sent, but employees can choose to turn on and send requests. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you enable this setting, Do Not Tracker requests are always sent to websites asking for tracking info. -> [!div class = "checklist"] -> * User -> * Device +If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. -
    +If you don't configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. + - - -[!INCLUDE [configure-do-not-track-shortdesc](../includes/configure-do-not-track-shortdesc.md)] + + + - - -ADMX Info: -- GP Friendly name: *Configure Do Not Track* -- GP name: *AllowDoNotTrack* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Description framework properties**: - - -Supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- Blank (default) - Don't send tracking information but let users choose to send tracking information to sites they visit. -- 0 - Never send tracking information. -- 1 - Send tracking information. + +**Allowed values**: -Most restricted value: 1 - - +| Value | Description | +|:--|:--| +| 0 (Default) | Never send tracking information. | +| 1 | Send tracking information. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowDoNotTrack | +| Friendly Name | Configure Do Not Track | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | DoNotTrack | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowDoNotTrack is set to 0 (not allowed): 1. Open Microsoft Edge. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. 4. Verify the setting **Send Do Not Track requests** is grayed out. + + + + + +## AllowExtensions - - - -
    - - -**Browser/AllowExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1607* - -[!INCLUDE [allow-extensions-shortdesc](../includes/allow-extensions-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Extensions* -- GP name: *AllowExtensions* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - - - - -
    - - -**Browser/AllowFlash** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-adobe-flash-shortdesc](../includes/allow-adobe-flash-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Adobe Flash* -- GP name: *AllowFlash* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - - - - -
    - - -**Browser/AllowFlashClickToRun** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../includes/configure-adobe-flash-click-to-run-setting-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure the Adobe Flash Click-to-Run setting* -- GP name: *AllowFlashClickToRun* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Load and run Adobe Flash content automatically. -- 1 (default) – Doesn't load or run Adobe Flash content automatically. Requires action from the user. - -Most restricted value: 1 - - - - -
    - - -**Browser/AllowFullScreenMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-fullscreen-mode-shortdesc](../includes/allow-fullscreen-mode-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow FullScreen Mode* -- GP name: *AllowFullScreenMode* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowInPrivate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [allow-inprivate-browsing-shortdesc](../includes/allow-inprivate-browsing-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow InPrivate browsing* -- GP name: *AllowInPrivate* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowMicrosoftCompatibilityList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../includes/allow-microsoft-compatibility-list-shortdesc.md)] - - - - -ADMX Info: -- GP Friendly name: *Allow Microsoft Compatibility List* -- GP name: *AllowCVList* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowPasswordManager** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [configure-password-manager-shortdesc](../includes/configure-password-manager-shortdesc.md)] - - - - -ADMX Info: -- GP Friendly name: *Configure Password Manager* -- GP name: *AllowPasswordManager* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose to save and manage passwords locally. -- 0 – Not allowed. -- 1 (default) – Allowed. - -Most restricted value: 0 - - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowExtensions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowExtensions +``` + + + + +This setting lets you decide whether employees can load extensions in Microsoft Edge. + +If you enable or don't configure this setting, employees can use Microsoft Edge Extensions. + +If you disable this setting, employees can't use Microsoft Edge Extensions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowExtensions | +| Friendly Name | Allow Extensions | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Extensions | +| Registry Value Name | ExtensionsEnabled | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowFlash + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowFlash +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowFlash +``` + + + + +This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + +If you enable or don't configure this setting, employees can use Adobe Flash. + +If you disable this setting, employees can't use Adobe Flash. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFlash | +| Friendly Name | Allow Adobe Flash | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Addons | +| Registry Value Name | FlashPlayerEnabled | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowFlashClickToRun + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun +``` + + + + +If you enable or don’t configure the Adobe Flash Click-to-Run setting, Microsoft Edge will require a user to click the Click-to-Run button, to click the content, or for the site to appear on the auto-allowed list, before loading and running the content. + +Sites get onto the auto-allowed list based on user feedback, specifically by how often the content is allowed to load and run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Load and run Adobe Flash content automatically. | +| 1 (Default) | Does not load or run Adobe Flash content automatically. Requires action from the user. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFlashClickToRun | +| Friendly Name | Configure the Adobe Flash Click-to-Run setting | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Security | +| Registry Value Name | FlashClickToRunMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowFullScreenMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowFullScreenMode +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowFullScreenMode +``` + + + + +With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. + +If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. + +If disabled, full-screen mode is unavailable for use in Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowFullScreenMode | +| Friendly Name | Allow FullScreen Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowFullScreenMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowInPrivate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowInPrivate +``` + + + + +This policy setting lets you decide whether employees can browse using InPrivate website browsing. + +If you enable or don't configure this setting, employees can use InPrivate website browsing. + +If you disable this setting, employees can't use InPrivate website browsing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowInPrivate | +| Friendly Name | Allow InPrivate browsing | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowInPrivate | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowMicrosoftCompatibilityList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList +``` + + + + +This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. + +If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly. + +If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCVList | +| Friendly Name | Allow Microsoft Compatibility List | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BrowserEmulation | +| Registry Value Name | MSCompatibilityMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowPasswordManager + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager +``` + + + + +This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. + +If you enable this setting, employees can use Password Manager to save their passwords locally. + +If you disable this setting, employees can't use Password Manager to save their passwords locally. + +If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowPasswordManager | +| Friendly Name | Configure Password Manager | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | FormSuggest Passwords | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowPasswordManager is set to 0 (not allowed): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. 2. Verify the settings **Save Password** is disabled. + - - + -
    + +## AllowPopups - -**Browser/AllowPopups** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPopups +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPopups +``` + + + +This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.. - -
    +If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. -> [!div class = "checklist"] -> * User -> * Device +If you don't configure this setting, employees can choose whether to use Pop-up Blocker. + -
    + + + - - + +**Description framework properties**: -[!INCLUDE [configure-pop-up-blocker-shortdesc](../includes/configure-pop-up-blocker-shortdesc.md)] +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -ADMX Info: -- GP Friendly name: *Configure Pop-up Blocker* -- GP name: *AllowPopups* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Allowed values**: - - -Supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | Turn off Pop-up Blocker letting pop-up windows open. | +| 1 | Turn on Pop-up Blocker stopping pop-up windows from opening. | + -- Blank - Users can choose to use Pop-up Blocker. -- 0 (default) – Turn off Pop-up Blocker letting pop-up windows open. -- 1 – Turn on Pop-up Blocker stopping pop-up windows from opening. + +**Group policy mapping**: -Most restricted value: 1 +| Name | Value | +|:--|:--| +| Name | AllowPopups | +| Friendly Name | Configure Pop-up Blocker | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowPopups | +| ADMX File Name | MicrosoftEdge.admx | + - - + + +**Verify**: To verify AllowPopups is set to 0 (not allowed): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. 2. Verify whether the setting **Block pop-ups** is disabled. + - - + + + +## AllowPrelaunch -
    - - -**Browser/AllowPrelaunch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - - -[!INCLUDE [allow-prelaunch-shortdesc](../includes/allow-prelaunch-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed* -- GP name: *AllowPrelaunch* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowPrinting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-printing-shortdesc](../includes/allow-printing-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow printing* -- GP name: *AllowPrinting* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowSavingHistory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-saving-history-shortdesc](../includes/allow-saving-history-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Saving History* -- GP name: *AllowSavingHistory* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed -- 1 (default) - Allowed - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowSearchEngineCustomization** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [allow-search-engine-customization-shortdesc](../includes/allow-search-engine-customization-shortdesc.md)] - - - - - -ADMX Info: -- GP Friendly name: *Allow search engine customization* -- GP name: *AllowSearchEngineCustomization* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – Prevented/not allowed -- 1 (default) – Allowed - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowSearchSuggestionsinAddressBar** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../includes/configure-search-suggestions-in-address-bar-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure search suggestions in Address bar* -- GP name: *AllowSearchSuggestionsinAddressBar* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Users can choose to see search suggestions. -- 0 – Prevented/not allowed. Hide the search suggestions. -- 1 – Allowed. Show the search suggestions. - -Most restricted value: 0 - - - - -
    - - -**Browser/AllowSideloadingOfExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-sideloading-of-extensions-shortdesc](../includes/allow-sideloading-of-extensions-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow sideloading of Extensions* -- GP name: *AllowSideloadingOfExtensions* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed. Disabling doesn't prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this sideloading, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). -- 1 (default) - Allowed. - -Most restricted value: 0 - - - - - - - - - - -
    - - -**Browser/AllowSmartScreen** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [configure-windows-defender-smartscreen-shortdesc](../includes/configure-windows-defender-smartscreen-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure Windows Defender SmartScreen* -- GP name: *AllowSmartScreen* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose to use Windows Defender SmartScreen. -- 0 – Turned off. Don't protect users from potential threats and prevent users from turning it on. -- 1 (default) – Turned on. Protect users from potential threats and prevent users from turning it off. - -Most restricted value: 1 - - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch +``` + + + + +This policy setting lets you decide whether Microsoft Edge can pre-launch during Windows sign in, when the system is idle, and each time Microsoft Edge is closed. By default this setting is to allow pre-launch. + +If you allow pre-launch, disable, or don’t configure this policy setting, Microsoft Edge pre-launches during Windows sign in, when the system is idle, and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge. + +If you prevent pre-launch, Microsoft Edge won’t pre-launch during Windows sign in, when the system is idle, or each time Microsoft Edge is closed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowPrelaunch | +| Friendly Name | Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowPrinting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowPrinting +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowPrinting +``` + + + + +With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. + +If enabled, printing is allowed. + +If disabled, printing is not allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowPrinting | +| Friendly Name | Allow printing | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowPrinting | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSavingHistory + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory +``` + + + + +Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. + +If enabled or not configured, the browsing history is saved and visible in the History pane. + +If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSavingHistory | +| Friendly Name | Allow Saving History | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AllowSavingHistory | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSearchEngineCustomization + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization +``` + + + + +This policy setting lets you decide whether users can change their search engine. If you disable this setting, users can't add new search engines or change the default used in the address bar. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. + +If you disable this setting, users can't add search engines or change the default used in the address bar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchEngineCustomization | +| Friendly Name | Allow search engine customization | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | +| Registry Value Name | AllowSearchEngineCustomization | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSearchSuggestionsinAddressBar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar +``` + + + + +This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. + +If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. + +If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. + +If you don't configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. Hide the search suggestions. | +| 1 (Default) | Allowed. Show the search suggestions. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSearchSuggestionsinAddressBar | +| Friendly Name | Configure search suggestions in Address bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\SearchScopes | +| Registry Value Name | ShowSearchSuggestionsGlobal | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSideloadingOfExtensions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSideloadingOfExtensions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSideloadingOfExtensions +``` + + + + +Sideloading installs and runs unverified extensions in Microsoft Edge. With this policy, you can specify whether unverified extensions can be sideloaded in Microsoft Edge. + +If enabled or not configured, sideloading of unverified extensions in Microsoft Edge is allowed. + +If disabled, sideloading of unverified extensions in Microsoft Edge is not allowed. Extensions can be installed only through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled, this policy does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, in Group Policy Editor, enable Allows development of Windows Store apps and installing them from an integrated development environment (IDE), which is located at: + +Computer Configuration > Administrative Templates > Windows Components > App Package Deployment + +Supported versions: Microsoft Edge on Windows 10, version 1809 +Default setting: Disabled or not configured +Related policies: +- Allows development of Windows Store apps and installing them from an integrated development environment (IDE) +- Allow all trusted apps to install​ + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via Powershell. To prevent this, set the ApplicationManagement/AllowDeveloperUnlock policy to 1 (enabled). | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSideloadingOfExtensions | +| Friendly Name | Allow Sideloading of extension | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Extensions | +| Registry Value Name | AllowSideloadingOfExtensions | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowSmartScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +``` + + + + +This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. + +If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. + +If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. + +If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | +| 1 (Default) | Turned on. Protect users from potential threats and prevent users from turning it off. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSmartScreen | +| Friendly Name | Configure Windows Defender SmartScreen | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter | +| Registry Value Name | EnabledV9 | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify AllowSmartScreen is set to 0 (not allowed): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. 2. Verify that the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled. + - - + -
    + +## AllowTabPreloading - -**Browser/AllowTabPreloading** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading +``` + + + +This policy setting lets you decide whether Microsoft Edge can load the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed. By default this setting is to allow preloading. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-tab-preloading-shortdesc](../includes/allow-tab-preloading-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow Microsoft Edge to start and load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed* -- GP name: *AllowTabPreloading* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 - Prevented/not allowed. -- 1 (default) - Allowed. Preload Start and New tab pages. - -Most restricted value: 1 - - - - - - - - - -
    - - -**Browser/AllowWebContentOnNewTabPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - - -[!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../includes/allow-web-content-on-new-tab-page-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow web content on New Tab page* -- GP name: *AllowWebContentOnNewTabPage* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - Users can choose what loads on the New tab page. -- 0 - Load a blank page instead of the default New tab page and prevent users from changing it. -- 1 (default) - Load the default New tab page. - - - - - - - - - - -
    - - -**Browser/AlwaysEnableBooksLibrary** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [always-show-books-library-shortdesc](../includes/always-show-books-library-shortdesc.md)] - - - - - -ADMX Info: -- GP Friendly name: *Always show the Books Library in Microsoft Edge* -- GP name: *AlwaysEnableBooksLibrary* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Show the Books Library only in countries or regions where supported. -- 1 - Show the Books Library, regardless of the device’s country or region. - -Most restricted value: 0 - - - - -
    - - -**Browser/ClearBrowsingDataOnExit** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - -[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../includes/allow-clearing-browsing-data-on-exit-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow clearing browsing data on exit* -- GP name: *AllowClearingBrowsingDataOnExit* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 – (default) Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. -- 1 – Allowed. Clear the browsing data upon exit automatically. - -Most restricted value: 1 - - - +If you allow preloading, disable, or don’t configure this policy setting, Microsoft Edge loads the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge and to start a new tab. + +If you prevent preloading, Microsoft Edge won’t load the Start or New Tab page during Windows sign in and each time Microsoft Edge is closed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevented/Not allowed. | +| 1 (Default) | Allowed. Preload Start and New tab pages. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowTabPreloading | +| Friendly Name | Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\TabPreloader | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AllowWebContentOnNewTabPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage +``` + + + + +This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. + +If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. + +If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. + +If you don't configure this setting, employees can choose how new tabs appears. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Load a blank page instead of the default New tab page and prevent users from changing it. | +| 1 (Default) | Load the default New tab page. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowWebContentOnNewTabPage | +| Friendly Name | Allow web content on New Tab page | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\ServiceUI | +| Registry Value Name | AllowWebContentOnNewTabPage | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## AlwaysEnableBooksLibrary + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary +``` + + + + +This policy setting helps you to decide whether to make the Books tab visible, regardless of a device's country or region setting, as configured in the Country or region area of Windows settings. + +If you enable this setting, Microsoft Edge shows the Books Library, regardless of the device's country or region. + +If you disable or don't configure this setting, Microsoft Edge shows the Books Library only in countries or regions where it's supported. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Show the Books Library only in countries or regions where supported. | +| 1 | Show the Books Library, regardless of the device's country or region. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AlwaysEnableBooksLibrary | +| Friendly Name | Always show the Books Library in Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | AlwaysEnableBooksLibrary | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## ClearBrowsingDataOnExit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit +``` + + + + +This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. + +If you enable this policy setting, clearing browsing history on exit is turned on. + +If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options under Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/not allowed. Users can configure the 'Clear browsing data' option in Settings. | +| 1 | Allowed. Clear the browsing data upon exit automatically. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowClearingBrowsingDataOnExit | +| Friendly Name | Allow clearing browsing data on exit | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Privacy | +| Registry Value Name | ClearBrowsingHistoryOnExit | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): 1. Open Microsoft Edge and browse to websites. 2. Close the Microsoft Edge window. 3. Open Microsoft Edge and start typing the same URL in address bar. 4. Verify that it doesn't auto-complete from history. + - - + -
    + +## ConfigureAdditionalSearchEngines - -**Browser/ConfigureAdditionalSearchEngines** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines +``` + + + +Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +**Group policy mapping**: - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* +| Name | Value | +|:--|:--| +| Name | ConfigureAdditionalSearchEngines | +| Friendly Name | Configure additional search engines | +| Element Name | Use this format to specify the link(s) you wish to add: `<>` `<>` | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch | +| ADMX File Name | MicrosoftEdge.admx | + -[!INCLUDE [configure-additional-search-engines-shortdesc](../includes/configure-additional-search-engines-shortdesc.md)] + + + -> [!IMPORTANT] -> Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled.  + + +## ConfigureFavoritesBar - - -ADMX Info: -- GP Friendly name: *Configure additional search engines* -- GP name: *ConfigureAdditionalSearchEngines* -- GP element: *ConfigureAdditionalSearchEngines_Prompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - -Supported values: + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +``` -- 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

    If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. -- 1 – Allowed. Add up to five more search engines and set any one of them as the default.

    For each search engine added, you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar +``` + -Most restricted value: 0 - - + + +The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. -


    +If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -**Browser/ConfigureFavoritesBar** +If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - +If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +| 1 | Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | + -
    + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigureFavoritesBar | +| Friendly Name | Configure Favorites Bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | ConfigureFavoritesBar | +| ADMX File Name | MicrosoftEdge.admx | + + + + -[!INCLUDE [configure-favorites-bar-shortdesc](../includes/configure-favorites-bar-shortdesc.md)] + - - -ADMX Info: -- GP Friendly name: *Configure Favorites Bar* -- GP name: *ConfigureFavoritesBar* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +## ConfigureHomeButton - - -Supported values: + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -- Blank (default) - Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. -- 0 - Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. -- 1 - Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +``` +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton +``` + - - + + +The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. By default, this policy is disabled or not configured and clicking the home button loads the default Start page. When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. If Enabled AND: - Show home button & set to Start page is selected, clicking the home button loads the Start page. - Show home button & set to New tab page is selected, clicking the home button loads a New tab page. - Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. - Hide home button is selected, the home button is hidden in Microsoft Edge. Default setting: Disabled or not configured Related policies: - Set Home Button URL - Unlock Home Button + - - + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Browser/ConfigureHomeButton** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Show home button and load the Start page | +| 1 | Show home button and load the New tab page | +| 2 | Show home button and load the custom URL defined in the Set Home Button URL policy | +| 3 | Hide home button | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | ConfigureHomeButton | +| Friendly Name | Configure Home Button | +| Element Name | Configure the Home Button | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-home-button-shortdesc](../includes/configure-home-button-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure Home Button* -- GP name: *ConfigureHomeButton* -- GP element: *ConfigureHomeButtonDropdown* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Show home button and load the Start page. -- 1 - Show home button and load the New tab page. -- 2 - Show home button and load the custom URL defined in the Set Home Button URL policy. -- 3 - Hide home button. - + + >[!TIP] >If you want to make changes to this policy:
    1. Set **UnlockHomeButton** to 1 (enabled).
    2. Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.
    3. Set **UnlockHomeButton** 0 (disabled).
    + + - - + +## ConfigureKioskMode - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode +``` + - -**Browser/ConfigureKioskMode** + + +Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + -> [!div class = "checklist"] -> * User -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | ConfigureKioskMode | +| Friendly Name | Configure kiosk mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\KioskMode | +| ADMX File Name | MicrosoftEdge.admx | + - - + + + -[!INCLUDE [configure-kiosk-mode-shortdesc](../includes/configure-kiosk-mode-shortdesc.md)] + -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). + +## ConfigureKioskResetAfterIdleTimeout + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +``` - - -ADMX Info: -- GP Friendly name: *Configure kiosk mode* -- GP name: *ConfigureKioskMode* -- GP element: *ConfigureKioskMode_TextBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout +``` + - - -Supported values: + + +You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. + -**0 (Default or not configured)**: -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. + + + -**1**: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you don't configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 5 | +| Dependency [Browser_ConfigureKioskResetAfterIdleTimeout_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigureKioskResetAfterIdleTimeout | +| Friendly Name | Configure kiosk reset after idle timeout | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\KioskMode | +| ADMX File Name | MicrosoftEdge.admx | + -
    + + + - -**Browser/ConfigureKioskResetAfterIdleTimeout** + - + +## ConfigureOpenMicrosoftEdgeWith -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureOpenMicrosoftEdgeWith +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureOpenMicrosoftEdgeWith +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. If enabled, you can choose one of the following options: - Start page: the Start page loads ignoring the Configure Start Pages policy. - New tab page: the New tab page loads ignoring the Configure Start Pages policy. - Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. - A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. Default setting: A specific page or pages (default) Related policies: -Disable Lockdown of Start Pages -Configure Start Pages + -> [!div class = "checklist"] -> * User -> * Device + + + -
    + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + +**Allowed values**: -[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] +| Value | Description | +|:--|:--| +| 0 | Load the Start page | +| 1 | Load the New tab page | +| 2 | Load the previous pages | +| 3 (Default) | Load a specific page or pages | + -You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc). + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Configure kiosk reset after idle timeout* -- GP name: *ConfigureKioskResetAfterIdleTimeout* -- GP element: *ConfigureKioskResetAfterIdleTimeout_TextBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - -- **0** – No idle timer. - - - - - - - - - - -
    - - -**Browser/ConfigureOpenMicrosoftEdgeWith** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../includes/configure-open-microsoft-edge-with-shortdesc.md)] - -**Version 1703 or later**:
    -If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. - - -**version 1809**:
    -When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages. - - - -ADMX Info: -- GP Friendly name: *Configure Open Microsoft Edge With* -- GP name: *ConfigureOpenEdgeWith* -- GP element: *ConfigureOpenEdgeWithListBox* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page. -- 0 - Load the Start page. -- 1 - Load the New tab page. -- 2 - Load the previous pages. -- 3 (default) - Load a specific page or pages. +| Name | Value | +|:--|:--| +| Name | ConfigureOpenEdgeWith | +| Friendly Name | Configure Open Microsoft Edge With | +| Element Name | Configure Open Microsoft Edge With | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + >[!TIP] >If you want to make changes to this policy:
    1. Set DisableLockdownOfStartPages to 0 (not configured).
    2. Make changes to ConfigureOpenEdgeWith.
    3. Set DisableLockdownOfStartPages to 1 (enabled).
    + + - - + +## ConfigureTelemetryForMicrosoft365Analytics - - +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics +``` - -**Browser/ConfigureTelemetryForMicrosoft365Analytics** +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics +``` + - + + +Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | No data collected or sent | +| 1 | Send intranet history only | +| 2 | Send Internet history only | +| 3 | Send both intranet and Internet history | + -
    + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | ConfigureTelemetryForMicrosoft365Analytics | +| Friendly Name | Configure collection of browsing data for Desktop Analytics | +| Element Name | Configure telemetry collection | +| Location | Computer and User Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | +| ADMX File Name | MicrosoftEdge.admx | + -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] + + + - - -ADMX Info: -- GP Friendly name: *Configure collection of browsing data for Microsoft 365 Analytics* -- GP name: *ConfigureTelemetryForMicrosoft365Analytics* -- GP element: *ZonesListBox* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *MicrosoftEdge.admx* + - - -Supported values: + +## DisableLockdownOfStartPages -- 0 (default) - No data collected or sent -- 1 - Send intranet history only -- 2 - Send Internet history only -- 3 - Send both intranet and Internet history + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -Most restricted value: 0 - - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages +``` + - - + + +You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Start Pages - Configure Open Microsoft Edge With + -
    - - -**Browser/DisableLockdownOfStartPages** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10* - -[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../includes/disable-lockdown-of-start-pages-shortdesc.md)] -   + + > [!NOTE] > This policy has no effect when the Browser/HomePages policy isn't configured.  > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). - - -ADMX Info: -- GP Friendly name: *Disable lockdown of Start pages* -- GP name: *DisableLockdownOfStartPages* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. -- 1 – Unlocked. Users can make changes to all configured start pages.

    When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy. - -Most restricted value: 0 - - - -


    - - -**Browser/EnableExtendedBooksTelemetry** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../includes/allow-extended-telemetry-for-books-tab-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Allow extended telemetry for the Books tab* -- GP name: *EnableExtendedBooksTelemetry* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration. -- 1 - Gather all diagnostic data. - -Most restricted value: 0 - - - -
    - - -**Browser/EnterpriseModeSiteList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Configure the Enterprise Mode Site List* -- GP name: *EnterpriseModeSiteList* -- GP element: *EnterSiteListPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Turned off. Microsoft Edge doesn't check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. -- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

    For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). - - - - - -


    - - -**Browser/EnterpriseSiteListServiceUrl** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -> [!IMPORTANT] -> Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. - - - - -
    - - -**Browser/HomePages** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] - -**Version 1607**
    -From this version, the HomePages policy enforces that users can't change the Start pages settings. - -**Version 1703**
    -If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL. - -**Version 1809**
    -When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages you want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. - - -> [!NOTE] -> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - -ADMX Info: -- GP Friendly name: *Configure Start pages* -- GP name: *HomePages* -- GP element: *HomePagesPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Load the pages specified in App settings as the default Start pages. -- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets and comma:

          \,\ - - - - -


    - - -**Browser/LockdownFavorites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709* - -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../includes/prevent-changes-to-favorites-shortdesc.md)] - - - - -ADMX Info: -- GP Friendly name: *Prevent changes to Favorites on Microsoft Edge* -- GP name: *LockdownFavorites* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Allowed/not locked down. Users can add, import, and make changes to the favorites. -- 1 - Prevented/locked down. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../includes/prevent-access-to-about-flags-page-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent access to the about:flags page in Microsoft Edge* -- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. -- 1 – Prevents users from accessing the about:flags page. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventCertErrorOverrides** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-certificate-error-overrides-shortdesc](../includes/prevent-certificate-error-overrides-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent certificate error overrides* -- GP name: *PreventCertErrorOverrides* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - Allowed/turned on. Override the security warning to sites that have SSL errors. -- 1 - Prevented/turned on. - -Most restricted value: 1 - - - - - - - - - -
    - - -**Browser/PreventFirstRunPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703* - -[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../includes/prevent-first-run-webpage-from-opening-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent the First Run webpage from opening on Microsoft Edge* -- GP name: *PreventFirstRunPage* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. Load the First Run webpage. -- 1 – Prevented/not allowed. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventLiveTileDataCollection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - -[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start* -- GP name: *PreventLiveTileDataCollection* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Collect and send Live Tile metadata. -- 1 – No data collected. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventSmartScreenPromptOverride** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-sites-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for sites* -- GP name: *PreventSmartScreenPromptOverride* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to the site. -- 1 – Prevented/turned on. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventSmartScreenPromptOverrideForFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-bypassing-windows-defender-prompts-for-files-shortdesc](../includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for files* -- GP name: *PreventSmartScreenPromptOverrideForFiles* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). -- 1 – Prevented/turned on. - -Most restricted value: 1 - - - -
    - - -**Browser/PreventTurningOffRequiredExtensions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../includes/prevent-turning-off-required-extensions-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent turning off required extensions* -- GP name: *PreventTurningOffRequiredExtensions* -- GP element: *PreventTurningOffRequiredExtensions_Prompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. - -- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:

          _Microsoft.OneNoteWebClipper8wekyb3d8bbwe_

    After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

    Removing extensions from the list doesn't uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy doesn't prevent users from debugging and altering the logic on an extension. - - - - - - - - - - -


    - - -**Browser/PreventUsingLocalHostIPAddressForWebRTC** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Prevent using Localhost IP address for WebRTC* -- GP name: *HideLocalHostIPAddress* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. Show localhost IP addresses. -- 1 – Prevented/not allowed. - -Most restricted value: 1 - - - -
    - - -**Browser/ProvisionFavorites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later* - -[!INCLUDE [provision-favorites-shortdesc](../includes/provision-favorites-shortdesc.md)] - - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. | +| 1 | Unlocked. Users can make changes to all configured start pages. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLockdownOfStartPages | +| Friendly Name | Disable lockdown of Start pages | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## EnableExtendedBooksTelemetry + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry +``` + + + + +This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge. + +If you enable this setting, Microsoft Edge sends additional telemetry data, on top of the basic telemetry data, from the Books tab. + +If you disable or don't configure this setting, Microsoft Edge only sends basic telemetry data, depending on your device configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Gather and send only basic diagnostic data, depending on the device configuration. | +| 1 | Gather all diagnostic data. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableExtendedBooksTelemetry | +| Friendly Name | Allow extended telemetry for the Books tab | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary | +| Registry Value Name | EnableExtendedBooksTelemetry | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## EnterpriseModeSiteList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList +``` + + + + +This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnterpriseModeSiteList | +| Friendly Name | Configure the Enterprise Mode Site List | +| Element Name | Type the location (URL) of your Enterprise Mode IE website list | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## EnterpriseSiteListServiceUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/EnterpriseSiteListServiceUrl +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/EnterpriseSiteListServiceUrl +``` + + + + +Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## FirstRunURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/FirstRunURL +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/FirstRunURL +``` + + + + +Configure first run URL. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [Browser_FirstRunURL_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## HomePages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/HomePages +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/HomePages +``` + + + + +When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HomePages | +| Friendly Name | Configure Start pages | +| Element Name | Use this format: `` `<>` | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## LockdownFavorites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/LockdownFavorites +``` + + + + +This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. + +If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. + +Important +Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/not locked down. Users can add, import, and make changes to the favorites. | +| 1 | Prevented/locked down. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | LockdownFavorites | +| Friendly Name | Prevent changes to Favorites on Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | +| Registry Value Name | LockdownFavorites | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventAccessToAboutFlagsInMicrosoftEdge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge +``` + + + + +This policy settings lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. + +If you enable this policy setting, employees can't access the about:flags page. + +If you disable or don't configure this setting, employees can access the about:flags page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. | +| 1 | Prevents users from accessing the about:flags page. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventAccessToAboutFlagsInMicrosoftEdge | +| Friendly Name | Prevent access to the about:flags page in Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | PreventAccessToAboutFlagsInMicrosoftEdge | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventCertErrorOverrides + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides +``` + + + + +Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. + +If enabled, overriding certificate errors are not allowed. + +If disabled or not configured, overriding certificate errors are allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/turned on. Override the security warning to sites that have SSL errors. | +| 1 | Prevented/turned on. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventCertErrorOverrides | +| Friendly Name | Prevent certificate error overrides | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| Registry Value Name | PreventCertErrorOverrides | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventFirstRunPage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage +``` + + + + +This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. + +If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. + +If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. Load the First Run webpage. | +| 1 | Prevented/Not allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFirstRunPage | +| Friendly Name | Prevent the First Run webpage from opening on Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | PreventFirstRunPage | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventLiveTileDataCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection +``` + + + + +This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. + +If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Collect and send Live Tile metadata. | +| 1 | No data collected. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLiveTileDataCollection | +| Friendly Name | Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | PreventLiveTileDataCollection | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventSmartScreenPromptOverride + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverride +``` + + + + +This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. + +If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from continuing to the site. + +If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/turned off. Users can ignore the warning and continue to the site. | +| 1 | Prevented/turned on. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventSmartScreenPromptOverride | +| Friendly Name | Prevent bypassing Windows Defender SmartScreen prompts for sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter | +| Registry Value Name | PreventOverride | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventSmartScreenPromptOverrideForFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles +``` + + + + +This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. + +If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. + +If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | +| 1 | Prevented/turned on. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventSmartScreenPromptOverrideForFiles | +| Friendly Name | Prevent bypassing Windows Defender SmartScreen prompts for files | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter | +| Registry Value Name | PreventOverrideAppRepUnknown | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventTurningOffRequiredExtensions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions +``` + + + + +You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventTurningOffRequiredExtensions | +| Friendly Name | Prevent turning off required extensions | +| Element Name | In the space below, enter extension package family names (PFNs) separated by semi-colons. | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Extensions | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## PreventUsingLocalHostIPAddressForWebRTC + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC +``` + + + + +This policy setting lets you decide whether an employee's LocalHost IP address shows while making calls using the WebRTC protocol. + +If you enable this setting, LocalHost IP addresses are hidden while making calls using the WebRTC protocol. + +If you disable or don't configure this setting, LocalHost IP addresses are shown while making calls using the WebRTC protocol. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed. Show localhost IP addresses. | +| 1 | Prevented/Not allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideLocalHostIPAddress | +| Friendly Name | Prevent using Localhost IP address for WebRTC | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | HideLocalHostIP | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## ProvisionFavorites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites +``` + + + + +This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. + +**Important**: Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfiguredFavorites | +| Friendly Name | Provision Favorites | +| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

    URL can be specified as
    1. HTTP location: https://localhost:8080/URLs.html
    2. Local network: \\network\shares\URLs.html
    3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Example**: Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. To define a default list of favorites: 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 2. Click **Import from another browser**, click **Export to file** and save the file. 3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

    Specify the URL as:

    • HTTP location: "SiteList"=``
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
    - - ->[!IMPORTANT] ->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. - - - - - - -ADMX Info: -- GP Friendly name: *Provision Favorites* -- GP name: *ConfiguredFavorites* -- GP element: *ConfiguredFavoritesPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - - -
    - - -**Browser/SendIntranetTraffictoInternetExplorer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Send all intranet sites to Internet Explorer 11* -- GP name: *SendIntranetTraffictoInternetExplorer* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. -- 1 - Only intranet sites open in Internet Explorer 11 automatically.

    Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

    1. In Group Policy Editor, navigate to:

      **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.

    2. Refresh the policy and then view the affected sites in Microsoft Edge.

      A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it isn't yet running, or in a new tab.

    - -Most restricted value: 0 - - - - -
    - - -**Browser/SetDefaultSearchEngine** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703* - -[!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)] - -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). - - -Most restricted value: 0 - - - -ADMX Info: -- GP Friendly name: *Set default search engine* -- GP name: *SetDefaultSearchEngine* -- GP element: *SetDefaultSearchEngine_Prompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users can't make changes. -- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. -- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users can't change the default search engine.

    Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

    If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

    If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. - -Most restricted value: 1 - - - -


    - - -**Browser/SetHomeButtonURL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [set-home-button-url-shortdesc](../includes/set-home-button-url-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Set Home Button URL* -- GP name: *SetHomeButtonURL* -- GP element: *SetHomeButtonURLPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. -- String - Load a custom URL for the home button. You must also enable the Configure Home Button policy and select the _Show home button & set a specific page_ option.

    Enter a URL in string format, for example, https://www.msn.com. - - - - - - - - - - -


    - - -**Browser/SetNewTabPageURL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - - -[!INCLUDE [set-new-tab-url-shortdesc](../includes/set-new-tab-url-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Set New Tab page URL* -- GP name: *SetNewTabPageURL* -- GP element: *SetNewTabPageURLPrompt* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- Blank (default) - Load the default New tab page. -- String - Prevent users from changing the New tab page.

    Enter a URL in string format, for example, https://www.msn.com. - - - - - - - - - -


    - - -**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Show message when opening sites in Internet Explorer* -- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – No other message displays. -- 1 – Show another message stating that a site has opened in IE11. -- 2 - Show another message with a "Keep going in Microsoft Edge" link. - -Most restricted value: 0 - - - -
    - - -**Browser/SuppressEdgeDeprecationNotification** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls. -By default, a notification will be presented to the user informing them of this update upon application startup. -With this policy, you can either allow (default) or suppress this notification. - - - -ADMX Info: -- GP Friendly name: *Suppress Edge Deprecation Notification* -- GP name: *SuppressEdgeDeprecationNotification* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Allowed. Notification will be shown at application startup. -- 1 – Prevented/not allowed. - -
    - -Browser/SyncFavoritesBetweenIEAndMicrosoftEdge - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* - - -[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] - - - -ADMX Info: -- GP Friendly name: *Keep favorites in sync between Internet Explorer and Microsoft Edge* -- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* - - - -Supported values: - -- 0 (default) – Turned off/not syncing -- 1 – Turned on/syncing - - - + + + + + +## SendIntranetTraffictoInternetExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer +``` + + + + +This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. + +If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. + +If you disable or don't configure this setting, all intranet sites are automatically opened using Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | All sites, including intranet sites, open in Microsoft Edge automatically. | +| 1 | Only intranet sites open in Internet Explorer 11 automatically. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SendIntranetTraffictoInternetExplorer | +| Friendly Name | Send all intranet sites to Internet Explorer 11 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | SendIntranetTraffictoInternetExplorer | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SetDefaultSearchEngine + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine +``` + + + + +Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetDefaultSearchEngine | +| Friendly Name | Set default search engine | +| Element Name | Use this format to specify the link you wish to add: `<>` | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\OpenSearch | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SetHomeButtonURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL +``` + + + + +The home button can be configured to load a custom URL when your user clicks the home button. If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. Default setting: Blank or not configured Related policy: Configure Home Button + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetHomeButtonURL | +| Friendly Name | Set Home Button URL | +| Element Name | Enter a URL in string format. For example: | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SetNewTabPageURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL +``` + + + + +You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. If enabled, you can set the default New Tab page URL. If disabled or not configured, the default Microsoft Edge new tab page is used. Default setting: Disabled or not configured Related policy: Allow web content on New Tab page + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetNewTabPageURL | +| Friendly Name | Set New Tab page URL | +| Element Name | Enter a URL in string format. For example: | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## ShowMessageWhenOpeningSitesInInternetExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer +``` + + + + +You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. + +If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. + +If disabled or not configured, the default app behavior occurs and no additional page displays. + +Default setting: Disabled or not configured +Related policies: +-Configure the Enterprise Mode Site List +-Send all intranet sites to Internet Explorer 11 + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No additional message displays. | +| 1 | Show an additional message stating that a site has opened in IE11. | +| 2 | Show an additional message with a "Keep going in Microsoft Edge" link. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowMessageWhenOpeningSitesInInternetExplorer | +| Friendly Name | Show message when opening sites in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | ShowMessageWhenOpeningSitesInInternetExplorer | +| ADMX File Name | MicrosoftEdge.admx | + + + + + + + + + +## SyncFavoritesBetweenIEAndMicrosoftEdge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +``` + + + + +This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. + +If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. + +If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Turned off/not syncing. | +| 1 | Turned on/syncing. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SyncFavoritesBetweenIEAndMicrosoftEdge | +| Friendly Name | Keep favorites in sync between Internet Explorer and Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Main | +| Registry Value Name | SyncFavoritesBetweenIEAndMicrosoftEdge | +| ADMX File Name | MicrosoftEdge.admx | + + + + +**Verify**: To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
      @@ -3329,123 +3798,163 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
    1. Open Microsoft Edge, then select Hub > Favorites.
    2. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
    + - - + -
    + +## UnlockHomeButton - -**Browser/UnlockHomeButton** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton +``` + + + +By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -
    +If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. -> [!div class = "checklist"] -> * User -> * Device +Default setting: Disabled or not configured +Related policy: +-Configure Home Button +-Set Home Button URL + -
    + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -[!INCLUDE [unlock-home-button-shortdesc](../includes/unlock-home-button-shortdesc.md)] + +**Allowed values**: - - -ADMX Info: -- GP Friendly name: *Unlock Home Button* -- GP name: *UnlockHomeButton* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* +| Value | Description | +|:--|:--| +| 0 (Default) | Lock down and prevent users from making changes to the settings. | +| 1 | Let users make changes. | + - - -Supported values: + +**Group policy mapping**: -- 0 (default) - Lock down and prevent users from making changes to the settings. -- 1 - Let users make changes. +| Name | Value | +|:--|:--| +| Name | UnlockHomeButton | +| Friendly Name | Unlock Home Button | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Internet Settings | +| Registry Value Name | UnlockHomeButton | +| ADMX File Name | MicrosoftEdge.admx | + - - + + + - - + - - + +## UseSharedFolderForBooks -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -**Browser/UseSharedFolderForBooks** + +```User +./User/Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + +This policy setting lets you decide whether Microsoft Edge stores books from the Books tab to a default, shared folder for Windows. +If you enable this setting, Microsoft Edge automatically downloads book files to a common, shared folder and prevents students and teachers from removing the book from the Books tab. For this to work properly, your students and teachers must be signed in using a school account. - -
    +If you disable or don't configure this setting, Microsoft Edge downloads book files to a per-user folder for each student or teacher. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -[!INCLUDE [allow-a-shared-books-folder-shortdesc](../includes/allow-a-shared-books-folder-shortdesc.md)] +| Value | Description | +|:--|:--| +| 0 (Default) | Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. | +| 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. | + - - -ADMX Info: -- GP Friendly name: *Allow a shared Books folder* -- GP name: *UseSharedFolderForBooks* -- GP path: *Windows Components/Microsoft Edge* -- GP ADMX file name: *MicrosoftEdge.admx* + +**Group policy mapping**: - - -Supported values: +| Name | Value | +|:--|:--| +| Name | UseSharedFolderForBooks | +| Friendly Name | Allow a shared Books folder | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft Edge | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary | +| Registry Value Name | UseSharedFolderForBooks | +| ADMX File Name | MicrosoftEdge.admx | + -- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. + + + -Most restricted value: 0 - - -
    + + + + + - +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 2b6f8f2e53f0644946418ac70472792bc3784ec3 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 27 Dec 2022 12:26:52 -0500 Subject: [PATCH 073/152] camera cellular --- .../mdm/policy-csp-camera.md | 130 ++--- .../mdm/policy-csp-cellular.md | 460 ++++++++++-------- 2 files changed, 317 insertions(+), 273 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 8c04fb2ffd..5f0caf30c8 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,86 +1,98 @@ --- -title: Policy CSP - Camera -description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera. +title: Camera Policy CSP +description: Learn more about the Camera Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Camera + + + + +## AllowCamera -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -## Camera policies + +```Device +./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera +``` + -
    -
    - Camera/AllowCamera -
    -
    + + +This policy setting allow the use of Camera devices on the machine. +If you enable or do not configure this policy setting, Camera devices will be enabled. -
    +If you disable this property setting, Camera devices will be disabled. + - -**Camera/AllowCamera** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | L_AllowCamera | +| Friendly Name | Allow Use of Camera | +| Location | Computer Configuration | +| Path | Windows Components > Camera | +| Registry Key Name | software\Policies\Microsoft\Camera | +| Registry Value Name | AllowCamera | +| ADMX File Name | Camera.admx | + - - -Disables or enables the camera. + + + -Most restricted value is 0. + - - -ADMX Info: -- GP Friendly name: *Allow Use of Camera* -- GP name: *L_AllowCamera* -- GP path: *Windows Components/Camera* -- GP ADMX file name: *Camera.admx* + + + - - -The following list shows the supported values: + -- 0 – Not allowed. -- 1 (default) – Allowed. - - - -
    - - - - +## Related articles +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index fc801d1859..e6c9882a53 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,84 +1,54 @@ --- -title: Policy CSP - Cellular -description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data. +title: Cellular Policy CSP +description: Learn more about the Cellular Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Cellular > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## LetAppsAccessCellularData - -## Cellular policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    -
    - Cellular/LetAppsAccessCellularData -
    -
    - Cellular/LetAppsAccessCellularData_ForceAllowTheseApps -
    -
    - Cellular/LetAppsAccessCellularData_ForceDenyTheseApps -
    -
    - Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps -
    -
    - Cellular/ShowAppCellularAccessUI -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData +``` + - -
    - - -**Cellular/LetAppsAccessCellularData** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Windows apps can access cellular data. + + + You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. @@ -89,210 +59,272 @@ If you choose the "Force Deny" option, Windows apps aren't allowed to access cel If you disable or don't configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. -If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” +If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app. + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_Enum* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 - User is in control -- 1 - Force Allow -- 2 - Force Deny + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | User is in control | +| 1 | Force Allow | +| 2 | Force Deny | + -
    + +**Group policy mapping**: - -**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Element Name | Default for all apps | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## LetAppsAccessCellularData_ForceAllowTheseApps - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +``` + -> [!div class = "checklist"] -> * Device + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + -
    + + + - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_ForceAllowTheseApps_List* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + - -**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## LetAppsAccessCellularData_ForceDenyTheseApps + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_ForceDenyTheseApps_List* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* + +**Group policy mapping**: - - +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + -
    + + + - -**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps** + - + +## LetAppsAccessCellularData_UserInControlOfTheseApps -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +``` + - -
    + + +List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - - -List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Let Windows apps access cellular data* -- GP name: *LetAppsAccessCellularData* -- GP element: *LetAppsAccessCellularData_UserInControlOfTheseApps_List* -- GP path: *Network/WWAN Service/Cellular Data Access* -- GP ADMX file name: *wwansvc.admx* +| Name | Value | +|:--|:--| +| Name | LetAppsAccessCellularData | +| Friendly Name | Let Windows apps access cellular data | +| Location | Computer Configuration | +| Path | Network > WWAN Service > Cellular Data Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess | +| ADMX File Name | wwansvc.admx | + - - + + + -
    + - -**Cellular/ShowAppCellularAccessUI** + +## ShowAppCellularAccessUI - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Cellular/ShowAppCellularAccessUI +``` + - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. -If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. -If this policy setting is disabled or isn't configured, the link to the per-application cellular access control page is shown by default. +If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. +If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Per-App Cellular Access UI Visibility* -- GP name: *ShowAppCellularAccessUI* -- GP path: *Network/WWAN Service/WWAN UI Settings* -- GP ADMX file name: *wwansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | ShowAppCellularAccessUI | +| Friendly Name | Set Per-App Cellular Access UI Visibility | +| Location | Computer Configuration | +| Path | Network > WWAN Service > WWAN UI Settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\UISettings | +| ADMX File Name | wwansvc.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 8cb2c32fe6f1a5d3ae14cde196815fabab7a1999 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 27 Dec 2022 12:52:42 -0500 Subject: [PATCH 074/152] cloudpc connectivity --- .../mdm/policy-csp-cloudpc.md | 5 +- .../mdm/policy-csp-connectivity.md | 1249 +++++++++-------- 2 files changed, 695 insertions(+), 559 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md index 0c497a0c4e..dd52780e9a 100644 --- a/windows/client-management/mdm/policy-csp-cloudpc.md +++ b/windows/client-management/mdm/policy-csp-cloudpc.md @@ -4,7 +4,7 @@ description: Learn more about the CloudPC Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 12/27/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | @@ -36,6 +36,7 @@ ms.topic: reference + This policy is used by IT admin to set the configuration mode of cloud PC. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index e9849f6706..c13152ace1 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,224 +1,199 @@ --- -title: Policy CSP - Connectivity -description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access. +title: Connectivity Policy CSP +description: Learn more about the Connectivity Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Connectivity ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowBluetooth - -## Connectivity policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    -
    - Connectivity/AllowBluetooth -
    -
    - Connectivity/AllowCellularData -
    -
    - Connectivity/AllowCellularDataRoaming -
    -
    - Connectivity/AllowConnectedDevices -
    -
    - Connectivity/AllowPhonePCLinking -
    -
    - Connectivity/AllowUSBConnection -
    -
    - Connectivity/AllowVPNOverCellular -
    -
    - Connectivity/AllowVPNRoamingOverCellular -
    -
    - Connectivity/DisablePrintingOverHTTP -
    -
    - Connectivity/DisableDownloadingOfPrintDriversOverHTTP -
    -
    - Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards -
    -
    - Connectivity/DisallowNetworkConnectivityActiveTests -
    -
    - Connectivity/HardenedUNCPaths -
    -
    - Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowBluetooth +``` + + + +Allows the user to enable Bluetooth or restrict access. -
    +**Note**: This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0. + - -**Connectivity/AllowBluetooth** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on. | +| 1 | Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | +| 2 (Default) | Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowCellularData - - -This policy allows the user to enable Bluetooth or restrict access. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -> [!NOTE] ->  This value isn't supported in Windows 10. + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularData +``` + -If this policy isn't set or is deleted, the default value of 2 (Allow) is used. + + +Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. + -Most restricted value is 0. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user won't be able to turn on Bluetooth. -- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth. -- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn on Bluetooth. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | +| 1 (Default) | Allow the cellular data channel. The user can turn it off. | +| 2 | Allow the cellular data channel. The user cannot turn it off. | + - -**Connectivity/AllowCellularData** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowCellularDataRoaming + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularDataRoaming +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network. -> [!div class = "checklist"] -> * Device +If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers with the home provider network. -
    +If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadband networks. + - - + + + -This policy allows the cellular data channel on the device. Device reboot isn't required to enforce the policy. + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 – Don't allow the cellular data channel. The user can't turn it on. This value isn't supported in Windows 10, version 1511. -- 1 (default) – Allow the cellular data channel. The user can turn it off. -- 2 - Allow the cellular data channel. The user can't turn it off. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. | +| 1 (Default) | Allow cellular data roaming. | +| 2 | Allow cellular data roaming on. The user cannot turn it off. | + -
    + +**Group policy mapping**: - -**Connectivity/AllowCellularDataRoaming** +| Name | Value | +|:--|:--| +| Name | WCM_DisableRoaming | +| Friendly Name | Prohibit connection to roaming Mobile Broadband networks | +| Location | Computer Configuration | +| Path | Network > Windows Connection Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy | +| Registry Value Name | fBlockRoaming | +| ADMX File Name | WCM.admx | + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows or disallows cellular data roaming on the device. Device reboot isn't required to enforce the policy. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Prohibit connection to roaming Mobile Broadband networks* -- GP name: *WCM_DisableRoaming* -- GP path: *Network/Windows Connection Manager* -- GP ADMX file name: *WCM.admx* - - - -The following list shows the supported values: - -- 0 – Don't allow cellular data roaming. The user can't turn it on. This value isn't supported in Windows 10, version 1511. -- 1 (default) – Allow cellular data roaming. -- 2 - Allow cellular data roaming on. The user can't turn it off. - - - + + +**Validate**: To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate on devices, perform the following steps: @@ -226,561 +201,721 @@ To validate on devices, perform the following steps: 1. Go to Cellular & SIM. 2. Click on the SIM (next to the signal strength icon) and select **Properties**. 3. On the Properties page, select **Data roaming options**. + - - + -
    + +## AllowConnectedDevices - -**Connectivity/AllowConnectedDevices** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowConnectedDevices +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Note This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disable (CDP service not available). | +| 1 (Default) | Allow (CDP service available). | + + + + + + + + + +## AllowNFC - - > [!NOTE] -> This policy requires reboot to take effect. +> This policy is deprecated and may be removed in a future release. -This policy allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowNFC +``` + -- 1 (default) - Allow (CDP service available). -- 0 - Disable (CDP service not available). + + +This policy is deprecated. + - - + + + -
    + +**Description framework properties**: - -**Connectivity/AllowPhonePCLinking** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowPhonePCLinking -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowPhonePCLinking +``` + - - -This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC. + + +This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. -If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. +If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. -If you disable this policy setting, the Windows device isn't allowed to be linked to phones, will remove itself from the device list of any linked Phones, and can't participate in 'Continue on PC experiences'. +If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. -If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. + - - -ADMX Info: -- GP name: *enableMMX* -- GP ADMX file name: *grouppolicy.admx* + + + - - -This setting supports a range of values between 0 and 1. + +**Description framework properties**: -- 0 - Don't link -- 1 (default) - Allow phone-PC linking +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -Validation: + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Do not link. | +| 1 (Default) | Allow phone-PC linking. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableMMX | +| Friendly Name | Phone-PC linking on this device | +| Location | Computer Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | EnableMmx | +| ADMX File Name | GroupPolicy.admx | + + + + +**Validate**: If the Connectivity/AllowPhonePCLinking policy is configured to value 0, add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number. Device that has previously opt-in to MMX will also stop showing on the device list. + - - + -
    + +## AllowUSBConnection - -**Connectivity/AllowUSBConnection** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| + + +NoteCurrently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - -> [!NOTE] -> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. + + + -Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy doesn't affect USB charging. + -Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. + +## AllowVPNOverCellular -Most restricted value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular +``` + -- 0 – Not allowed. -- 1 (default) – Allowed. + + +Specifies what type of underlying connections VPN is allowed to use. Most restricted value is 0. + - - + + + -
    + +**Description framework properties**: - -**Connectivity/AllowVPNOverCellular** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | VPN is not allowed over cellular. | +| 1 (Default) | VPN can use any connection, including cellular. | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowVPNRoamingOverCellular -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowVPNRoamingOverCellular +``` + - - -Specifies what type of underlying connections VPN is allowed to use. + + +Prevents the device from connecting to VPN when the device roams over cellular networks. Most restricted value is 0. + -Most restricted value is 0. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – VPN isn't allowed over cellular. -- 1 (default) – VPN can use any connection, including cellular. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**Connectivity/AllowVPNRoamingOverCellular** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DiablePrintingOverHTTP + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DiablePrintingOverHTTP +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy prevents the device from connecting to VPN when the device roams over cellular networks. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**Connectivity/DisablePrintingOverHTTP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether to allow printing over HTTP from this client. -Printing over HTTP allows a client to print to printers on the intranet and the Internet. +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. -Note: This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. -If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP. +If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off printing over HTTP* -- GP name: *DisableHTTPPrinting_2* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** +| Name | Value | +|:--|:--| +| Name | DisableHTTPPrinting | +| Friendly Name | Turn off printing over HTTP | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableHTTPPrinting | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisableDownloadingOfPrintDriversOverHTTP - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableDownloadingOfPrintDriversOverHTTP +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. -Note: This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that aren't already installed locally. +Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. -If you enable this policy setting, print drivers can't be downloaded over HTTP. +If you enable this policy setting, print drivers cannot be downloaded over HTTP. -If you disable or don't configure this policy setting, users can download print drivers over HTTP. +If you disable or do not configure this policy setting, users can download print drivers over HTTP. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off downloading of print drivers over HTTP* -- GP name: *DisableWebPnPDownload_2* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** +| Name | Value | +|:--|:--| +| Name | DisableWebPnPDownload | +| Friendly Name | Turn off downloading of print drivers over HTTP | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPnPDownload | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. -If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed. +If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. -If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards. +If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. -For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards. +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards* -- GP name: *ShellPreventWPWDownload_2* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**Connectivity/DisallowNetworkConnectivityActiveTests** +| Name | Value | +|:--|:--| +| Name | ShellPreventWPWDownload | +| Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWebServices | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisallowNetworkConnectivityActiveTests - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/DisallowNetworkConnectivityActiveTests +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network. -
    +As part of determining the connectivity level, NCSI performs one of two active tests: downloading a page from a dedicated Web server or making a DNS request for a dedicated address. - - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to `` to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to `www.msftconnecttest.com`. +If you enable this policy setting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of other components that use NCSI, to determine Internet access. -Value type is integer. +If you disable or do not configure this policy setting, NCSI runs one of the two active tests. + - - -ADMX Info: -- GP Friendly name: *Turn off Windows Network Connectivity Status Indicator active tests* -- GP name: *NoActiveProbe* -- GP path: *Internet Communication settings* -- GP ADMX file name: *ICM.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Connectivity/HardenedUNCPaths** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Allow | +| 0 (Default) | Block | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: +| Name | Value | +|:--|:--| +| Name | NoActiveProbe | +| Friendly Name | Turn off Windows Network Connectivity Status Indicator active tests | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator | +| Registry Value Name | NoActiveProbe | +| ADMX File Name | ICM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## HardenedUNCPaths -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/HardenedUNCPaths +``` + + + + This policy setting configures secure access to UNC paths. -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling other security requirements. +If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hardened UNC Paths* -- GP name: *Pol_HardenedPaths* -- GP path: *Network/Network Provider* -- GP ADMX file name: *networkprovider.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** +| Name | Value | +|:--|:--| +| Name | Pol_HardenedPaths | +| Friendly Name | Hardened UNC Paths | +| Location | Computer Configuration | +| Path | Network > Network Provider | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths | +| ADMX File Name | NetworkProvider.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## ProhibitInstallationAndConfigurationOfNetworkBridge - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +``` + -> [!div class = "checklist"] -> * Device + + +Determines whether a user can install and configure the Network Bridge. -
    +Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. - - -This policy determines whether a user can install and configure the Network Bridge. +The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. -Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply. +If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. + -The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segments together. This connection appears in the Network Connections folder. + + + -If you disable this setting or don't configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting doesn't remove an existing Network Bridge from the user's computer. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Prohibit installation and configuration of Network Bridge on your DNS domain network* -- GP name: *NC_AllowNetBridge_NLA* -- GP path: *Network/Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NC_AllowNetBridge_NLA | +| Friendly Name | Prohibit installation and configuration of Network Bridge on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AllowNetBridge_NLA | +| ADMX File Name | NetworkConnections.admx | + -
    + + + + + + + - + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 0ae3996e9df2b98f952d1ce6d44691811e827957 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 27 Dec 2022 15:32:09 -0500 Subject: [PATCH 075/152] controlpolicyconflict --- .../mdm/policy-csp-controlpolicyconflict.md | 124 +++++++++--------- 1 file changed, 62 insertions(+), 62 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index e8769b8986..5a99e635e7 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,78 +1,56 @@ --- -title: Policy CSP - ControlPolicyConflict -description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device. +title: ControlPolicyConflict Policy CSP +description: Learn more about the ControlPolicyConflict Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - ControlPolicyConflict + + + + +## MDMWinsOverGP -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -## ControlPolicyConflict policies + +```Device +./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP +``` + - -**ControlPolicyConflict/MDMWinsOverGP** + + +If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. + -> [!NOTE] -> This setting doesn't apply to the following types of group policies: -> -> - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies. -> - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts. -> - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls. -> - If they are in the Windows Update category. - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. + + > [!NOTE] > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. - This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. > [!NOTE] > This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. -The following list shows the supported values: - -- 0 (default) -- 1 - The MDM policy is used and the GP policy is blocked. - The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: @@ -92,17 +70,39 @@ For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**. - - -The following list shows the supported values: + -- 0 (default) -- 1 - The MDM policy is used and the GP policy is blocked. + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | | +| 1 | The MDM policy is used and the GP policy is blocked. | + - + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From bdfaa6e18036a20a1f15b7b245dcfadb91182c19 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 27 Dec 2022 15:52:52 -0500 Subject: [PATCH 076/152] credentialproviders, delegation, ui, cryptography, dataprotection --- .../mdm/policy-csp-credentialproviders.md | 279 +++++++++--------- .../mdm/policy-csp-credentialsdelegation.md | 133 +++++---- .../mdm/policy-csp-credentialsui.md | 215 +++++++------- .../mdm/policy-csp-cryptography.md | 200 ++++++------- .../mdm/policy-csp-dataprotection.md | 182 ++++++------ 5 files changed, 512 insertions(+), 497 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 6b8fff0b9e..f9ca1be96f 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,200 +1,213 @@ --- -title: Policy CSP - CredentialProviders -description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. +title: CredentialProviders Policy CSP +description: Learn more about the CredentialProviders Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - CredentialProviders > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowPINLogon - -## CredentialProviders policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    -
    - CredentialProviders/AllowPINLogon -
    -
    - CredentialProviders/BlockPicturePassword -
    -
    - CredentialProviders/DisableAutomaticReDeploymentCredentials -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialProviders/AllowPINLogon +``` + - -
    - - -**CredentialProviders/AllowPINLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control whether a domain user can sign in using a convenience PIN. If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. -> [!NOTE] -> The user's domain password will be cached in the system vault when using this feature. +Note: The user's domain password will be cached in the system vault when using this feature. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on convenience PIN sign-in* -- GP name: *AllowDomainPINLogon* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**CredentialProviders/BlockPicturePassword** +| Name | Value | +|:--|:--| +| Name | AllowDomainPINLogon | +| Friendly Name | Turn on convenience PIN sign-in | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowDomainPINLogon | +| ADMX File Name | CredentialProviders.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## BlockPicturePassword - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialProviders/BlockPicturePassword +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a domain user can set up and use a picture password. -> [!NOTE] -> The user's domain password will be cached in the system vault when using this feature. +Note that the user's domain password will be cached in the system vault when using this feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off picture password sign-in* -- GP name: *BlockDomainPicturePassword* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**CredentialProviders/DisableAutomaticReDeploymentCredentials** +| Name | Value | +|:--|:--| +| Name | BlockDomainPicturePassword | +| Friendly Name | Turn off picture password sign-in | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | BlockDomainPicturePassword | +| ADMX File Name | CredentialProviders.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DisableAutomaticReDeploymentCredentials - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials +``` + -> [!div class = "checklist"] -> * Device + + +Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. + -
    + + + - - -Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. + +**Description framework properties**: -The Autopilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the Autopilot Reset is triggered the devices are for ready for use by information workers or students. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -The following list shows the supported values: + +**Allowed values**: -0 - Enable the visibility of the credentials for Autopilot Reset -1 - Disable visibility of the credentials for Autopilot Reset +| Value | Description | +|:--|:--| +| 0 | Enable the visibility of the credentials for Autopilot Reset. | +| 1 (Default) | Disable visibility of the credentials for Autopilot Reset. | + - - -
    + + + + + + + - + -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 1a40f20b82..3322179607 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -1,95 +1,100 @@ --- -title: Policy CSP - CredentialsDelegation -description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. +title: CredentialsDelegation Policy CSP +description: Learn more about the CredentialsDelegation Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - CredentialsDelegation > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## RemoteHostAllowsDelegationOfNonExportableCredentials - -## CredentialsDelegation policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    -
    - CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials +``` + + + +Remote host allows delegation of non-exportable credentials -
    - - -**CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Remote host allows delegation of non-exportable credentials. - -When credential delegation is being used, devices provide an exportable version of credentials to the remote host. This version exposes users to the risk of credential theft from attackers on the remote host. +When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. -If you disable or don't configure this policy setting, Restricted Administration and Remote Credential Guard mode aren't supported. User will always need to pass their credentials to the host. +If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remote host allows delegation of non-exportable credentials* -- GP name: *AllowProtectedCreds* -- GP path: *System/Credentials Delegation* -- GP ADMX file name: *CredSsp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | AllowProtectedCreds | +| Friendly Name | Remote host allows delegation of non-exportable credentials | +| Location | Computer Configuration | +| Path | System > Credentials Delegation | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredentialsDelegation | +| Registry Value Name | AllowProtectedCreds | +| ADMX File Name | CredSsp.admx | + - + + + -## Related topics + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index cc614a22ef..ddb6b3206c 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,149 +1,166 @@ --- -title: Policy CSP - CredentialsUI -description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. +title: CredentialsUI Policy CSP +description: Learn more about the CredentialsUI Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - CredentialsUI > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## CredentialsUI policies + +## DisablePasswordReveal -
    -
    - CredentialsUI/DisablePasswordReveal -
    -
    - CredentialsUI/EnumerateAdministrators -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal +``` + - -**CredentialsUI/DisablePasswordReveal** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to configure the display of the password reveal button in password entry user experiences. -If you enable this policy setting, the password reveal button won't be displayed after a user types a password in the password entry text box. +If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. -If you disable or don't configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. +If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. -This policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. +The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display the password reveal button* -- GP name: *DisablePasswordReveal* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**CredentialsUI/EnumerateAdministrators** +| Name | Value | +|:--|:--| +| Name | DisablePasswordReveal | +| Friendly Name | Do not display the password reveal button | +| Location | Computer and User Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows\CredUI | +| Registry Value Name | DisablePasswordReveal | +| ADMX File Name | CredUI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## EnumerateAdministrators - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts aren't displayed when the user attempts to elevate a running application. + + +This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting, users will always be required to type a user name and password to elevate. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enumerate administrator accounts on elevation* -- GP name: *EnumerateAdministrators* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | EnumerateAdministrators | +| Friendly Name | Enumerate administrator accounts on elevation | +| Location | Computer Configuration | +| Path | Windows Components > Credential User Interface | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\CredUI | +| Registry Value Name | EnumerateAdministrators | +| ADMX File Name | CredUI.admx | + - + + + -## Related topics + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 709df7bf13..4fc053a985 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,141 +1,129 @@ --- -title: Policy CSP - Cryptography -description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. +title: Cryptography Policy CSP +description: Learn more about the Cryptography Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Cryptography + + + + +## AllowFipsAlgorithmPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -## Cryptography policies + +```Device +./Device/Vendor/MSFT/Policy/Config/Cryptography/AllowFipsAlgorithmPolicy +``` + -
    -
    - Cryptography/AllowFipsAlgorithmPolicy -
    -
    - Cryptography/TLSCipherSuites -
    -
    + + +Allows or disallows the Federal Information Processing Standard (FIPS) policy. + + + + -
    + +**Description framework properties**: - -**Cryptography/AllowFipsAlgorithmPolicy** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 1 | Allow | +| 0 (Default) | Block | + + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TLSCipherSuites - - -This policy setting allows or disallows the Federal Information Processing Standard (FIPS) policy. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -ADMX Info: -- GP Friendly name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +```Device +./Device/Vendor/MSFT/Policy/Config/Cryptography/TLSCipherSuites +``` + - - -The following list shows the supported values: + + +Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. + -0 (default) – Not allowed. -1– Allowed. - - + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + -
    + + + - -**Cryptography/TLSCipherSuites** + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - - - - - - - - - - - - -
    - - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 5e5484db98..8407ea5f13 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,129 +1,121 @@ --- -title: Policy CSP - DataProtection -description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. +title: DataProtection Policy CSP +description: Learn more about the DataProtection Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DataProtection + + + + +## AllowDirectMemoryAccess -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -## DataProtection policies + +```Device +./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess +``` + -
    -
    - DataProtection/AllowDirectMemoryAccess -
    -
    - DataProtection/LegacySelectiveWipeID -
    -
    + + +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker Device Encryption is enabled. Most restricted value is 0. + + + + -
    + +**Description framework properties**: - -**DataProtection/AllowDirectMemoryAccess** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LegacySelectiveWipeID -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DataProtection/LegacySelectiveWipeID +``` + - - -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. + + +Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe. -Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. +**Note**: This policy is not recommended for use in Windows 10. + -Most restricted value is 0. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed. -- 1 (default) – Allowed. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + + + -
    + - -**DataProtection/LegacySelectiveWipeID** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!IMPORTANT] -> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. - - -Setting used by Windows 8.1 Selective Wipe. - -> [!NOTE] -> This policy is not recommended for use in Windows 10. - - - -
    - - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 2447a37757db6e1a6cc2fc6a8f4aa8e865987644 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 29 Dec 2022 10:22:17 -0500 Subject: [PATCH 077/152] dataprotection datausage defender deliveryoptimization --- .../mdm/policy-csp-datausage.md | 180 +- .../mdm/policy-csp-defender.md | 115 +- .../mdm/policy-csp-deliveryoptimization.md | 2909 +++++++++-------- 3 files changed, 1732 insertions(+), 1472 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index da61efc35d..66ecdcc47e 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -1,112 +1,168 @@ --- -title: Policy CSP - DataUsage -description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. +title: DataUsage Policy CSP +description: Learn more about the DataUsage Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DataUsage > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## DataUsage policies + +## SetCost3G -
    -
    - DataUsage/SetCost3G -
    -
    - DataUsage/SetCost4G -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DataUsage/SetCost3G +``` + -
    + + +This policy setting configures the cost of 3G connections on the local machine. - -**DataUsage/SetCost3G** +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: -
    +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -This policy is deprecated in Windows 10, version 1809. +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - - +- Variable: This connection is costed on a per byte basis. -
    +If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. + - -**DataUsage/SetCost4G** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | SetCost3G | +| Friendly Name | Set 3G Cost | +| Location | Computer Configuration | +| Path | Network > WWAN Service > WWAN Media Cost | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\NetCost | +| ADMX File Name | wwansvc.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## SetCost4G + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DataUsage/SetCost4G +``` + + + + This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + - Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set 4G Cost* -- GP name: *SetCost4G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SetCost4G | +| Friendly Name | Set 4G Cost | +| Location | Computer Configuration | +| Path | Network > WWAN Service > WWAN Media Cost | +| Registry Key Name | Software\Policies\Microsoft\Windows\WwanSvc\NetCost | +| ADMX File Name | wwansvc.admx | + - + + + -## Related topics + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index efc7a8a312..665840ec64 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 12/27/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,6 +36,7 @@ ms.topic: reference + This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. @@ -102,6 +103,7 @@ If you disable this setting, archive files will not be scanned. However, archive + This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. @@ -168,6 +170,7 @@ If you disable this setting, behavior monitoring will be disabled. + This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. @@ -222,7 +225,6 @@ In Windows 10, Basic membership is no longer available, so setting the value to | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > MAPS | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | -| Registry Value Name | SpynetReporting | | ADMX File Name | WindowsDefender.admx | @@ -248,6 +250,7 @@ In Windows 10, Basic membership is no longer available, so setting the value to + This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. If you enable this setting, e-mail scanning will be enabled. @@ -314,6 +317,7 @@ If you disable or do not configure this setting, e-mail scanning will be disable + This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. @@ -380,6 +384,7 @@ If you disable or do not configure this setting, mapped network drives will not + This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. @@ -446,6 +451,7 @@ If you disable or do not configure this setting, removable drives will not be sc + Allows or disallows Windows Defender Intrusion Prevention functionality. @@ -494,6 +500,7 @@ Allows or disallows Windows Defender Intrusion Prevention functionality. + This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. @@ -560,6 +567,7 @@ If you disable this setting, scanning for all downloaded files and attachments w + This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. @@ -626,13 +634,8 @@ If you disable this setting, monitoring for file and program activity will be di -This policy turns off real-time protection in Microsoft Defender Antivirus. - -Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections. - -If you enable this policy setting, real-time protection is turned off. - -If you either disable or do not configure this policy setting, real-time protection is turned on. + +Allows or disallows Windows Defender Realtime Monitoring functionality. @@ -694,6 +697,7 @@ If you either disable or do not configure this policy setting, real-time protect + This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. @@ -760,6 +764,7 @@ If you disable or do not configure this setting, network files will not be scann + Allows or disallows Windows Defender Script Scanning functionality. @@ -808,6 +813,7 @@ Allows or disallows Windows Defender Script Scanning functionality. + This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won't be available to users. @@ -871,6 +877,7 @@ If you enable this setting AM UI won't be available to users. + Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: @@ -913,7 +920,6 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | -| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions | | ADMX File Name | WindowsDefender.admx | @@ -939,6 +945,7 @@ You can configure ASR rules in the Configure Attack Surface Reduction rules GP s + Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: @@ -965,9 +972,9 @@ The following status IDs are permitted under the value column: Example: -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: No ASR rules will be configured. @@ -1002,7 +1009,6 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | -| Registry Value Name | ExploitGuard_ASR_Rules | | ADMX File Name | WindowsDefender.admx | @@ -1028,6 +1034,7 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su + This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. If you enable this setting, CPU utilization will not exceed the percentage specified. @@ -1061,7 +1068,6 @@ If you disable or do not configure this setting, CPU utilization will not exceed | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | AvgCPULoadFactor | | ADMX File Name | WindowsDefender.admx | @@ -1087,6 +1093,7 @@ If you disable or do not configure this setting, CPU utilization will not exceed + This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan. This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan". @@ -1129,7 +1136,6 @@ If you disable this setting or do not configure this setting, the scan will star | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | CheckForSignaturesBeforeRunningScan | | ADMX File Name | WindowsDefender.admx | @@ -1155,7 +1161,10 @@ If you disable this setting or do not configure this setting, the scan will star -This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. NoteThis feature requires the Join Microsoft MAPS setting enabled in order to function. + +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. + +**Note**: This feature requires the Join Microsoft MAPS setting enabled in order to function. @@ -1188,13 +1197,12 @@ This policy setting determines how aggressive Windows Defender Antivirus will be | Name | Value | |:--|:--| -| Name | MpCloudBlockLevel | +| Name | MpEngine_MpCloudBlockLevel | | Friendly Name | Select cloud protection level | | Element Name | Select cloud blocking level | | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > MpEngine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | -| Registry Value Name | MpCloudBlockLevel | | ADMX File Name | WindowsDefender.admx | @@ -1220,7 +1228,10 @@ This policy setting determines how aggressive Windows Defender Antivirus will be -This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. NoteThis feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. + +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. + +**Note**: This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. @@ -1243,13 +1254,12 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up | Name | Value | |:--|:--| -| Name | MpBafsExtendedTimeout | +| Name | MpEngine_MpBafsExtendedTimeout | | Friendly Name | Configure extended cloud check | | Element Name | Specify the extended cloud check time in seconds | | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > MpEngine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | -| Registry Value Name | MpBafsExtendedTimeout | | ADMX File Name | WindowsDefender.admx | @@ -1275,6 +1285,7 @@ This feature allows Windows Defender Antivirus to block a suspicious file for up + Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. @@ -1320,7 +1331,6 @@ Default system folders are automatically guarded, but you can add folders in the | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | -| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | | ADMX File Name | WindowsDefender.admx | @@ -1346,6 +1356,7 @@ Default system folders are automatically guarded, but you can add folders in the + Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or deleted by untrusted applications. @@ -1392,7 +1403,6 @@ Microsoft Defender Antivirus automatically determines which applications can be | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | -| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | | ADMX File Name | WindowsDefender.admx | @@ -1418,6 +1428,7 @@ Microsoft Defender Antivirus automatically determines which applications can be + This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. @@ -1451,7 +1462,6 @@ If you disable or do not configure this setting, items will be kept in the quara | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Quarantine | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | -| Registry Value Name | PurgeItemsAfterDelay | | ADMX File Name | WindowsDefender.admx | @@ -1477,9 +1487,10 @@ If you disable or do not configure this setting, items will be kept in the quara -This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. @@ -1517,7 +1528,6 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | DisableCatchupFullScan | | ADMX File Name | WindowsDefender.admx | @@ -1543,9 +1553,10 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu -This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. + +This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. @@ -1583,7 +1594,6 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | DisableCatchupQuickScan | | ADMX File Name | WindowsDefender.admx | @@ -1609,6 +1619,7 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu + Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to: - Modify or delete files in protected folders, such as the Documents folder - Write to disk sectors @@ -1695,7 +1706,6 @@ Same as Disabled. | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | -| Registry Value Name | EnableControlledFolderAccess | | ADMX File Name | WindowsDefender.admx | @@ -1721,6 +1731,7 @@ Same as Disabled. + This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting, low CPU priority will be used during scheduled scans. @@ -1761,7 +1772,6 @@ If you disable or do not configure this setting, not changes will be made to CPU | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | LowCpuPriority | | ADMX File Name | WindowsDefender.admx | @@ -1787,6 +1797,7 @@ If you disable or do not configure this setting, not changes will be made to CPU + Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: @@ -1835,7 +1846,6 @@ Same as Disabled. | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection | -| Registry Value Name | EnableNetworkProtection | | ADMX File Name | WindowsDefender.admx | @@ -1861,6 +1871,7 @@ Same as Disabled. + Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. @@ -1889,7 +1900,6 @@ Allows an administrator to specify a list of file type extensions to ignore duri | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Exclusions | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | -| Registry Value Name | Exclusions_Extensions | | ADMX File Name | WindowsDefender.admx | @@ -1915,6 +1925,7 @@ Allows an administrator to specify a list of file type extensions to ignore duri + Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. @@ -1943,7 +1954,6 @@ Allows an administrator to specify a list of directory paths to ignore during a | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Exclusions | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | -| Registry Value Name | Exclusions_Paths | | ADMX File Name | WindowsDefender.admx | @@ -1969,7 +1979,10 @@ Allows an administrator to specify a list of directory paths to ignore during a -Allows an administrator to specify a list of files opened by processes to ignore during a scan. ImportantThe process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +**Important**: The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. @@ -1997,7 +2010,6 @@ Allows an administrator to specify a list of files opened by processes to ignore | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Exclusions | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | -| Registry Value Name | Exclusions_Processes | | ADMX File Name | WindowsDefender.admx | @@ -2023,6 +2035,7 @@ Allows an administrator to specify a list of files opened by processes to ignore + Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: @@ -2071,7 +2084,6 @@ Same as Disabled. | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus | | Registry Key Name | Software\Policies\Microsoft\Windows Defender | -| Registry Value Name | PUAProtection | | ADMX File Name | WindowsDefender.admx | @@ -2097,6 +2109,7 @@ Same as Disabled. + This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. @@ -2148,7 +2161,6 @@ If you disable or do not configure this setting, monitoring for incoming and out | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | -| Registry Value Name | RealtimeScanDirection | | ADMX File Name | WindowsDefender.admx | @@ -2174,6 +2186,7 @@ If you disable or do not configure this setting, monitoring for incoming and out + This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2 = Full Scan @@ -2217,7 +2230,6 @@ If you disable or do not configure this setting, the default scan type will used | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | ScanParameters | | ADMX File Name | WindowsDefender.admx | @@ -2243,7 +2255,8 @@ If you disable or do not configure this setting, the default scan type will used -This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. + +This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. If you enable this setting, a daily quick scan will run at the time of day specified. @@ -2276,7 +2289,6 @@ If you disable or do not configure this setting, daily quick scan controlled by | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | ScheduleQuickScanTime | | ADMX File Name | WindowsDefender.admx | @@ -2302,6 +2314,7 @@ If you disable or do not configure this setting, daily quick scan controlled by + This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: @@ -2361,7 +2374,6 @@ If you disable or do not configure this setting, a scheduled scan will run at a | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | ScheduleDay | | ADMX File Name | WindowsDefender.admx | @@ -2387,7 +2399,8 @@ If you disable or do not configure this setting, a scheduled scan will run at a -This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. + +This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. If you enable this setting, a scheduled scan will run at the time of day specified. @@ -2420,7 +2433,6 @@ If you disable or do not configure this setting, a scheduled scan will run at a | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Scan | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | -| Registry Value Name | ScheduleTime | | ADMX File Name | WindowsDefender.admx | @@ -2446,6 +2458,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a + This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configure this setting, security intelligence will be referred from the default local source. @@ -2500,6 +2513,7 @@ If you disable or do not configure this setting, security intelligence will be r + This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares” For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } @@ -2559,6 +2573,7 @@ If you disable or do not configure this setting, security intelligence update so + This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. @@ -2616,6 +2631,7 @@ If you disable or do not configure this setting, the list will remain empty by d + This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you enable this setting, checks for security intelligence updates will occur at the interval specified. @@ -2649,7 +2665,6 @@ If you disable or do not configure this setting, checks for security intelligenc | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | -| Registry Value Name | SignatureUpdateInterval | | ADMX File Name | WindowsDefender.admx | @@ -2675,6 +2690,7 @@ If you disable or do not configure this setting, checks for security intelligenc + This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set. Possible options are: @@ -2720,7 +2736,6 @@ Possible options are: | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > MAPS | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | -| Registry Value Name | SubmitSamplesConsent | | ADMX File Name | WindowsDefender.admx | @@ -2746,7 +2761,8 @@ Possible options are: -Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:1 – Clean. Service tries to recover files and try to disinfect. 2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution. + +Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution. @@ -2773,7 +2789,6 @@ Allows an administrator to specify any valid threat severity levels and the corr | Location | Computer Configuration | | Path | Windows Components > Microsoft Defender Antivirus > Threats | | Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats | -| Registry Value Name | Threats_ThreatSeverityDefaultAction | | ADMX File Name | WindowsDefender.admx | diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 95f4178efd..82f614f2ec 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,1595 +1,1784 @@ --- -title: Policy CSP - DeliveryOptimization -description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. +title: DeliveryOptimization Policy CSP +description: Learn more about the DeliveryOptimization Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/27/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 06/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeliveryOptimization ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## DeliveryOptimization policies + +## DOAbsoluteMaxCacheSize -
    -
    - DeliveryOptimization/DOAbsoluteMaxCacheSize -
    -
    - DeliveryOptimization/DOAllowVPNPeerCaching -
    -
    - DeliveryOptimization/DOCacheHost -
    -
    - DeliveryOptimization/DOCacheHostSource -
    -
    - DeliveryOptimization/DODelayBackgroundDownloadFromHttp -
    -
    - DeliveryOptimization/DODelayCacheServerFallbackBackground -
    -
    - DeliveryOptimization/DODelayCacheServerFallbackForeground -
    -
    - DeliveryOptimization/DODelayForegroundDownloadFromHttp -
    -
    - DeliveryOptimization/DODownloadMode -
    -
    - DeliveryOptimization/DOGroupId -
    -
    - DeliveryOptimization/DOGroupIdSource -
    -
    - DeliveryOptimization/DOMaxBackgroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxCacheAge -
    -
    - DeliveryOptimization/DOMaxCacheSize -
    -
    - DeliveryOptimization/DOMaxDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxForegroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOMaxUploadBandwidth -
    -
    - DeliveryOptimization/DOMinBackgroundQos -
    -
    - DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload -
    -
    - DeliveryOptimization/DOMinDiskSizeAllowedToPeer -
    -
    - DeliveryOptimization/DOMinFileSizeToCache -
    -
    - DeliveryOptimization/DOMinRAMAllowedToPeer -
    -
    - DeliveryOptimization/DOModifyCacheDrive -
    -
    - DeliveryOptimization/DOMonthlyUploadDataCap -
    -
    - DeliveryOptimization/DOPercentageMaxBackgroundBandwidth -
    -
    - DeliveryOptimization/DOPercentageMaxDownloadBandwidth -
    -
    - DeliveryOptimization/DOPercentageMaxForegroundBandwidth -
    -
    - DeliveryOptimization/DORestrictPeerSelectionBy -
    -
    - DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth -
    -
    - DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOAbsoluteMaxCacheSize +``` + -
    + + +Specifies the maximum size in GB of Delivery Optimization cache. - -**DeliveryOptimization/DOAbsoluteMaxCacheSize** +This policy overrides the DOMaxCacheSize policy. - +The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Group policy mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | AbsoluteMaxCacheSize | +| Friendly Name | Absolute Max Cache Size (in GB) | +| Element Name | Absolute Max Cache Size (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + + +## DOAllowVPNPeerCaching -Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -The default value is 10. + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOAllowVPNPeerCaching +``` + - - -ADMX Info: -- GP Friendly name: *Absolute Max Cache Size (in GB)* -- GP name: *AbsoluteMaxCacheSize* -- GP element: *AbsoluteMaxCacheSize* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + +Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. - - +This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + -
    + + + - -**DeliveryOptimization/DOAllowVPNPeerCaching** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | AllowVPNPeerCaching | +| Friendly Name | Enable Peer Caching while the device connects via VPN | +| Element Name | Enable Peer Caching while the device connects via VPN | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + +## DOCacheHost + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This policy means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost +``` + - - -ADMX Info: -- GP Friendly name: *Enable Peer Caching while the device connects via VPN* -- GP name: *AllowVPNPeerCaching* -- GP element: *AllowVPNPeerCaching* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -The following list shows the supported values: - -- 0 (default) - Not allowed. -- 1 - Allowed. - - - - -
    - - -**DeliveryOptimization/DOCacheHost** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy allows you to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. + + +This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CacheHost | +| Friendly Name | Cache Server Hostname | +| Element Name | Cache Server | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + - - -ADMX Info: -- GP Friendly name: *Cache Server Hostname* -- GP name: *CacheHost* -- GP element: *CacheHost* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - - - - - - - - - - -
    - - -**DeliveryOptimization/DOCacheHostSource** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy allows you to configure one or more Delivery Optimizations in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. - - - -ADMX Info: -- GP Friendly name: *Cache Server Hostname Source* -- GP name: *CacheHostSource* -- GP element: *CacheHostSource* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -The following are the supported values: -- 1 = DHCP Option ID. -- 2 = DHCP Option ID Force. - -When DHCP Option ID (1) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value. This policy will be overridden when the [Cache Server Hostname](#deliveryoptimization-docachehost) policy has been set. - -When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value, and will override the Cache Server Hostname policy if it has been set. - -> [!Note] -> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#deliveryoptimization-docachehost) policy value if that value has been set. - - - - - - - - - - -
    - - -**DeliveryOptimization/DODelayBackgroundDownloadFromHttp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. - -After the max delay is reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from peers. A download that is waiting for peer sources will appear to be stuck for the end user. The recommended value is 1 hour (3600). - - - -ADMX Info: -- GP Friendly name: *Delay background download from http (in secs)* -- GP name: *DelayBackgroundDownloadFromHttp* -- GP element: *DelayBackgroundDownloadFromHttp* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DODelayCacheServerFallbackBackground** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. - -> [!NOTE] -> The [DODelayBackgroundDownloadFromHttp](#deliveryoptimization-dodelaybackgrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first. - - - -ADMX Info: -- GP Friendly name: *Delay Background download Cache Server fallback (in seconds)* -- GP name: *DelayCacheServerFallbackBackground* -- GP element: *DelayCacheServerFallbackBackground* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -This policy is specified in seconds. -Supported values: 0 - one month (in seconds) - - - - - - - - - -
    - - -**DeliveryOptimization/DODelayCacheServerFallbackForeground** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. - -> [!NOTE] -> The [DODelayForegroundDownloadFromHttp](#deliveryoptimization-dodelayforegrounddownloadfromhttp) policy takes precedence over this policy to allow downloads from peers first. - - - -ADMX Info: -- GP Friendly name: *Delay Foreground download Cache Server fallback (in seconds)* -- GP name: *DelayCacheServerFallbackForeground* -- GP element: *DelayCacheServerFallbackForeground* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - -This policy is specified in seconds. -Supported values: 0 - one month (in seconds) - - - - - - - -
    - - -**DeliveryOptimization/DODelayForegroundDownloadFromHttp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. - -After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers. - -A download that is waiting for peer sources, will appear to be stuck for the end user. + + + +## DOCacheHostSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHostSource +``` + + + + +This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically. + +Options available are: + +0 = Disable DNS-SD. + +1 = DHCP Option 235. + +2 = DHCP Option 235 Force. + +If this policy is not configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client will not use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CacheHostSource | +| Friendly Name | Cache Server Hostname Source | +| Element Name | Cache Server Hostname Source | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayBackgroundDownloadFromHttp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayBackgroundDownloadFromHttp +``` + + + + +This policy allows you to delay the use of an HTTP source in a background download that is allowed to use P2P. + +After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. + +Note that a download that is waiting for peer sources, will appear to be stuck for the end user. + +The recommended value is 1 hour (3600). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DelayBackgroundDownloadFromHttp | +| Friendly Name | Delay background download from http (in secs) | +| Element Name | Delay background download from http (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayCacheServerFallbackBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayCacheServerFallbackBackground +``` + + + + +Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds. + +Note: if you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2592000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DelayCacheServerFallbackBackground | +| Friendly Name | Delay Background download Cache Server fallback (in seconds) | +| Element Name | Delay Background download Cache Server fallback (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayCacheServerFallbackForeground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayCacheServerFallbackForeground +``` + + + + +Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds. + +Note: if you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-2592000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DelayCacheServerFallbackForeground | +| Friendly Name | Delay Foreground download Cache Server fallback (in seconds) | +| Element Name | Delay Foreground download Cache Server fallback (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DODelayForegroundDownloadFromHttp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayForegroundDownloadFromHttp +``` + + + + +This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P. + +After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. + +Note that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 minute (60). + - - -ADMX Info: -- GP Friendly name: *Delay Foreground download from http (in secs)* -- GP name: *DelayForegroundDownloadFromHttp* -- GP element: *DelayForegroundDownloadFromHttp* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + + - - -The following list shows the supported values as number of seconds: + +**Description framework properties**: -- 0 to 86400 (1 day) -- 0 - managed by the cloud service -- Default isn't configured. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | DelayForegroundDownloadFromHttp | +| Friendly Name | Delay Foreground download from http (in secs) | +| Element Name | Delay Foreground download from http (in secs) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -**DeliveryOptimization/DODownloadMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DODisallowCacheServerDownloadsOnVPN + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODisallowCacheServerDownloadsOnVPN +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + +**Allowed values**: +| Value | Description | +|:--|:--| +| 0 (Default) | Allowed | +| 1 | Not allowed | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowCacheHostWithVPN | +| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat | +| Element Name | DisallowCacheServerDownloadsOnVPN | + + + + + + + + + +## DODownloadMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode +``` + + + + Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. - - -ADMX Info: -- GP Friendly name: *Download Mode* -- GP name: *DownloadMode* -- GP element: *DownloadMode* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - The following list shows the supported values: -- 0 – HTTP only, no peering. -- 1 (default) – HTTP blended with peering behind the same NAT. -- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. -- 3 – HTTP blended with Internet peering. -- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Don't use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. This value is deprecated and will be removed in a future release. - - +0 = HTTP only, no peering. -
    +1 = HTTP blended with peering behind the same NAT. - -**DeliveryOptimization/DOGroupId** +2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - +3 = HTTP blended with Internet Peering. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. +100 = Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. +| Value | Description | +|:--|:--| +| 0 (Default) | HTTP only, no peering. | +| 1 | HTTP blended with peering behind the same NAT. | +| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. | +| 3 | HTTP blended with Internet peering. | +| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. | +| 100 | Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. | + + +**Group policy mapping**: -This policy specifies an arbitrary group ID that the device belongs to. Use this ID if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN. This approach is a best effort optimization and shouldn't be relied on for an authentication of identity. +| Name | Value | +|:--|:--| +| Name | DownloadMode | +| Friendly Name | Download Mode | +| Element Name | Download Mode | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -> [!NOTE] -> You must use a GUID as the group ID. + + + - - -ADMX Info: -- GP Friendly name: *Group ID* -- GP name: *GroupId* -- GP element: *GroupId* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + - - + +## DOGroupId -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -**DeliveryOptimization/DOGroupIdSource** + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupId +``` + - + + +Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. +Note: this is a best effort optimization and should not be relied on for an authentication of identity. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +**Group policy mapping**: - - -Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory. +| Name | Value | +|:--|:--| +| Name | GroupId | +| Friendly Name | Group ID | +| Element Name | Group ID | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The default behavior, when neither the GroupID or GroupIDSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. + + + + + + + +## DOGroupIdSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupIdSource +``` + + + + +Set this policy to restrict peer selection to a specific source. + +Options available are: + +1 = AD Site. + +2 = Authenticated domain SID. + +3 = DHCP Option ID. + +4 = DNS Suffix. + +5 = AAD Tenant ID. + +When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. + +The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. + -Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this task, set the value of DOGroupIdSource to 5. + + + - - -ADMX Info: -- GP Friendly name: *Select the source of Group IDs* -- GP name: *GroupIdSource* -- GP element: *GroupIdSource* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 1 - Active Directory site -- 2 - Authenticated domain SID -- 3 - DHCP user option -- 4 - DNS suffix -- 5 - Azure Active Directory + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Unset | +| 1 | AD site | +| 2 | Authenticated domain SID | +| 3 | DHCP user option | +| 4 | DNS suffix | +| 5 | AAD | + -
    + +**Group policy mapping**: - -**DeliveryOptimization/DOMaxBackgroundDownloadBandwidth** +| Name | Value | +|:--|:--| +| Name | GroupIdSource | +| Friendly Name | Select the source of Group IDs | +| Element Name | Source of Group IDs | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DOMaxBackgroundDownloadBandwidth - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxBackgroundDownloadBandwidth +``` + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + + +Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + - - -ADMX Info: -- GP Friendly name: *Maximum Background Download Bandwidth (in KB/s)* -- GP name: *MaxBackgroundDownloadBandwidth* -- GP element: *MaxBackgroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - -**DeliveryOptimization/DOMaxCacheAge** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxBackgroundDownloadBandwidth | +| Friendly Name | Maximum Background Download Bandwidth (in KB/s) | +| Element Name | Maximum Background Download Bandwidth (in KB/s) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DOMaxCacheAge -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxCacheAge +``` + - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. + + +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. +The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. + -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. + + + -The default value is 259200 seconds (three days). + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Max Cache Age (in seconds)* -- GP name: *MaxCacheAge* -- GP element: *MaxCacheAge* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | MaxCacheAge | +| Friendly Name | Max Cache Age (in seconds) | +| Element Name | Max Cache Age (in seconds) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - -**DeliveryOptimization/DOMaxCacheSize** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DOMaxCacheSize + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxCacheSize +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size (1-100). + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100]` | +| Default Value | 0 | + + +**Group policy mapping**: -Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). +| Name | Value | +|:--|:--| +| Name | MaxCacheSize | +| Friendly Name | Max Cache Size (percentage) | +| Element Name | Max Cache Size (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -The default value is 20. + + + - - -ADMX Info: -- GP Friendly name: *Max Cache Size (percentage)* -- GP name: *MaxCacheSize* -- GP element: *MaxCacheSize* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + - - + +## DOMaxForegroundDownloadBandwidth -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - -**DeliveryOptimization/DOMaxDownloadBandwidth** + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMaxForegroundDownloadBandwidth +``` + - - - - -
    - - -
    - - - -This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptimization-domaxforegrounddownloadbandwidth) and [DOMaxBackgroundDownloadBandwidth](#deliveryoptimization-domaxbackgrounddownloadbandwidth) policies instead. - - - - - - -
    - - -**DeliveryOptimization/DOMaxForegroundDownloadBandwidth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + + +Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - -ADMX Info: -- GP Friendly name: *Maximum Foreground Download Bandwidth (in KB/s)* -- GP name: *MaxForegroundDownloadBandwidth* -- GP element: *MaxForegroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMaxUploadBandwidth** - - - - - - - - -This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which isn't used in commercial deployments. There's no alternate policy to use. - - - - - - -
    - - -**DeliveryOptimization/DOMinBackgroundQos** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. - - -Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. - -The default value is 500. - - - -ADMX Info: -- GP Friendly name: *Minimum Background QoS (in KB/s)* -- GP name: *MinBackgroundQos* -- GP element: *MinBackgroundQos* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - -Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. - -The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - -ADMX Info: -- GP Friendly name: *Allow uploads while the device is on battery while under set Battery level (percentage)* -- GP name: *MinBatteryPercentageAllowedToUpload* -- GP element: *MinBatteryPercentageAllowedToUpload* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - - -Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. - -> [!NOTE] -> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. - -The default value is 32 GB. - - - -ADMX Info: -- GP Friendly name: *Minimum disk size allowed to use Peer Caching (in GB)* -- GP name: *MinDiskSizeAllowedToPeer* -- GP element: *MinDiskSizeAllowedToPeer* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinFileSizeToCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - - -Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. - -The default value is 100 MB. - - - -ADMX Info: -- GP Friendly name: *Minimum Peer Caching Content File Size (in MB)* -- GP name: *MinFileSizeToCache* -- GP element: *MinFileSizeToCache* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMinRAMAllowedToPeer** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions. - - -Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. - -The default value is 4 GB. - - - -ADMX Info: -- GP Friendly name: *Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)* -- GP name: *MinRAMAllowedToPeer* -- GP element: *MinRAMAllowedToPeer* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOModifyCacheDrive** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. - - -Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. - -By default, %SystemDrive% is used to store the cache. - - - -ADMX Info: -- GP Friendly name: *Modify Cache Drive* -- GP name: *ModifyCacheDrive* -- GP element: *ModifyCacheDrive* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* - - - - -
    - - -**DeliveryOptimization/DOMonthlyUploadDataCap** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions. - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MaxForegroundDownloadBandwidth | +| Friendly Name | Maximum Foreground Download Bandwidth (in KB/s) | +| Element Name | Maximum Foreground Download Bandwidth (in KB/s) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinBackgroundQos + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinBackgroundQos +``` + + + + +Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloBytes/second. + +This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from HTTP source to achieve the specified minimum QoS value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-4294967295]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinBackgroundQos | +| Friendly Name | Minimum Background QoS (in KB/s) | +| Element Name | Minimum Background QoS (in KB/s) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinBatteryPercentageAllowedToUpload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +``` + + + + +Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). + +The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy. + +The value 0 means "not-limited"; The cloud service set default value will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinBatteryPercentageAllowedToUpload | +| Friendly Name | Allow uploads while the device is on battery while under set Battery level (percentage) | +| Element Name | Minimum battery level (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinDiskSizeAllowedToPeer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinDiskSizeAllowedToPeer +``` + + + + +Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used. + +Recommended values: 64 GB to 256 GB. + +Note: If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinDiskSizeAllowedToPeer | +| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) | +| Element Name | Minimum disk size allowed to use Peer Caching (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinFileSizeToCache + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinFileSizeToCache +``` + + + + +Specifies the minimum content file size in MB enabled to use Peer Caching. + +Recommended values: 1 MB to 100000 MB. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinFileSizeToCache | +| Friendly Name | Minimum Peer Caching Content File Size (in MB) | +| Element Name | Minimum Peer Caching Content File Size (in MB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMinRAMAllowedToPeer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinRAMAllowedToPeer +``` + + + + +Specifies the minimum RAM size in GB required to use Peer Caching. + +For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. + +Recommended values: 1 GB to 4 GB. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-100000]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | MinRAMAllowedToPeer | +| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | +| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOModifyCacheDrive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOModifyCacheDrive +``` + + + + +Specifies the drive Delivery Optimization shall use for its cache. + +By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ModifyCacheDrive | +| Friendly Name | Modify Cache Drive | +| Element Name | Modify Cache Drive | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOMonthlyUploadDataCap + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMonthlyUploadDataCap +``` + + + + Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. + -The default value is 20. + + + - - -ADMX Info: -- GP Friendly name: *Monthly Upload Data Cap (in GB)* -- GP name: *MonthlyUploadDataCap* -- GP element: *MonthlyUploadDataCap* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - -**DeliveryOptimization/DOPercentageMaxBackgroundBandwidth** +| Name | Value | +|:--|:--| +| Name | MonthlyUploadDataCap | +| Friendly Name | Monthly Upload Data Cap (in GB) | +| Element Name | Monthly Upload Data Cap (in GB) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## DOPercentageMaxBackgroundBandwidth - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxBackgroundBandwidth +``` + -> [!div class = "checklist"] -> * Device + + +Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. -
    +The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. + - - -Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. + + Downloads from LAN peers won't be throttled even when this policy is set. + - - -ADMX Info: -- GP Friendly name: *Maximum Background Download Bandwidth (percentage)* -- GP name: *PercentageMaxBackgroundBandwidth* -- GP element: *PercentageMaxBackgroundBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + -
    + +**Group policy mapping**: - -**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** +| Name | Value | +|:--|:--| +| Name | PercentageMaxBackgroundBandwidth | +| Friendly Name | Maximum Background Download Bandwidth (percentage) | +| Element Name | Maximum Background Download Bandwidth (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + -
    + + + - -This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryoptimization-dopercentagemaxforegroundbandwidth) and [DOPercentageMaxBackgroundBandwidth](#deliveryoptimization-dopercentagemaxbackgroundbandwidth) policies instead. + - - + +## DOPercentageMaxForegroundBandwidth -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -**DeliveryOptimization/DOPercentageMaxForegroundBandwidth** + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxForegroundBandwidth +``` + - + + +Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-100]` | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PercentageMaxForegroundBandwidth | +| Friendly Name | Maximum Foreground Download Bandwidth (percentage) | +| Element Name | Maximum Foreground Download Bandwidth (Percentage) | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + - - -Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. + + + -Downloads from LAN peers won't be throttled even when this policy is set. + - - -ADMX Info: -- GP Friendly name: *Maximum Foreground Download Bandwidth (percentage)* -- GP name: *PercentageMaxForegroundBandwidth* -- GP element: *PercentageMaxForegroundBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* + +## DORestrictPeerSelectionBy - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DORestrictPeerSelectionBy +``` + - -**DeliveryOptimization/DORestrictPeerSelectionBy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Set this policy to restrict peer selection via selected option. -In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery". -If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). +Options available are: +0 = NAT. +1 = Subnet mask. +2 = Local discovery (DNS-SD). -The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. +The default value has changed from 0 (no restriction) to 1 (restrict to the subnet). - - -ADMX Info: -- GP Friendly name: *Select a method to restrict Peer Selection* -- GP name: *RestrictPeerSelectionBy* -- GP element: *RestrictPeerSelectionBy* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +These options apply to both Download Mode LAN (1) and Group (2). + - - -The following list shows the supported values: + + + -- 0 - NAT -- 1 - Subnet mask -- 2 - Local Peer Discovery + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - -**DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth** +| Value | Description | +|:--|:--| +| 0 (Default) | None. | +| 1 | Subnet mask. | +| 2 | Local peer discovery (DNS-SD). | + - + +**Group policy mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RestrictPeerSelectionBy | +| Friendly Name | Select a method to restrict Peer Selection | +| Element Name | Restrict Peer Selection By | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DOSetHoursToLimitBackgroundDownloadBandwidth -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth +``` + - - + + Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Business Hours to Limit Background Download Bandwidth* -- GP name: *SetHoursToLimitBackgroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SetHoursToLimitBackgroundDownloadBandwidth | +| Friendly Name | Set Business Hours to Limit Background Download Bandwidth | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + + + + + + +## DOSetHoursToLimitForegroundDownloadBandwidth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth +``` + + + + +Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + + + + This policy allows an IT Admin to define the following details: - Business hours range (for example 06:00 to 18:00) - % of throttle for background traffic during business hours - % of throttle for background traffic outside of business hours + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | SetHoursToLimitForegroundDownloadBandwidth | +| Friendly Name | Set Business Hours to Limit Foreground Download Bandwidth | +| Location | Computer Configuration | +| Path | Windows Components > Delivery Optimization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization | +| ADMX File Name | DeliveryOptimization.admx | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DOVpnKeywords -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/DOVpnKeywords +``` + - - -Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + + +This policy allows you to set one or more keywords used to recognize VPN connections. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Business Hours to Limit Foreground Download Bandwidth* -- GP name: *SetHoursToLimitForegroundDownloadBandwidth* -- GP path: *Windows Components/Delivery Optimization* -- GP ADMX file name: *DeliveryOptimization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `,`) | + - - -This policy allows an IT Admin to define the following details: + +**Group policy mapping**: -- Business hours range (for example 06:00 to 18:00) -- % of throttle for foreground traffic during business hours -- % of throttle for foreground traffic outside of business hours +| Name | Value | +|:--|:--| +| Name | VpnKeywords | +| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat | +| Element Name | VpnKeywords | + - - -
    + + + + - + + + -## Related topics + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) - From 03f55e0b8e193c4877d7ca64587da45c0877d540 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 29 Dec 2022 12:01:25 -0500 Subject: [PATCH 078/152] desktop desktopa;;installer deviceguard devicehealthmonitoring deviceinstallation --- .../mdm/policy-csp-desktop.md | 130 +- .../mdm/policy-csp-desktopappinstaller.md | 1097 +++++++++-------- .../mdm/policy-csp-deviceguard.md | 496 +++++--- .../mdm/policy-csp-devicehealthmonitoring.md | 289 ++--- .../mdm/policy-csp-deviceinstallation.md | 980 ++++++++------- 5 files changed, 1603 insertions(+), 1389 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 1cd8888461..cea4653f7b 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,92 +1,98 @@ --- -title: Policy CSP - Desktop -description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. +title: Desktop Policy CSP +description: Learn more about the Desktop Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Desktop > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## Desktop policies + +## PreventUserRedirectionOfProfileFolders -
    -
    - Desktop/PreventUserRedirectionOfProfileFolders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/Desktop/PreventUserRedirectionOfProfileFolders +``` + -
    - - -**Desktop/PreventUserRedirectionOfProfileFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from changing the path to their profile folders. + + +Prevents users from changing the path to their profile folders. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. If you enable this setting, users are unable to type a new location in the Target box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit User from manually redirecting Profile Folders* -- GP name: *DisablePersonalDirChange* -- GP path: *Desktop* -- GP ADMX file name: *desktop.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DisablePersonalDirChange | +| Friendly Name | Prohibit User from manually redirecting Profile Folders | +| Location | User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisablePersonalDirChange | +| ADMX File Name | Desktop.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index f6f865422e..bb9af56415 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md @@ -1,595 +1,708 @@ --- -title: Policy CSP - DesktopAppInstaller -description: Learn about the Policy CSP - DesktopAppInstaller. -ms.author: v-aljupudi +title: DesktopAppInstaller Policy CSP +description: Learn more about the DesktopAppInstaller Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 12/29/2022 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: alekyaj -ms.date: 08/24/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DesktopAppInstaller ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## EnableAdditionalSources - -## DesktopAppInstaller policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    -
    - DesktopAppInstaller/EnableAdditionalSources -
    -
    - DesktopAppInstaller/EnableAppInstaller -
    -
    - DesktopAppInstaller/EnableDefaultSource -
    -
    - DesktopAppInstaller/EnableLocalManifestFiles -
    -
    - DesktopAppInstaller/EnableHashOverride -
    -
    - DesktopAppInstaller/EnableMicrosoftStoreSource -
    -
    - DesktopAppInstaller/EnableMSAppInstallerProtocol -
    -
    - DesktopAppInstaller/EnableSettings -
    -
    - DesktopAppInstaller/EnableAllowedSources -
    -
    - DesktopAppInstaller/EnableExperimentalFeatures -
    -
    - DesktopAppInstaller/SourceAutoUpdateInterval -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources +``` + + + +This policy controls additional sources provided by the enterprise IT administrator. -
    +If you do not configure this policy, no additional sources will be configured for the Windows Package Manager. - -**DesktopAppInstaller/EnableAdditionalSources** +If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using 'winget source export'. - +If you disable this policy, no additional sources can be configured for the Windows Package Manager. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - -This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/). +| Name | Value | +|:--|:--| +| Name | EnableAdditionalSources | +| Friendly Name | Enable App Installer Additional Sources | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableAdditionalSources | +| ADMX File Name | DesktopAppInstaller.admx | + -If you don't configure this setting, no additional sources will be configured for Windows Package Manager. + + + -If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/). + -If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. + +## EnableAllowedSources - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -ADMX Info: -- GP Friendly name: *Enable Additional Windows Package Manager Sources* -- GP name: *EnableAdditionalSources* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources +``` + - - + + +This policy controls additional sources allowed by the enterprise IT administrator. -
    +If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. +If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using 'winget source export'. - -**DesktopAppInstaller/EnableAppInstaller** +If you disable this policy, no additional sources can be configured for the Windows Package Manager. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | EnableAllowedSources | +| Friendly Name | Enable App Installer Allowed Sources | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableAllowedSources | +| ADMX File Name | DesktopAppInstaller.admx | + - - -This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy. + + + -- If you enable or don't configure this setting, users will be able to use the Windows Package Manager. -- If you disable this setting, users won't be able to use the Windows Package Manager. + - + +## EnableAppInstaller - -ADMX Info: -- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users* -- GP name: *EnableAppInstaller* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller +``` + -
    + + +This policy controls whether the Windows Package Manager can be used by users. - -**DesktopAppInstaller/EnableDefaultSource** +If you enable or do not configure this setting, users will be able to use the Windows Package Manager. - +If you disable this setting, users will not be able to use the Windows Package Manager. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | EnableAppInstaller | +| Friendly Name | Enable App Installer | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableAppInstaller | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + +## EnableDefaultSource + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource +``` + + + + This policy controls the default source included with the Windows Package Manager. -If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed. -- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed. -- If you disable this setting the default source for the Windows Package Manager won't be available. - +If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed. - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Default Source* -- GP name: *EnableDefaultSource* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* +If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed. - - +If you disable this setting the default source for the Windows Package Manager will not be available. + -
    + + + - -**DesktopAppInstaller/EnableLocalManifestFiles** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | EnableDefaultSource | +| Friendly Name | Enable App Installer Default Source | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableDefaultSource | +| ADMX File Name | DesktopAppInstaller.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableExperimentalFeatures + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures +``` + + + + +This policy controls whether users can enable experimental features in the Windows Package Manager. + +If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. + +If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager. + + + + +Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableExperimentalFeatures | +| Friendly Name | Enable App Installer Experimental Features | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableExperimentalFeatures | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableHashOverride + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride +``` + + + + +This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. + +If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. + +If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableHashOverride | +| Friendly Name | Enable App Installer Hash Override | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableHashOverride | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableLocalManifestFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles +``` + + + + This policy controls whether users can install packages with local manifest files. -- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. -- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager. +If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. - +If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager. + - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Local Manifest Files* -- GP name: *EnableLocalManifestFiles* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**DesktopAppInstaller/EnableHashOverride** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableLocalManifestFiles | +| Friendly Name | Enable App Installer Local Manifest Files | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableLocalManifestFiles | +| ADMX File Name | DesktopAppInstaller.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## EnableMicrosoftStoreSource -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - - - -This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest. - -- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings. - -- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings. - - - - -ADMX Info: -- GP Friendly name: *Enable App Installer Hash Override* -- GP name: *EnableHashOverride* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/EnableMicrosoftStoreSource** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource +``` + + + This policy controls the Microsoft Store source included with the Windows Package Manager. -If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. -- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed. -- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available. - +If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source* -- GP name: *EnableMicrosoftStoreSource* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* +If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed. - - +If you disable this setting the Microsoft Store source for the Windows Package Manager will not be available. + -
    + + + + + +**Description framework properties**: - -**DesktopAppInstaller/EnableMSAppInstallerProtocol** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableMicrosoftStoreSource | +| Friendly Name | Enable App Installer Microsoft Store Source | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableMicrosoftStoreSource | +| ADMX File Name | DesktopAppInstaller.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + +## EnableMSAppInstallerProtocol -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol +``` + + + + +This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. + +If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. + +If you disable this setting, users will not be able to install packages from websites that use this protocol. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableMSAppInstallerProtocol | +| Friendly Name | Enable App Installer ms-appinstaller protocol | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableMSAppInstallerProtocol | +| ADMX File Name | DesktopAppInstaller.admx | + + + + + + + + + +## EnableSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings +``` + + + + +This policy controls whether users can change their settings. + +If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. + +If you disable this setting, users will not be able to change settings for the Windows Package Manager. + + + + +The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableSettings | +| Friendly Name | Enable App Installer Settings | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| Registry Value Name | EnableSettings | +| ADMX File Name | DesktopAppInstaller.admx | + -
    + + + - - + + + +## SourceAutoUpdateInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/SourceAutoUpdateInterval +``` + + + + +This policy controls the auto update interval for package-based sources. + +If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager. + +If you enable this setting, the number of minutes specified will be used by the Windows Package Manager. + + + + + + + +**Description framework properties**: -This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SourceAutoUpdateInterval | +| Friendly Name | Set App Installer Source Auto Update Interval In Minutes | +| Location | Computer Configuration | +| Path | Windows Components > Desktop App Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller | +| ADMX File Name | DesktopAppInstaller.admx | + -- If you disable this setting, users will not be able to install packages from websites that use this protocol. + + + - + - -ADMX Info: -- GP Friendly name: *Enable MS App Installer Protocol* -- GP name: *EnableMSAppInstallerProtocol* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* + + + - - + + +## Related articles -
    - - -**DesktopAppInstaller/EnableSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy. - -- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager. -- If you disable this setting, users will not be able to change settings for Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Settings Command* -- GP name: *EnableSettings* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/EnableAllowedSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy. - -- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export. -- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Settings Command* -- GP name: *EnableAllowedSources* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/EnableExperimentalFeatures** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior. - -- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager. - -- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Enable Windows Package Manager Experimental Features* -- GP name: *EnableExperimentalFeatures* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - -**DesktopAppInstaller/SourceAutoUpdateInterval** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. - -- If you enable this setting, the number of minutes specified will be used by Windows Package Manager. - -- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager. - - - - -ADMX Info: -- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes* -- GP name: *SourceAutoUpdateInterval* -- GP path: *Administrative Templates\Windows Components\App Package Deployment* -- GP ADMX file name: *AppxPackageManager.admx* - - - - -
    - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index c7f637d5a7..d4a0eaf1df 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,259 +1,351 @@ --- -title: Policy CSP - DeviceGuard -description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. +title: DeviceGuard Policy CSP +description: Learn more about the DeviceGuard Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeviceGuard + + + -
    + +## ConfigureSystemGuardLaunch - -## DeviceGuard policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    -
    - DeviceGuard/ConfigureSystemGuardLaunch -
    -
    - DeviceGuard/EnableVirtualizationBasedSecurity -
    -
    - DeviceGuard/LsaCfgFlags -
    -
    - DeviceGuard/RequirePlatformSecurityFeatures -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch +``` + + + +Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. + -
    - - -**DeviceGuard/ConfigureSystemGuardLaunch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows the IT admin to configure the launch of System Guard. - -Secure Launch configuration: - -- 0 - Unmanaged, configurable by Administrative user -- 1 - Enables Secure Launch if supported by hardware -- 2 - Disables Secure Launch. - + + For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). + - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP element: *SystemGuardDrop* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 (Default) | Unmanaged Configurable by Administrative user | +| 1 | Unmanaged Enables Secure Launch if supported by hardware | +| 2 | Unmanaged Disables Secure Launch | + - - + +**Group policy mapping**: -
    +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Secure Launch Configuration | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + - -**DeviceGuard/EnableVirtualizationBasedSecurity** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableVirtualizationBasedSecurity + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies whether Virtualization Based Security is enabled. -> [!div class = "checklist"] -> * Device +Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. -
    +Virtualization Based Protection of Code Integrity - - -Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. +This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* +The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option. - - -The following list shows the supported values: +The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. -- 0 (default) - disable virtualization based security. -- 1 - enable virtualization based security. +The "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy. - - +The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. -
    +The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. - -**DeviceGuard/LsaCfgFlags** +Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. - +Credential Guard -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. +For Windows 11 21H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured". - -
    +The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511). -> [!div class = "checklist"] -> * Device +For Windows 11 21H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock. -
    +Secure Launch - - +This setting sets the configuration of Secure Launch to secure the boot chain. + +The "Not Configured" setting is the default, and allows configuration of the feature by Administrative users. + +The "Enabled" option turns on Secure Launch on supported hardware. + +The "Disabled" option turns off Secure Launch, regardless of hardware support. + +Kernel-mode Hardware-enforced Stack Protection + +This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered. + +This security feature has the following prerequisites: +1) The CPU hardware supports hardware-based shadow stacks. +2) Virtualization Based Protection of Code Integrity is enabled. + +If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature. + +**Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately. + +Devices that enable this security feature must be running at least Windows 11 (Version 22H2). + +The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection. + +The "Enabled in audit mode" option enables kernel-mode Hardware-enforced Stack Protection in audit mode, where shadow stack violations are not fatal and will be logged to the system event log. + +The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced Stack Protection in enforcement mode, where shadow stack violations are fatal. + +The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. + +Warning: All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | disable virtualization based security. | +| 1 | enable virtualization based security. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| Registry Value Name | EnableVirtualizationBasedSecurity | +| ADMX File Name | DeviceGuard.admx | + + + + + + + + + +## LsaCfgFlags + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags +``` + + + + +Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. | +| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. | +| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Credential Guard Configuration | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + + + + + + + + + +## RequirePlatformSecurityFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures +``` + + + + +Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. + + + + This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. + - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP element: *CredentialIsolationDrop* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. -- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. -- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 1 (Default) | Turns on VBS with Secure Boot. | +| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. | + -
    + +**Group policy mapping**: - -**DeviceGuard/RequirePlatformSecurityFeatures** +| Name | Value | +|:--|:--| +| Name | VirtualizationBasedSecurity | +| Friendly Name | Turn On Virtualization Based Security | +| Element Name | Select Platform Security Level | +| Location | Computer Configuration | +| Path | System > Device Guard | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard | +| ADMX File Name | DeviceGuard.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device - -
    - - - -This setting specifies the platform security level at the next reboot. Value type is integer. - - - -ADMX Info: -- GP Friendly name: *Turn On Virtualization Based Security* -- GP name: *VirtualizationBasedSecurity* -- GP element: *RequirePlatformSecurityFeaturesDrop* -- GP path: *System/Device Guard* -- GP ADMX file name: *DeviceGuard.admx* - - - -The following list shows the supported values: - -- 1 (default) - Turns on VBS with Secure Boot. -- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. - - - -
    - - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 9b12315551..38b1ab8c83 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,189 +1,200 @@ --- -title: Policy CSP - DeviceHealthMonitoring -description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. +title: DeviceHealthMonitoring Policy CSP +description: Learn more about the DeviceHealthMonitoring Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeviceHealthMonitoring + + + + +## AllowDeviceHealthMonitoring -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - -## DeviceHealthMonitoring policies + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring +``` + -
    -
    - DeviceHealthMonitoring/AllowDeviceHealthMonitoring -
    -
    - DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope -
    -
    - DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination -
    -
    + + +Enable/disable 4Nines device health monitoring on devices. + + + + -
    + +**Description framework properties**: - -**DeviceHealthMonitoring/AllowDeviceHealthMonitoring** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 1 | The DeviceHealthMonitoring connection is enabled. | +| 0 (Default) | The DeviceHealthMonitoring connection is disabled. | + + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigDeviceHealthMonitoringScope -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope +``` + - - -DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it. + + +If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. + - - -The following list shows the supported values: + + + -- 1 -The DeviceHealthMonitoring connection is enabled. -- 0 - (default)—The DeviceHealthMonitoring connection is disabled. + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringScope_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + + + - - + -
    + +## ConfigDeviceHealthMonitoringServiceInstance - -**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which service instance to which events are to be uploaded. + + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringServiceInstance_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. -This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. -IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. + +## ConfigDeviceHealthMonitoringUploadDestination + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination +``` + - - + + +If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. + - - + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringUploadDestination_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - -**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    +## Related articles - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. - -The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios. -In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. - -Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service. - - - - - - - - - - - - - -
    - - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index de68aa4b4e..ea11b5d336 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,135 +1,102 @@ --- -title: Policy CSP - DeviceInstallation -ms.reviewer: +title: DeviceInstallation Policy CSP +description: Learn more about the DeviceInstallation Area in Policy CSP +author: vinaypamnani-msft manager: aaroncz -description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. ms.author: vinpa -ms.date: 09/27/2019 -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium +ms.topic: reference --- + + + # Policy CSP - DeviceInstallation ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -
    - - -## DeviceInstallation policies - -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceIDs -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs -
    -
    - DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses -
    -
    - DeviceInstallation/EnableInstallationPolicyLayering -
    -
    - DeviceInstallation/PreventDeviceMetadataFromNetwork -
    -
    - DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceIDs -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs -
    -
    - DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses -
    -
    - - -
    - - -### DeviceInstallation/AllowInstallationOfMatchingDeviceIDs - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install. - > [!TIP] -> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + + + + +## AllowInstallationOfMatchingDeviceIDs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs +``` + + + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match these device IDs +- Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. -- Prevent installation of devices that match these device IDs. -- Prevent installation of devices that match any of these device instance IDs. +NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. - -> [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. - -Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). +Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Allow installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Allow* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_IDs_Allow | +| Friendly Name | Allow installation of devices that match any of these device IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowDeviceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. - ```xml @@ -157,79 +124,77 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - + -
    + +## AllowInstallationOfMatchingDeviceInstanceIDs - -### DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. - -> [!TIP] -> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + + +This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: +- Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. -- Prevent installation of devices that match any of these device instance IDs. - -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. - -> [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. +NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow installation of devices that match any of these device instance IDs* -- GP name: *DeviceInstall_Instance_IDs_Allow* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Instance_IDs_Allow | +| Friendly Name | Allow installation of devices that match any of these device instance IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowInstanceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. ``` xml @@ -257,81 +222,79 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - + -
    + +## AllowInstallationOfMatchingDeviceSetupClasses - -### DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. - -> [!TIP] -> This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled, however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for legacy policy definitions. When this policy setting is enabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings: - - Prevent installation of devices for these device classes - Prevent installation of devices that match these device IDs - Prevent installation of devices that match any of these device instance IDs +If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. -If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting isn't enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. - -> [!NOTE] -> The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. +NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible. Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Allow installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Allow* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Classes_Allow | +| Friendly Name | Allow installation of devices using drivers that match these device setup classes | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowDeviceClasses | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example allows Windows to install: - Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} @@ -359,6 +322,7 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes,
    ``` +**Verify**: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: @@ -369,82 +333,85 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - + -
    + +## EnableInstallationPolicyLayering - -### DeviceInstallation/EnableInstallationPolicyLayering + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/EnableInstallationPolicyLayering +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -Added in Windows 10, Version 2106 -
    - - - + + This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows: Device instance IDs > Device IDs > Device setup class > Removable devices -**Device instance IDs** +Device instance IDs +1. Prevent installation of devices using drivers that match these device instance IDs +2. Allow installation of devices using drivers that match these device instance IDs -- Prevent installation of devices using drivers that match these device instance IDs. -- Allow installation of devices using drivers that match these device instance IDs. +Device IDs +3. Prevent installation of devices using drivers that match these device IDs +4. Allow installation of devices using drivers that match these device IDs -**Device IDs** -- Prevent installation of devices using drivers that match these device IDs. -- Allow installation of devices using drivers that match these device IDs. +Device setup class +5. Prevent installation of devices using drivers that match these device setup classes +6. Allow installation of devices using drivers that match these device setup classes -**Device setup class** -- Prevent installation of devices using drivers that match these device setup classes. -- Allow installation of devices using drivers that match these device setup classes. +Removable devices +7. Prevent installation of removable devices -**Removable devices** -- Prevent installation of removable devices. +NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. -> [!NOTE] -> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. +If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. + -If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria* -- GP name: *DeviceInstall_Allow_Deny_Layered* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Allow_Deny_Layered | +| Friendly Name | Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | AllowDenyLayered | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - ```xml @@ -463,6 +430,7 @@ ADMX Info: ``` +**Verify**: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: @@ -477,126 +445,133 @@ You can also change the evaluation order of device installation policy settings :::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image."::: - - - - -
    + - -### DeviceInstallation/PreventDeviceMetadataFromNetwork + - + +## PreventDeviceMetadataFromNetwork -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventDeviceMetadataFromNetwork +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. -If you enable this policy setting, Windows doesn't retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). +If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). -If you disable or don't configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. +If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent device metadata retrieval from the Internet* -- GP name: *DeviceMetadata_PreventDeviceMetadataFromNetwork* -- GP path: *System/Device Installation* -- GP ADMX file name: *DeviceSetup.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | DeviceMetadata_PreventDeviceMetadataFromNetwork | +| Friendly Name | Prevent device metadata retrieval from the Internet | +| Location | Computer Configuration | +| Path | System > Device Installation | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Device Metadata | +| Registry Value Name | PreventDeviceMetadataFromNetwork | +| ADMX File Name | DeviceSetup.admx | + - - + + + -
    + - -### DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + +## PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings +``` + + + +This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. - -
    +NOTE: This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. -> [!div class = "checklist"] -> * Device +If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. + -
    + + + - - -This policy setting allows you to prevent the installation of devices that aren't described by any other policy setting. + +**Description framework properties**: -> [!NOTE] -> This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It's recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that isn't described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you disable or don't configure this policy setting, Windows is allowed to install or update the driver package for any device that isn't described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Unspecified_Deny | +| Friendly Name | Prevent installation of devices not described by other policy settings | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyUnspecified | +| ADMX File Name | DeviceInstallation.admx | + + + +**Example**: - -ADMX Info: -- GP Friendly name: *Prevent installation of devices not described by other policy settings* -- GP name: *DeviceInstall_Unspecified_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - - - To enable this policy, use the following SyncML. This example prevents Windows from installing devices that aren't described by any other policy setting. - ```xml @@ -616,6 +591,8 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -628,69 +605,71 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i You can also block installation by using a custom profile in Intune. ![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png) - - + - - + -
    + +## PreventInstallationOfMatchingDeviceIDs - -### DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -> [!NOTE] -> To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. +NOTE: To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_IDs_Deny | +| Friendly Name | Prevent installation of devices that match any of these device IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyDeviceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - -
    To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use &#xF000; as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. @@ -713,6 +692,8 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -727,65 +708,69 @@ You can also block installation and usage of prohibited peripherals by using a c For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed. ![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png) - - + - - + -
    + +## PreventInstallationOfMatchingDeviceInstanceIDs - -### DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. + + + Peripherals can be specified by their [device instance ID](/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent installation of devices that match any of these device instance IDs* -- GP name: *DeviceInstall_Instance_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Instance_IDs_Deny | +| Friendly Name | Prevent installation of devices that match any of these device instance IDs | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyInstanceIDs | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with device instance IDs of USB\VID_1F75 and USB\VID_0781. To configure multiple classes, use `` as a delimiter. ``` xml @@ -806,6 +791,9 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` + +**Verify** + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ``` txt @@ -834,68 +822,71 @@ with > don't use spaces in the value. 3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. - - + - - + -
    + +## PreventInstallationOfMatchingDeviceSetupClasses - -### DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. -> [!NOTE] -> To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. +NOTE: To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. +If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. + + + Peripherals can be specified by their [hardware identity](/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Prevent installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DeviceInstall_Classes_Deny | +| Friendly Name | Prevent installation of devices using drivers that match these device setup classes | +| Location | Computer Configuration | +| Path | System > Device Installation > Device Installation Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | +| Registry Value Name | DenyDeviceClasses | +| ADMX File Name | DeviceInstallation.admx | + + + + +**Example**: - - To enable this policy, use the following SyncML. This example prevents Windows from installing: - Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} @@ -924,6 +915,8 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: ```txt @@ -932,17 +925,16 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` - - + - - -
    + + + + + - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 38b90600338c67bfa3d403f953a7e378947ec7bc Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 29 Dec 2022 15:34:32 -0500 Subject: [PATCH 079/152] devicelock display dmaguard --- .../mdm/policy-csp-devicelock.md | 1915 ++++++++++------- .../mdm/policy-csp-display.md | 466 ++-- .../mdm/policy-csp-dmaguard.md | 140 +- 3 files changed, 1478 insertions(+), 1043 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index fc07d7068e..bc7b915aea 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,245 +1,215 @@ --- -title: Policy CSP - DeviceLock -description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state. +title: DeviceLock Policy CSP +description: Learn more about the DeviceLock Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 05/16/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DeviceLock -
    +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## DeviceLock policies - -
    -
    - DeviceLock/AllowIdleReturnWithoutPassword -
    -
    - DeviceLock/AllowSimpleDevicePassword -
    -
    - DeviceLock/AllowScreenTimeoutWhileLockedUserConfig -
    -
    - DeviceLock/AlphanumericDevicePasswordRequired -
    -
    - DeviceLock/DevicePasswordEnabled -
    -
    - DeviceLock/DevicePasswordExpiration -
    -
    - DeviceLock/DevicePasswordHistory -
    -
    - DeviceLock/EnforceLockScreenAndLogonImage -
    -
    - DeviceLock/MaxDevicePasswordFailedAttempts -
    -
    - DeviceLock/MaxInactivityTimeDeviceLock -
    -
    - DeviceLock/MinDevicePasswordComplexCharacters -
    -
    - DeviceLock/MinDevicePasswordLength -
    -
    - DeviceLock/MinimumPasswordAge -
    -
    - DeviceLock/PreventEnablingLockScreenCamera -
    -
    - DeviceLock/PreventLockScreenSlideShow -
    -
    - - -
    - -> [!Important] + + +[!Important] > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - -**DeviceLock/AllowIdleReturnWithoutPassword** + - + +## AllowIdleReturnWithoutPassword -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowIdleReturnWithoutPassword +``` + - -
    + + +Specifies whether the user must input a PIN or password when the device resumes from an idle state. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + > [!NOTE] > Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. -Specifies whether the user must input a PIN or password when the device resumes from an idle state. - > [!NOTE] > This policy must be wrapped in an Atomic command. + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed. -- 1 (default) – Allowed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [DeviceLock_AllowIdleReturnWithoutPassword_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**DeviceLock/AllowSimpleDevicePassword** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AllowScreenTimeoutWhileLockedUserConfig + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowScreenTimeoutWhileLockedUserConfig +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Allow | +| 0 (Default) | Block | + + + + + + + + + +## AllowSimpleDevicePassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AllowSimpleDevicePassword +``` + + + + +Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. + + + + > [!NOTE] > This policy must be wrapped in an Atomic command. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Blocked -- 1 – Allowed +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [DeviceLock_AllowSimpleDevicePassword_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## AlphanumericDevicePasswordRequired + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - -
    - - -**DeviceLock/AlphanumericDevicePasswordRequired** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). + + +Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 + + + > [!NOTE] > This policy must be wrapped in an Atomic command. > @@ -251,456 +221,31 @@ Determines the type of PIN required. This policy only applies if the **DeviceLoc > If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. > > If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. - - - -The following list shows the supported values: - -- 0 – Password or Alphanumeric PIN required. -- 1 – Password or Numeric PIN required. -- 2 (default) – Password, Numeric PIN, or Alphanumeric PIN required. - - - - -
    - - -**DeviceLock/DevicePasswordEnabled** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies whether device lock is enabled. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - - - -> [!IMPORTANT] -> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: -> -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters -  - -> [!IMPORTANT] -> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: -> -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 -> -> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: -> -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters - -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock - - - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - - - - -
    - - -**DeviceLock/DevicePasswordExpiration** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies when the password expires (in days). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - - -If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords don't expire. - - - - -
    - - -**DeviceLock/DevicePasswordHistory** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies how many passwords can be stored in the history that can’t be used. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - -The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords. - -Max policy value is the most restricted. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) - - - - -
    - - -**DeviceLock/EnforceLockScreenAndLogonImage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the default lock screen and sign-in image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and sign-in screens. Users won't be able to change this image. - -> [!NOTE] -> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. - - -Value type is a string, which is the full image filepath and filename. - - - - -
    - - -**DeviceLock/MaxDevicePasswordFailedAttempts** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -On a client device, when the user reaches the value set by this policy, it isn't wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker isn't enabled, then the policy can't be enforced. - - Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. - - -Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - - -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. - - - - -
    - - -**DeviceLock/MaxInactivityTimeDeviceLock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. - -On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. - - - - -
    - - -**DeviceLock/MinDevicePasswordComplexCharacters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - -PIN enforces the following behavior for client devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. - -The default value is 1. The following list shows the supported values and actual enforced values: - -|Account Type|Supported Values|Actual Enforced Values| -|--- |--- |--- | -|Local Accounts|1,2,3|3| -|Microsoft Accounts|1,2|<p2| -|Domain Accounts|Not supported|Not supported| - - -Enforced values for Local and Microsoft Accounts: - -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. -- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) - -The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -
    - - -**DeviceLock/MinDevicePasswordLength** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Specifies the minimum number or characters required in the PIN or password. - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | +| Dependency [DeviceLock_AlphanumericDevicePasswordRequired_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Password or Alphanumeric PIN required. | +| 1 | Password or Numeric PIN required. | +| 2 (Default) | Password, Numeric PIN, or Alphanumeric PIN required. | + + + + > [!NOTE] > This policy must be wrapped in an Atomic command. > @@ -743,168 +288,1020 @@ The following example shows how to set the minimum password length to 4 characte ``` - - + -
    + - -**DeviceLock/MinimumPasswordAge** + +## ClearTextPassword - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/ClearTextPassword +``` + + + + +Store passwords using reversible encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Store passwords using reversible encryption | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## DevicePasswordEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled +``` + + + + +Specifies whether device lock is enabled. + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. + +> [!IMPORTANT] +> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +  + +> [!IMPORTANT] +> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: +> +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 +> +> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: +> +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters + +> [!Important] +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: +> - **DevicePasswordEnabled** is the parent policy of the following: +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enabled | +| 1 (Default) | Disabled | + + + + + + + + + +## DevicePasswordExpiration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordExpiration +``` + + + + +Specifies when the password expires (in days). + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-730]` | +| Default Value | 0 | +| Dependency [DeviceLock_DevicePasswordExpiration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. - -
    +If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting doesn't follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user doesn't have to choose a new password. For this reason, Enforce password history is set to 1 by default. +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - -GP Info: -- GP Friendly name: *Minimum password age* -- GP path: *Windows Settings/Security Settings/Account Policies/Password Policy* + +The following list shows the supported values: - - +- An integer X where 0 <= X <= 730. +- 0 (default) - Passwords don't expire. + -
    + - -**DeviceLock/PreventEnablingLockScreenCamera** + +## DevicePasswordHistory - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordHistory +``` + + + + +Specifies how many passwords can be stored in the history that can’t be used. + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + +The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords. + +Max policy value is the most restricted. + +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + + + +The following list shows the supported values: + +- An integer X where 0 <= X <= 50. +- 0 (default) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-50]` | +| Default Value | 0 | +| Dependency [DeviceLock_DevicePasswordHistory_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## EnforceLockScreenAndLogonImage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenAndLogonImage +``` + + + + +Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. Value type is a string, which is the full image filepath and filename. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## EnforceLockScreenProvider + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/EnforceLockScreenProvider +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## MaxDevicePasswordFailedAttempts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts +``` + + + + +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + +**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see Exchange ActiveSync Policy Engine Overview. + + + + +The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for client devices. +- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-999]` | +| Default Value | 0 | +| Dependency [DeviceLock_MaxDevicePasswordFailedAttempts_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## MaximumPasswordAge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaximumPasswordAge +``` + + + + +This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. + +**Note**: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-999]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Maximum password age | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## MaxInactivityTimeDeviceLock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock +``` + + + + +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-999]` | +| Default Value | 0 | +| Dependency [DeviceLock_MaxInactivityTimeDeviceLock_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + + + + + + +## MaxInactivityTimeDeviceLockWithExternalDisplay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay +``` + + + + +Sets the maximum timeout value for the external display. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-999]` | +| Default Value | 0 | + + + + + + + + + +## MinDevicePasswordComplexCharacters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordComplexCharacters +``` + + + + +The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. + +PIN enforces the following behavior for client devices: + +- 1 - Digits only +- 2 - Digits and lowercase letters are required +- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. + +The default value is 1. The following list shows the supported values and actual enforced values: + +|Account Type|Supported Values|Actual Enforced Values| |--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Local Accounts|1,2,3|3| +|Microsoft Accounts|1,2|<p2| +|Domain Accounts|Not supported|Not supported| - -
    +Enforced values for Local and Microsoft Accounts: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. +- Passwords for local accounts must meet the following minimum requirements: -> [!div class = "checklist"] -> * Device + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: -
    + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) - - -Disables the lock screen camera toggle-switch in PC Settings and prevents a camera from being invoked on the lock screen. +The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. + +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [DeviceLock_MinDevicePasswordComplexCharacters_DependencyGroup] | Dependency Type: `DependsOn DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled Device/Vendor/MSFT/Policy/Config/DeviceLock/AlphanumericDevicePasswordRequired`
    Dependency Allowed Value: `[0] [0]`
    Dependency Allowed Value Type: `Range Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Digits only | +| 2 | Digits and lowercase letters are required | +| 3 | Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts | +| 4 | Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop | + + + + + + + + + +## MinDevicePasswordLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength +``` + + + + +Specifies the minimum number or characters required in the PIN or password. + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[4-16]` | +| Default Value | 4 | +| Dependency [DeviceLock_MinDevicePasswordLength_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled`
    Dependency Allowed Value: `[0]`
    Dependency Allowed Value Type: `Range`
    | + + + + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows for desktop editions. + + + +Max policy value is the most restricted. + +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + +The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6. +- Not enforced. +- The default value is 4 for client devices. + + + +**Example**: + +The following example shows how to set the minimum password length to 4 characters. + +```xml + + + + $CmdID$ + + + ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength + + + int + + 4 + + + + + +``` + + + + + +## MinimumPasswordAge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge +``` + + + + +This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-998]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Minimum password age | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## PasswordComplexity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordComplexity +``` + + + + +Password must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Password must meet complexity requirements | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## PasswordHistorySize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PasswordHistorySize +``` + + + + +Minimum password length This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. + +**Note**: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-24]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Minimum password length | +| Path | Windows Settings > Security Settings > Account Policies > Password Policy | + + + + + + + + + +## PreventEnablingLockScreenCamera + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventEnablingLockScreenCamera +``` + + + + +Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. -If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera can't be invoked on the lock screen. +If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Prevent enabling lock screen camera* -- GP name: *CPL_Personalization_NoLockScreenCamera* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreenCamera | +| Friendly Name | Prevent enabling lock screen camera | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreenCamera | +| ADMX File Name | ControlPanelDisplay.admx | + -
    + + + - -**DeviceLock/PreventLockScreenSlideShow** + - + +## PreventLockScreenSlideShow -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Disables the lock screen slideshow settings in PC Settings and prevents a slide show from playing on the lock screen. + + +Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Prevent enabling lock screen slide show* -- GP name: *CPL_Personalization_NoLockScreenSlideshow* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreenSlideshow | +| Friendly Name | Prevent enabling lock screen slide show | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreenSlideshow | +| ADMX File Name | ControlPanelDisplay.admx | + -
    + + + + + +## ScreenTimeoutWhileLocked - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/Policy/Config/DeviceLock/ScreenTimeoutWhileLocked +``` + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + +Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[10-1800]` | +| Default Value | 10 | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 8e0295af7e..e692af7ae2 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,118 +1,105 @@ --- -title: Policy CSP - Display -description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications. +title: Display Policy CSP +description: Learn more about the Display Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Display -
    + + + - -## Display policies + +## DisablePerProcessDpiForApps -
    -
    - Display/DisablePerProcessDpiForApps -
    -
    - Display/EnablePerProcessDpi -
    -
    - Display/EnablePerProcessDpiForApps -
    -
    - Display/TurnOffGdiDPIScalingForApps -
    -
    - Display/TurnOnGdiDPIScalingForApps -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/DisablePerProcessDpiForApps +``` + -
    - - -**Display/DisablePerProcessDpiForApps** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + - - -ADMX Info: -- GP Friendly name: *Configure Per-Process System DPI settings* -- GP name: *DisplayPerProcessSystemDpiSettings* -- GP element: *DisplayDisablePerProcessSystemDpiSettings* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Display/EnablePerProcessDpi** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisplayPerProcessSystemDpiSettings | +| Friendly Name | Configure Per-Process System DPI settings | +| Element Name | Disable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer and User Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## EnablePerProcessDpi - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpi +``` + - - + + +Enable or disable Per-Process System DPI for all applications. + + + + Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows. When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows. @@ -126,100 +113,122 @@ Per Process System DPI won't work for all applications as some older desktop app In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled. Enabling this setting lets you specify the system-wide default for desktop applications and per-application overrides. If you disable or don't configure this setting, Per Process System DPI won't apply to any processes on the system. + - - -ADMX Info: -- GP Friendly name: *Configure Per-Process System DPI settings* -- GP name: *DisplayPerProcessSystemDpiSettings* -- GP element: *DisplayGlobalPerProcessSystemDpiSettings* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + -- 0 - Disable. -- 1 - Enable. + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | Disable. | +| 1 | Enable. | + -
    + +**Group policy mapping**: - -**Display/EnablePerProcessDpiForApps** +| Name | Value | +|:--|:--| +| Name | DisplayPerProcessSystemDpiSettings | +| Friendly Name | Configure Per-Process System DPI settings | +| Element Name | Enable or disable Per-Process System DPI for all applications. | +| Location | Computer and User Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +## EnablePerProcessDpiForApps - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/EnablePerProcessDpiForApps +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. + - - -ADMX Info: -- GP Friendly name: *Configure Per-Process System DPI settings* -- GP name: *DisplayPerProcessSystemDpiSettings* -- GP element: *DisplayEnablePerProcessSystemDpiSettings* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + - -**Display/TurnOffGdiDPIScalingForApps** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisplayPerProcessSystemDpiSettings | +| Friendly Name | Configure Per-Process System DPI settings | +| Element Name | Enable Per-Process System DPI for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer and User Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + + - -
    + +## TurnOffGdiDPIScalingForApps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/TurnOffGdiDPIScalingForApps +``` + -
    + + +This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + - - + + GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware. This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. @@ -229,58 +238,68 @@ If you enable this policy setting, GDI DPI Scaling is turned off for all applica If you disable or don't configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off. + - - -ADMX Info: -- GP Friendly name: *Turn off GdiDPIScaling for applications* -- GP name: *DisplayTurnOffGdiDPIScaling* -- GP element: *DisplayTurnOffGdiDPIScalingPrompt* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisplayTurnOffGdiDPIScaling | +| Friendly Name | Turn off GdiDPIScaling for applications | +| Element Name | Disable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + + + + +**Validate**: - - To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. - + -
    + - -**Display/TurnOnGdiDPIScalingForApps** + +## TurnOnGdiDPIScalingForApps - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Display/TurnOnGdiDPIScalingForApps +``` + + + +This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -GDI DPI Scaling enables applications that aren't DPI aware to become per monitor DPI aware. - + + This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. @@ -288,31 +307,50 @@ If you enable this policy setting, GDI DPI Scaling is turned on for all legacy a If you disable or don't configure this policy setting, GDI DPI Scaling won't be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. If GDI DPI Scaling is configured to both turn-off and turn-on an application, the application will be turned off. + - - -ADMX Info: -- GP Friendly name: *Turn on GdiDPIScaling for applications* -- GP name: *DisplayTurnOnGdiDPIScaling* -- GP element: *DisplayTurnOnGdiDPIScalingPrompt* -- GP path: *System/Display* -- GP ADMX file name: *Display.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `;`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisplayTurnOnGdiDPIScaling | +| Friendly Name | Turn on GdiDPIScaling for applications | +| Element Name | Enable GDI DPI Scaling for the following applications. Use either the full application path or the application filename and extension. Separate applications with a semicolon. | +| Location | Computer Configuration | +| Path | System > Display | +| Registry Key Name | Software\Policies\Microsoft\Windows\Display | +| ADMX File Name | Display.admx | + + + + +**Validate**: - - To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which uses GDI. 2. Run the app and observe crisp text. + - - -
    + + + + + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 8de9e8a848..0cf55a401e 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,101 +1,101 @@ --- -title: Policy CSP - DmaGuard -description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices. +title: DmaGuard Policy CSP +description: Learn more about the DmaGuard Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - DmaGuard -
    + + + - -## DmaGuard policies + +## DeviceEnumerationPolicy -
    -
    - DmaGuard/DeviceEnumerationPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/DmaGuard/DeviceEnumerationPolicy +``` + -
    + + +Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. - -**DmaGuard/DeviceEnumerationPolicy** +**Note**: this policy does not apply to 1394, PCMCIA or ExpressCard devices. + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing. Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that can't be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. + -> [!NOTE] -> This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. + +**Description framework properties**: -The following are the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -0 - Block all (Most restrictive): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will never be allowed to start and perform DMA at any time. + +**Allowed values**: -1 - Only after log in/screen unlock (Default): Devices with DMA remapping compatible drivers will be allowed to enumerate at any time. Devices with DMA remapping incompatible drivers will only be enumerated after the user unlocks the screen. +| Value | Description | +|:--|:--| +| 0 | Block all (Most restrictive) | +| 1 (Default) | Only after log in/screen unlock | +| 2 | Allow all (Least restrictive) | + -2 - Allow all (Least restrictive): All external DMA capable PCIe devices will be enumerated at any time + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Enumeration policy for external devices incompatible with Kernel DMA Protection* -- GP name: *DmaGuardEnumerationPolicy* -- GP path: *System/Kernel DMA Protection* -- GP ADMX file name: *dmaguard.admx* +| Name | Value | +|:--|:--| +| Name | DmaGuardEnumerationPolicy | +| Friendly Name | Enumeration policy for external devices incompatible with Kernel DMA Protection | +| Location | Computer Configuration | +| Path | System > Kernel DMA Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows\Kernel DMA Protection | +| ADMX File Name | DmaGuard.admx | + - - + + + - - + - - + + + - - -
    + - +## Related articles -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 6c0dd8c1ae7e6b1f5cd626d134bb8203c5eddfc5 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 29 Dec 2022 15:58:31 -0500 Subject: [PATCH 080/152] eap education enterprisecloutprint --- .../client-management/mdm/policy-csp-eap.md | 120 ++-- .../mdm/policy-csp-education.md | 435 ++++++++++----- .../mdm/policy-csp-enterprisecloudprint.md | 512 ++++++++++-------- 3 files changed, 615 insertions(+), 452 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 4088b37c80..b3b49b3cb2 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,86 +1,80 @@ --- -title: Policy CSP - EAP -description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app. +title: Eap Policy CSP +description: Learn more about the Eap Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - EAP + -
    + +# Policy CSP - Eap - -## EAP policies + + + -
    -
    - EAP/AllowTLS1_3 -
    -
    + +## AllowTLS1_3 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Eap/AllowTLS1_3 +``` + - -**EAP/AllowTLS1_3** + + +Added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -
    + +**Allowed values**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Value | Description | +|:--|:--| +| 0 | Use of TLS version 1.3 is not allowed for authentication. | +| 1 (Default) | Use of TLS version 1.3 is allowed for authentication. | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -Added in Windows 10, version 21H1. This policy setting allows or disallows use of TLS 1.3 during EAP client authentication. + + + - - -ADMX Info: -- GP Friendly name: *AllowTLS1_3* -- GP name: *AllowTLS1_3* -- GP path: *Windows Components/EAP* -- GP ADMX file name: *EAP.admx* + - - -The following list shows the supported values: +## Related articles -- 0 – Use of TLS version 1.3 is not allowed for authentication. -- 1 (default) – Use of TLS version 1.3 is allowed for authentication. - - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 10da71d3b4..4a05b27018 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,211 +1,348 @@ --- -title: Policy CSP - Education -description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app. +title: Education Policy CSP +description: Learn more about the Education Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Education -
    + + + - -## Education policies + +## EnableEduThemes -
    -
    - Education/AllowGraphingCalculator -
    -
    - Education/DefaultPrinterName -
    -
    - Education/PreventAddingNewPrinters -
    -
    - Education/PrinterNames -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Education/EnableEduThemes +``` + - -**Education/AllowGraphingCalculator** + + +This policy setting allows you to control whether EDU-specific theme packs are available in Settings > Personalization. If you disable or don't configure this policy setting, EDU-specific theme packs will not be included. If you enable this policy setting, users will be able to personalize their devices with EDU-specific themes. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * User +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
    + + + - - -This policy setting allows you to control, whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality. - - -ADMX Info: -- GP Friendly name: *Allow Graphing Calculator* -- GP name: *AllowGraphingCalculator* -- GP path: *Windows Components/Calculator* -- GP ADMX file name: *Programs.admx* + - - -The following list shows the supported values: -- 0 - Disabled -- 1 (default) - Enabled - - + +## IsEducationEnvironment -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -**Education/DefaultPrinterName** + +```Device +./Device/Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment +``` + - + + +This policy setting allows tenant to control whether to declare this OS as an education environment + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * User + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - - -This policy allows IT Admins to set the user's default printer. + + + + + + +## AllowGraphingCalculator + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Education/AllowGraphingCalculator +``` + + + + +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowGraphingCalculator | +| Friendly Name | Allow Graphing Calculator | +| Location | User Configuration | +| Path | Windows Components > Calculator | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Calculator | +| Registry Value Name | AllowGraphingCalculator | +| ADMX File Name | Programs.admx | + + + + + + + + + +## DefaultPrinterName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Education/DefaultPrinterName +``` + + + + +This policy sets user's default printer + + + + The policy value is expected to be the name (network host name) of an installed printer. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**Education/PreventAddingNewPrinters** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## PreventAddingNewPrinters + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/Education/PreventAddingNewPrinters +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +Prevents users from using familiar methods to add local and network printers. -> [!div class = "checklist"] -> * User +If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. -
    +Also, users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears explaining that the setting prevents the action. - - -Allows IT Admins to prevent user installation of more printers from the printers settings. +However, this setting does not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add printers. - - -ADMX Info: -- GP Friendly name: *Prevent addition of printers* -- GP name: *NoAddPrinter* -- GP path: *Control Panel/Printers* -- GP ADMX file name: *Printing.admx* +This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print. - - -The following list shows the supported values: +Note: You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Properties, and then click the Security tab. -- 0 (default) – Allow user installation. -- 1 – Prevent user installation. +If this policy is disabled, or not configured, users can add printers using the methods described above. + - - + + + -
    + +**Description framework properties**: - -**Education/PrinterNames** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 (Default) | Allow user installation. | +| 1 | Prevent user installation. | + - -
    + +**Group policy mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoAddPrinter | +| Friendly Name | Prevent addition of printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoAddPrinter | +| ADMX File Name | Printing.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - -Allows IT Admins to automatically provision printers based on their names (network host names). + +## PrinterNames + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Education/PrinterNames +``` + + + + +This policy provisions per-user network printers + + + + The policy value is expected to be a `````` separated list of printer names. The OS will attempt to search and install the matching printer driver for each listed printer. + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index ebe04d9e51..25607f6862 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,275 +1,307 @@ --- -title: Policy CSP - EnterpriseCloudPrint -description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point. +title: EnterpriseCloudPrint Policy CSP +description: Learn more about the EnterpriseCloudPrint Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - EnterpriseCloudPrint -
    + + + - -## EnterpriseCloudPrint policies + +## CloudPrinterDiscoveryEndPoint -
    -
    - EnterpriseCloudPrint/CloudPrintOAuthAuthority -
    -
    - EnterpriseCloudPrint/CloudPrintOAuthClientId -
    -
    - EnterpriseCloudPrint/CloudPrintResourceId -
    -
    - EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint -
    -
    - EnterpriseCloudPrint/DiscoveryMaxPrinterLimit -
    -
    - EnterpriseCloudPrint/MopriaDiscoveryResourceId -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint +``` + - -**EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + +This policy provisions per-user discovery end point to discover cloud printers + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. - -Supported datatype is string. - -The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, ```https://azuretenant.contoso.com/adfs```. - - - - -
    - - -**EnterpriseCloudPrint/CloudPrintOAuthClientId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. - -Supported datatype is string. - -The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - -
    - - -**EnterpriseCloudPrint/CloudPrintResourceId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. - -Supported datatype is string. - -The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - -
    - - -**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, ```https://cloudprinterdiscovery.contoso.com```. +The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. +**Example**: - - +```https://cloudprinterdiscovery.contoso.com```. + -
    + +**Description framework properties**: - -**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## CloudPrintOAuthAuthority - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintOAuthAuthority +``` + -
    + + +Authentication endpoint for acquiring OAuth tokens + - - -Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. - -Supported datatype is integer. - - - - -
    - - -**EnterpriseCloudPrint/MopriaDiscoveryResourceId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. + + +Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain a URL. For example, ```http://MopriaDiscoveryService/CloudPrint```. +The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. +**Example**: - - -
    +```https://azuretenant.contoso.com/adfs```. + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + +## CloudPrintOAuthClientId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintOAuthClientId +``` + + + + +A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority + + + + +Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. + +Supported datatype is string. + +The default value is an empty string. Otherwise, the value should contain a GUID. +**Example**: + +"E1CF1107-FF90-4228-93BF-26052DD2C714". + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## CloudPrintResourceId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/CloudPrintResourceId +``` + + + + +Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication + + + + +Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. + +Supported datatype is string. + +The default value is an empty string. Otherwise, the value should contain a URL. +**Example**: + +"http://MicrosoftEnterpriseCloudPrint/CloudPrint". + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +## DiscoveryMaxPrinterLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/DiscoveryMaxPrinterLimit +``` + + + + +Defines the maximum number of printers that should be queried from discovery end point + + + + +This policy must target ./User, otherwise it fails. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-65535]` | +| Default Value | 20 | + + + + + + + + + +## MopriaDiscoveryResourceId + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/EnterpriseCloudPrint/MopriaDiscoveryResourceId +``` + + + + +Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication + + + + +This policy must target ./User, otherwise it fails. + +The default value is an empty string. Otherwise, the value should contain a URL. + +**Example**: + +```http://MopriaDiscoveryService/CloudPrint```. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 141f6913c55964069f4243f85c61e5c3281ea8b0 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 30 Dec 2022 15:29:28 -0500 Subject: [PATCH 081/152] errorreporting eventlogservice experience --- .../mdm/policy-csp-errorreporting.md | 463 +-- .../mdm/policy-csp-eventlogservice.md | 375 ++- .../mdm/policy-csp-experience.md | 2762 ++++++++++------- 3 files changed, 2126 insertions(+), 1474 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 3e4f4435e7..a524a6cd1c 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -1,302 +1,351 @@ --- -title: Policy CSP - ErrorReporting -description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types. +title: ErrorReporting Policy CSP +description: Learn more about the ErrorReporting Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ErrorReporting > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ErrorReporting policies + +## CustomizeConsentSettings -
    -
    - ErrorReporting/CustomizeConsentSettings -
    -
    - ErrorReporting/DisableWindowsErrorReporting -
    -
    - ErrorReporting/DisplayErrorNotification -
    -
    - ErrorReporting/DoNotSendAdditionalData -
    -
    - ErrorReporting/PreventCriticalErrorDisplay -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/CustomizeConsentSettings +``` + - -**ErrorReporting/CustomizeConsentSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those even types for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any extra data requested by Microsoft. +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. -- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent, to send any extra data requested by Microsoft. +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Customize consent settings* -- GP name: *WerConsentCustomize_2* -- GP path: *Windows Components/Windows Error Reporting/Consent* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ErrorReporting/DisableWindowsErrorReporting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerConsentCustomize | +| Friendly Name | Customize consent settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableWindowsErrorReporting -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting +``` + - - -This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization, when software unexpectedly stops working or fails. + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. -If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. -If you disable or don't configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + - + + + - -ADMX Info: -- GP Friendly name: *Disable Windows Error Reporting* -- GP name: *WerDisable_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ErrorReporting/DisplayErrorNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerDisable | +| Friendly Name | Disable Windows Error Reporting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | Disabled | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisplayErrorNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisplayErrorNotification +``` + - - -This policy setting controls, whether users are shown an error dialog box that lets them report an error. + + +This policy setting controls whether users are shown an error dialog box that lets them report an error. If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. -If you disable this policy setting, users aren't notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that don't have interactive users. +If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. -If you don't configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. +If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. See also the Configure Error Reporting policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Display Error Notification* -- GP name: *PCH_ShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ErrorReporting/DoNotSendAdditionalData** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PCH_ShowUI | +| Friendly Name | Display Error Notification | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| Registry Value Name | ShowUI | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotSendAdditionalData -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DoNotSendAdditionalData +``` + - - -This policy setting controls, whether extra data in support of error reports can be sent to Microsoft automatically. + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. -If you enable this policy setting, any extra data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. -If you disable or don't configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Do not send additional data* -- GP name: *WerNoSecondLevelData_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ErrorReporting/PreventCriticalErrorDisplay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WerNoSecondLevelData | +| Friendly Name | Do not send additional data | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DontSendAdditionalData | +| ADMX File Name | ErrorReporting.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventCriticalErrorDisplay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ErrorReporting/PreventCriticalErrorDisplay +``` + - - + + This policy setting prevents the display of the user interface for critical errors. -If you enable this policy setting, Windows Error Reporting doesn't display any GUI-based error messages or dialog boxes for critical errors. +If you enable or do not configure this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. -If you disable or don't configure this policy setting, Windows Error Reporting displays the user interface for critical errors. +If you disable this policy setting, Windows Error Reporting displays the GUI-based error messages or dialog boxes for critical errors. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent display of the user interface for critical errors* -- GP name: *WerDoNotShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | WerDoNotShowUI | +| Friendly Name | Prevent display of the user interface for critical errors | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DontShowUI | +| ADMX File Name | ErrorReporting.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 2062c3c59d..56f1f619a0 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,234 +1,277 @@ --- -title: Policy CSP - EventLogService -description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size. +title: EventLogService Policy CSP +description: Learn more about the EventLogService Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - EventLogService -
    +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## EventLogService policies + + + -
    -
    - EventLogService/ControlEventLogBehavior -
    -
    - EventLogService/SpecifyMaximumFileSizeApplicationLog -
    -
    - EventLogService/SpecifyMaximumFileSizeSecurityLog -
    -
    - EventLogService/SpecifyMaximumFileSizeSystemLog -
    -
    + +## ControlEventLogBehavior -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**EventLogService/ControlEventLogBehavior** + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/ControlEventLogBehavior +``` + - + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. - -
    +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy setting controls Event Log behavior, when the log file reaches its maximum size. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +**ADMX mapping**: -> [!NOTE] -> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +| Name | Value | +|:--|:--| +| Name | Channel_Log_Retention | +| Friendly Name | Control Event Log behavior when the log file reaches its maximum size | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| Registry Value Name | Retention | +| ADMX File Name | EventLog.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* + - - + +## SpecifyMaximumFileSizeApplicationLog -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -**EventLogService/SpecifyMaximumFileSizeApplicationLog** + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/SpecifyMaximumFileSizeApplicationLog +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**EventLogService/SpecifyMaximumFileSizeSecurityLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Application | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaximumFileSizeSecurityLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/SpecifyMaximumFileSizeSecurityLog +``` + - - + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. +If you enable this policy setting, you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_2* -- GP path: *Windows Components/Event Log Service/Security* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**EventLogService/SpecifyMaximumFileSizeSystemLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security | +| ADMX File Name | EventLog.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SpecifyMaximumFileSizeSystemLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/EventLogService/SpecifyMaximumFileSizeSystemLog +``` + - - + + This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + - + + + - -ADMX Info: -- GP Friendly name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_4* -- GP path: *Windows Components/Event Log Service/System* -- GP ADMX file name: *eventlog.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | Channel_LogMaxSize | +| Friendly Name | Specify the maximum log file size (KB) | +| Location | Computer Configuration | +| Path | Windows Components > Event Log Service > System | +| Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System | +| ADMX File Name | EventLog.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index bb1fe34831..56af7d7e93 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,1218 +1,1201 @@ --- -title: Policy CSP - Experience -description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory. +title: Experience Policy CSP +description: Learn more about the Experience Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/29/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 11/02/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Experience -
    + + + - -## Experience policies + +## AllowClipboardHistory -
    -
    - Experience/AllowClipboardHistory -
    -
    - Experience/AllowCortana -
    -
    - Experience/AllowDeviceDiscovery -
    -
    - Experience/AllowFindMyDevice -
    -
    - Experience/AllowManualMDMUnenrollment -
    -
    - Experience/AllowSaveAsOfOfficeFiles -
    -
    - Experience/AllowScreenCapture -
    -
    - Experience/AllowSharingOfOfficeFiles -
    -
    - Experience/AllowSIMErrorDialogPromptWhenNoSIM -
    -
    - Experience/AllowSyncMySettings -
    -
    - Experience/AllowSpotlightCollection -
    -
    - Experience/AllowTailoredExperiencesWithDiagnosticData -
    -
    - Experience/AllowThirdPartySuggestionsInWindowsSpotlight -
    -
    - Experience/AllowWindowsConsumerFeatures -
    -
    - Experience/AllowWindowsSpotlight -
    -
    - Experience/AllowWindowsSpotlightOnActionCenter -
    -
    - Experience/AllowWindowsSpotlightOnSettings -
    -
    - Experience/AllowWindowsSpotlightWindowsWelcomeExperience -
    -
    - Experience/AllowWindowsTips -
    -
    - Experience/ConfigureChatIcon -
    -
    - Experience/ConfigureWindowsSpotlightOnLockScreen -
    -
    - Experience/DisableCloudOptimizedContent -
    -
    - Experience/DoNotShowFeedbackNotifications -
    -
    - Experience/DoNotSyncBrowserSettings -
    -
    - Experience/PreventUsersFromTurningOnBrowserSyncing -
    -
    - Experience/ShowLockOnUserTile -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowClipboardHistory +``` + - -**Experience/AllowClipboardHistory** + + +This policy setting determines whether history of Clipboard contents can be stored in memory. +If you enable this policy setting, history of Clipboard contents are allowed to be stored. +If you disable this policy setting, history of Clipboard contents are not allowed to be stored. +Policy change takes effect immediately. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + +**Group policy mapping**: - - -Allows history of clipboard items to be stored in memory. +| Name | Value | +|:--|:--| +| Name | AllowClipboardHistory | +| Friendly Name | Allow Clipboard History | +| Location | Computer Configuration | +| Path | System > OS Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowClipboardHistory | +| ADMX File Name | OSPolicy.admx | + -Supported value type is integer. Supported values are: -- 0 - Not allowed -- 1 - Allowed (default) - - - -ADMX Info: -- GP Friendly name: *Allow Clipboard History* -- GP name: *AllowClipboardHistory* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - - - - - - - -**Validation procedure** + + +**Validate**: 1. Configure Experiences/AllowClipboardHistory to 0. 1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. 1. Press Win+V to open the clipboard history UI. 1. You shouldn't see any clipboard item including current item you copied. 1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. + - - + -
    + +## AllowCopyPaste - -**Experience/AllowCortana** +> [!NOTE] +> This policy is deprecated and may be removed in a future release. - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowCopyPaste +``` + - -
    + + +This policy is deprecated. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. + +**Allowed values**: -Most restricted value is 0. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - - -ADMX Info: -- GP Friendly name: *Allow Cortana* -- GP name: *AllowCortana* -- GP path: *Windows Components/Search* -- GP ADMX file name: *Search.admx* + + + - - -The following list shows the supported values: + -- 0 – Not allowed -- 1 (default) – Allowed + +## AllowCortana - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana +``` + - -**Experience/AllowDeviceDiscovery** + + +This policy setting specifies whether Cortana is allowed on the device. - +If you enable or don't configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +When Cortana is off, users will still be able to use search to find things on the device. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -
    + +**Allowed values**: - - -Allows users to turn on/off device discovery UX. +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -When set to 0, the projection pane is disabled. The Win+P and Win+K shortcut keys won't work on. + +**Group policy mapping**: -Most restricted value is 0. +| Name | Value | +|:--|:--| +| Name | AllowCortana | +| Friendly Name | Allow Cortana | +| Location | Computer Configuration | +| Path | Windows Components > Search | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Search | +| Registry Value Name | AllowCortana | +| ADMX File Name | Search.admx | + - - -The following list shows the supported values: + + + -- 0 – Not allowed -- 1 (default) – Allowed + - - + +## AllowDeviceDiscovery -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - -**Experience/AllowFindMyDevice** + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowDeviceDiscovery +``` + - + + +Allows users to turn on/off device discovery UX. When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. Most restricted value is 0. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - - + + + + + + + +## AllowFindMyDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowFindMyDevice +``` + + + + This policy turns on Find My Device. -When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. +When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. On devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. -When Find My Device is off, the device and its location aren't registered, and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device. +When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work.The user will also not be able to view the location of the last use of their active digitizer on their device. + - - -ADMX Info: -- GP Friendly name: *Turn On/Off Find My Device* -- GP name: *FindMy_AllowFindMyDeviceConfig* -- GP path: *Windows Components/Find My Device* -- GP ADMX file name: *FindMy.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed -- 1 (default) – Allowed +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -**Experience/AllowManualMDMUnenrollment** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | FindMy_AllowFindMyDeviceConfig | +| Friendly Name | Turn On/Off Find My Device | +| Location | Computer Configuration | +| Path | Windows Components > Find My Device | +| Registry Key Name | SOFTWARE\Policies\Microsoft\FindMyDevice | +| Registry Value Name | AllowFindMyDevice | +| ADMX File Name | FindMy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowManualMDMUnenrollment -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment +``` + - - -Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory-joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect. + + +Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect. -> [!NOTE] -> The MDM server can always remotely delete the account. +**Note**: The MDM server can always remotely delete the account. Most restricted value is 0. + -Most restricted value is 0. + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Not allowed -- 1 (default) – Allowed +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -Experience/AllowSaveAsOfOfficeFiles + + + -
    + - + +## AllowSaveAsOfOfficeFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSaveAsOfOfficeFiles +``` + + + + This policy is deprecated. + - - + + + -
    + +**Description framework properties**: - -**Experience/AllowScreenCapture** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AllowScreenCapture -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowScreenCapture +``` + + + +Allow screen capture + - - -Describe what values are supported in by this policy and meaning of each value is default value. + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -**Experience/AllowSharingOfOfficeFiles** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowSharingOfOfficeFiles + +> [!NOTE] +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSharingOfOfficeFiles +``` + + + + This policy is deprecated. + - - + + + - -**Experience/AllowSIMErrorDialogPromptWhenNoSIM** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowSIMErrorDialogPromptWhenNoSIM - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + - - -Describes what values are supported in by this policy and meaning of each value is default value. + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSIMErrorDialogPromptWhenNoSIM +``` + - - + + +Allow SIM error diaglog prompts when no SIM is inserted. + -
    + + + - -**Experience/AllowSyncMySettings** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowSyncMySettings - - -Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -The following list shows the supported values: + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings +``` + -- 0 – Sync settings aren't allowed. -- 1 (default) – Sync settings allowed. + + +Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see About sync setting on Windows 10 devices. + - - + + + -
    + +**Description framework properties**: - -**Experience/AllowSpotlightCollection** +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - + +**Allowed values**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +| Value | Description | +|:--|:--| +| 0 | Sync settings are not allowed. | +| 1 (Default) | Sync settings allowed. | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy allows spotlight collection on the device. - -- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings. -- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop. - - - -The following list shows the supported values: - -- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop -- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft -- Default value: 1 - - - - -
    - - -**Experience/AllowTailoredExperiencesWithDiagnosticData** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows won't use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or don't configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. - -Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. + +## AllowTaskSwitcher > [!NOTE] -> This setting doesn't control Cortana customized experiences because there are separate policies to configure it. +> This policy is deprecated and may be removed in a future release. -Most restricted value is 0. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - - -ADMX Info: -- GP Friendly name: *Do not use diagnostic data for tailored experiences* -- GP name: *DisableTailoredExperiencesWithDiagnosticData* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowTaskSwitcher +``` + - - -The following list shows the supported values: + + +This policy is deprecated. + -- 0 – Not allowed -- 1 (default) – Allowed + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowVoiceRecording -> [!div class = "checklist"] -> * User - -
    - - - > [!NOTE] -> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. - - - -ADMX Info: -- GP Friendly name: *Do not suggest third-party content in Windows spotlight* -- GP name: *DisableThirdPartySuggestions* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Third-party suggestions not allowed. -- 1 (default) – Third-party suggestions allowed. - - - - -
    - - -**Experience/AllowWindowsConsumerFeatures** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -> [!NOTE] -> Prior to Windows 10, version 1803, this policy had User scope. - -This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off Microsoft consumer experiences* -- GP name: *DisableWindowsConsumerFeatures* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 – Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlight** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. - -Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features, and other related features will be turned off. You should enable this policy setting, if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off all Windows spotlight features* -- GP name: *DisableWindowsSpotlightFeatures* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 (default) – Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlightOnActionCenter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or don't configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off Windows Spotlight on Action Center* -- GP name: *DisableWindowsSpotlightOnActionCenter* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 (default) – Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlightOnSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. - -- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. -- User Setting is changeable on a per user basis. -- If the Group policy is set to off, no suggestions will be shown to the user in Settings app. - - - -ADMX Info: -- GP Friendly name: *Turn off Windows Spotlight on Settings* -- GP name: *DisableWindowsSpotlightOnSettings* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 - Not allowed -- 1 - Allowed - - - - -
    - - -**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting lets you turn off the Windows spotlight, and Windows welcome experience feature. -The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. - -Most restricted value is 0. - - - -ADMX Info: -- GP Friendly name: *Turn off the Windows Welcome Experience* -- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed -- 1 (default) – Allowed - - - - -
    - - -**Experience/AllowWindowsTips** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :x: Enterprise
    :x: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowVoiceRecording +``` + + + + +This policy is deprecated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + + + + + + + +## AllowWindowsConsumerFeatures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures +``` + + + + +Prior to Windows 10, version 1803, this policy had User scope. This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsConsumerFeatures_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsConsumerFeatures | +| Friendly Name | Turn off Microsoft consumer experiences | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsConsumerFeatures | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsTips + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips +``` + + + + Enables or disables Windows Tips / soft landing. + - - -ADMX Info: -- GP Friendly name: *Do not show Windows tips* -- GP name: *DisableSoftLanding* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 – Disabled -- 1 (default) – Enabled +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsTips_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - -**Experience/ConfigureChatIcon** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSoftLanding | +| Friendly Name | Do not show Windows tips | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSoftLanding | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|Yes| -|Enterprise|No|Yes| -|Education|No|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureChatIcon -> [!div class = "checklist"] -> * Machine -
    - - -This policy setting allows you to configure the Chat icon on the taskbar. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -The values for this policy are 0, 1, 2, and 3. This policy defaults to 0, if not enabled. + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon +``` + -- 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition. -- 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings. -- 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings. -- 3 - Disabled: The Chat icon won't be displayed, and users can't show or hide it in Settings. + + +Configures the Chat icon on the taskbar + + + > [!NOTE] > Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**Experience/ConfigureWindowsSpotlightOnLockScreen** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Show | +| 2 | Hide | +| 3 | Disabled | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | ConfigureChatIcon | +| Friendly Name | Configures the Chat icon on the taskbar | +| Element Name | State | +| Location | Computer Configuration | +| Path | Windows Components > Chat | +| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Chat | +| ADMX File Name | Taskbar.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableCloudOptimizedContent - - -> [!NOTE] -> This policy is only available for Windows 10 Enterprise, and Windows 10 Education. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Allows IT admins to specify, whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableCloudOptimizedContent +``` + - - -ADMX Info: -- GP Friendly name: *Configure Windows spotlight on lock screen* -- GP name: *ConfigureWindowsSpotlight* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* - - - -The following list shows the supported values: - -- 0 – None. -- 1 (default) – Windows spotlight enabled. -- 2 – placeholder only for future extension. Using this value has no effect. - - - - - -**Experience/DisableCloudOptimizedContent** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting lets you turn off cloud optimized content in all Windows experiences. -If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content. +If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. -If you disable or don't configure this policy setting, Windows experiences will be able to use cloud optimized content. +If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. + - - -ADMX Info: -- GP Friendly name: *Turn off cloud optimized content* -- GP name: *DisableCloudOptimizedContent* -- GP path: *Windows Components/Cloud Content* -- GP ADMX file name: *CloudContent.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Disabled -- 1 – Enabled +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - -**Experience/DoNotShowFeedbackNotifications** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableCloudOptimizedContent | +| Friendly Name | Turn off cloud optimized content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableCloudOptimizedContent | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableConsumerAccountStateContent -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableConsumerAccountStateContent +``` + - - -Prevents devices from showing feedback questions from Microsoft. + + +This policy setting lets you turn off cloud consumer account state content in all Windows experiences. -If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or don't configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. +If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. -If you disable or don't configure this policy setting, users can control how often they receive feedback questions. +If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. + - - -ADMX Info: -- GP Friendly name: *Do not show feedback notifications* -- GP name: *DoNotShowFeedbackNotifications* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *FeedbackNotifications.admx* + + + - - -The following list shows the supported values: + +**Description framework properties**: -- 0 (default) – Feedback notifications aren't disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. -- 1 – Feedback notifications are disabled. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - -**Experience/DoNotSyncBrowserSettings** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableConsumerAccountStateContent | +| Friendly Name | Turn off cloud consumer account state content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableConsumerAccountStateContent | +| ADMX File Name | CloudContent.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotShowFeedbackNotifications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications +``` + - - -[!INCLUDE [do-not-sync-browser-settings-shortdesc](../includes/do-not-sync-browser-settings-shortdesc.md)] + + +This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. +If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. + +If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. + +Note: If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. | +| 1 | Feedback notifications are disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotShowFeedbackNotifications | +| Friendly Name | Do not show feedback notifications | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| Registry Value Name | DoNotShowFeedbackNotifications | +| ADMX File Name | FeedbackNotifications.admx | + + + + + + + + + +## DoNotSyncBrowserSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +``` + + + + +Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. + +If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. + +Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable by the user. + + + + Related policy: [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing) + - - -ADMX Info: -- GP Friendly name: *Do not sync browser settings* -- GP name: *DisableWebBrowserSettingSync* -- GP path: *Windows Components/Sync your settings* -- GP ADMX file name: *SettingSync.admx* + +**Description framework properties**: - - -Supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes. -- 2 - Prevented/turned off. The "browser" group doesn't use the _Sync your Settings_ option. + +**Allowed values**: +| Value | Description | +|:--|:--| +| 2 | Disable Syncing | +| 0 (Default) | Allow syncing | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableWebBrowserSettingSync | +| ADMX File Name | SettingSync.admx | + + + + _**Sync the browser settings automatically**_ Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). @@ -1230,64 +1213,72 @@ _**Prevent syncing of browser settings and let users turn on syncing**_ _**Turn syncing off by default but don’t disable**_ Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. + - - + - - + +## PreventUsersFromTurningOnBrowserSyncing - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + - -**Experience/PreventUsersFromTurningOnBrowserSyncing** + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + + +You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + Related policy: [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting) + + +**Description framework properties**: - - -ADMX Info: -- GP Friendly name: *Prevent users from turning on browser syncing* -- GP name: *PreventUsersFromTurningOnBrowserSyncing* -- GP path: *Windows Components/Sync your settings* -- GP ADMX file name: *SettingSync.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - -Supported values: + +**Allowed values**: -- 0 - Allowed/turned on. Users can sync the browser settings. -- 1 (default) - Prevented/turned off. +| Value | Description | +|:--|:--| +| 0 | Allowed/turned on. Users can sync the browser settings. | +| 1 (Default) | Prevented/turned off. | + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Element Name | Allow users to turn "browser" syncing on. | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| ADMX File Name | SettingSync.admx | + + + + +**Examples**: _**Sync the browser settings automatically**_ @@ -1303,83 +1294,652 @@ _**Prevent syncing of browser settings and let users turn on syncing**_ 1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). 2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - - - - - -Validation procedure: +**Validate**: 1. Select **More > Settings**. 1. See, if the setting is enabled or disabled based on your selection. + - - + -
    + +## ShowLockOnUserTile - -**Experience/ShowLockOnUserTile** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ShowLockOnUserTile +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Shows or hides lock from the user tile menu. +If you enable this policy setting, the lock option will be shown in the User Tile menu. -If you enable this policy setting, the lock option is shown in the User Tile menu. +If you disable this policy setting, the lock option will never be shown in the User Tile menu. -If you disable this policy setting, the lock option is never shown in the User Tile menu. +If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. + -If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose, if they want to show the lock in the user tile menu from the Power Options control panel. + + + - - -ADMX Info: -- GP Friendly name: *Show lock in the user tile menu* -- GP name: *ShowLockOption* -- GP path: *File Explorer* -- GP ADMX file name: *WindowsExplorer.admx* + +**Description framework properties**: - - -Supported values: -- false - The lock option isn't displayed in the User Tile menu. -- true (default) - The lock option is displayed in the User Tile menu. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - - + +**Allowed values**: - - +| Value | Description | +|:--|:--| +| 0 | The lock option is not displayed in the User Tile menu. | +| 1 (Default) | The lock option is displayed in the User Tile menu. | + - - -
    + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowLockOption | +| Friendly Name | Show lock in the user tile menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowLockOption | +| ADMX File Name | WindowsExplorer.admx | + -## Related topics + + + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + +## AllowSpotlightCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection +``` + + + + +Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. If you disable this policy setting, Spotlight collection will not show as an option in Personliazation Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSpotlightCollectionOnDesktop | +| Friendly Name | Turn off Spotlight collection on Desktop | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSpotlightCollectionOnDesktop | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowTailoredExperiencesWithDiagnosticData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowTailoredExperiencesWithDiagnosticData +``` + + + + +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. + +**Note**: This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowTailoredExperiencesWithDiagnosticData_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableTailoredExperiencesWithDiagnosticData | +| Friendly Name | Do not use diagnostic data for tailored experiences | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableTailoredExperiencesWithDiagnosticData | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowThirdPartySuggestionsInWindowsSpotlight + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowThirdPartySuggestionsInWindowsSpotlight +``` + + + + +Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowThirdPartySuggestionsInWindowsSpotlight_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Third-party suggestions not allowed. | +| 1 (Default) | Third-party suggestions allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableThirdPartySuggestions | +| Friendly Name | Do not suggest third-party content in Windows spotlight | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableThirdPartySuggestions | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlight + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight +``` + + + + +Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightFeatures | +| Friendly Name | Turn off all Windows spotlight features | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightFeatures | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlightOnActionCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlightOnActionCenter +``` + + + + +This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsSpotlightOnActionCenter_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightOnActionCenter | +| Friendly Name | Turn off Windows Spotlight on Action Center | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightOnActionCenter | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlightOnSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlightOnSettings +``` + + + + +This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make their experience productive. User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. User Setting is changeable on a per user basis. If the Group policy is set to off, no suggestions will be shown to the user in Settings app. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightOnSettings | +| Friendly Name | Turn off Windows Spotlight on Settings | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightOnSettings | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## AllowWindowsSpotlightWindowsWelcomeExperience + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlightWindowsWelcomeExperience +``` + + + + +This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsSpotlightWindowsWelcomeExperience_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWindowsSpotlightWindowsWelcomeExperience | +| Friendly Name | Turn off the Windows Welcome Experience | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableWindowsSpotlightWindowsWelcomeExperience | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## ConfigureWindowsSpotlightOnLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/ConfigureWindowsSpotlightOnLockScreen +``` + + + + +This policy setting lets you configure Windows spotlight on the lock screen. + +If you enable this policy setting, "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotlight" will display daily images from Microsoft on the lock screen. + +Additionally, if you check the "Include content from Enterprise spotlight" checkbox and your organization has setup an Enterprise spotlight content service in Azure, the lock screen will display internal messages and communications configured in that service, when available. If your organization does not have an Enterprise spotlight content service, the checkbox will have no effect. + +If you disable this policy setting, Windows spotlight will be turned off and users will no longer be able to select it as their lock screen. Users will see the default lock screen image and will be able to select another image, unless you have enabled the "Prevent changing lock screen image" policy. + +If you do not configure this policy, Windows spotlight will be available on the lock screen and will be selected by default, unless you have configured another default lock screen image using the "Force a specific default lock screen and logon image" policy. + +Note: This policy is only available for Enterprise SKUs + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_ConfigureWindowsSpotlightOnLockScreen_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Windows spotlight disabled. | +| 1 (Default) | Windows spotlight enabled. | +| 2 | Windows spotlight is always enabled, the user cannot disable it | +| 3 | Windows spotlight is always enabled, the user cannot disable it. For special configurations only | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureWindowsSpotlight | +| Friendly Name | Configure Windows spotlight on lock screen | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | ConfigureWindowsSpotlight | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## EnableOrganizationalMessages + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/EnableOrganizationalMessages +``` + + + + +Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default, this policy is disabled. If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 192c548ef58b22ce2af3a610ddb7e8a6fa3630a7 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 30 Dec 2022 16:37:14 -0500 Subject: [PATCH 082/152] exploitguard federatedauthentication fileexplorer --- .../mdm/policy-csp-exploitguard.md | 177 +++-- .../mdm/policy-csp-federatedauthentication.md | 124 ++-- .../mdm/policy-csp-fileexplorer.md | 681 +++++++++--------- 3 files changed, 501 insertions(+), 481 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 9f1639a0ed..1b914b6115 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,106 +1,105 @@ --- -title: Policy CSP - ExploitGuard -description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization. +title: ExploitGuard Policy CSP +description: Learn more about the ExploitGuard Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ExploitGuard -
    + + + - -## ExploitGuard policies + +## ExploitProtectionSettings -
    -
    - ExploitGuard/ExploitProtectionSettings -
    -
    - -
    - - -**ExploitGuard/ExploitProtectionSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). - -The system settings require a reboot; the application settings do not require a reboot. - - - -ADMX Info: -- GP Friendly name: *Use a common set of exploit protection settings* -- GP name: *ExploitProtection_Name* -- GP element: *ExploitProtection_Name* -- GP path: *Windows Components/Windows Defender Exploit Guard/Exploit Protection* -- GP ADMX file name: *ExploitGuard.admx* - - - -Here is an example: - -```xml - - - - - $CmdId$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings - - ]]> - - - - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings ``` + - - -
    + + +Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. +There are some prerequisites before you can enable this setting: +- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in Windows Security. +- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security. +- Place the generated XML file in a shared or local path. - +Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied. -## Related topics +Enabled +Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following: +- C:\MitigationSettings\Config.XML +- \\Server\Share\Config.xml +- https://localhost:8080/Config.xml -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +The settings in the XML file will be applied to the endpoint. + +Disabled +Common settings will not be applied, and the locally configured settings will be used instead. + +Not configured +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitProtection_Name | +| Friendly Name | Use a common set of exploit protection settings | +| Element Name | Type the location (local path, UNC path, or URL) of the mitigation settings configuration XML file | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Exploit Guard > Exploit Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection | +| ADMX File Name | ExploitGuard.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md index fd8823c506..61935e9c1c 100644 --- a/windows/client-management/mdm/policy-csp-federatedauthentication.md +++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md @@ -1,81 +1,83 @@ --- -title: Policy CSP - FederatedAuthentication -description: Use the Policy CSP - Represents the enablement state of the Web Sign-in Credential Provider for device sign-in. -ms.author: v-nsatapathy -ms.topic: article +title: FederatedAuthentication Policy CSP +description: Learn more about the FederatedAuthentication Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 12/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/07/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- + + + # Policy CSP - FederatedAuthentication + + + -
    + +## EnableWebSignInForPrimaryUser - -## FederatedAuthentication policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    -
    - FederatedAuthentication/EnableWebSignInForPrimaryUser -
    -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser +``` + + + +Specifies whether web-based sign-in is enabled with the Primary User experience + -
    - - -**FederatedAuthentication/EnableWebSignInForPrimaryUser** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| -|Windows SE|Yes|No| - -> [!NOTE] -> Only available on Windows SE edition when Education/IsEducationEnvironment policy is also set to "1". - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - -This policy specifies whether Web Sign-in can be used for device sign-in in a single-user environment.​ - + + > [!NOTE] > Web Sign-in is only supported on Azure AD Joined PCs. + - + +**Description framework properties**: - -Value type is integer: -- 0 - (default): Feature defaults as appropriate for edition and device capabilities. -- 1 - Enabled: Web Sign-in Credential Provider will be enabled for device sign-in. -- 2 - Disabled: Web Sign-in Credential Provider won't be enabled for device sign-in. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. | +| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. | +| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index e4dfc521d7..31e6019835 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,416 +1,435 @@ --- -title: Policy CSP - FileExplorer -description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer. +title: FileExplorer Policy CSP +description: Learn more about the FileExplorer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - FileExplorer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowOptionToShowNetwork - -## FileExplorer policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    -
    - FileExplorer/AllowOptionToShowNetwork -
    -
    - FileExplorer/AllowOptionToShowThisPC -
    -
    - FileExplorer/TurnOffDataExecutionPreventionForExplorer -
    -
    - FileExplorer/TurnOffHeapTerminationOnCorruption -
    -
    - FileExplorer/SetAllowedFolderLocations -
    -
    - FileExplorer/SetAllowedStorageLocations -
    -
    - FileExplorer/DisableGraphRecentItems -
    -
    + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork +``` +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork +``` + + + +When the Network folder is restricted, give the user the option to enumerate and navigate into it. + -
    + + + - -**FileExplorer/AllowOptionToShowNetwork** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Not Allowed. | +| 1 | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## AllowOptionToShowThisPC - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -This policy allows the user with an option to show the network folder when restricted. + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC +``` + - -The following list shows the supported values: + + +When This PC location is restricted, give the user the option to enumerate and navigate into it. + -- 0 - Disabled -- 1 (default) - Enabled + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow the user the option to show Network folder when restricted* -- GP name: *AllowOptionToShowNetwork* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Not Allowed. | +| 1 | Allowed. | + - -**FileExplorer/AllowOptionToShowThisPC** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableGraphRecentItems - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/DisableGraphRecentItems +``` + -> [!div class = "checklist"] -> * User + + +Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view. + -
    + + + - - + +**Description framework properties**: -This policy allows the user with an option to show this PC location when restricted. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | File Explorer will request cloud file metadata and display it in the Quick access view. | +| 1 | File Explorer will not request cloud file metadata or display it in the Quick access view. | + -- 0 - Disabled -- 1 (default) - Enabled + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableGraphRecentItems | +| Friendly Name | Turn off files from Office.com in Quick access view | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableGraphRecentItems | +| ADMX File Name | Explorer.admx | + - -ADMX Info: -- GP Friendly name: *Allow the user the option to show Network folder when restricted* -- GP name: *AllowOptionToShowThisPC* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + + + - - + -
    + +## SetAllowedFolderLocations - -**FileExplorer/TurnOffDataExecutionPreventionForExplorer** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations +``` + - -
    + + +A value that can represent one or more folder locations in File Explorer. If not specified, the default is access to all folder locations. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Access to all folder locations. | +| 13 | Documents, Pictures, Downloads | +| 15 | Desktop, Documents, Pictures, Downloads | +| 31 | Desktop, Documents, Pictures, Downloads, Network | +| 47 | This PC, Desktop, Documents, Pictures, Downloads | +| 63 | This PC, Desktop, Documents, Pictures, Downloads, Network | + + + + + + + + + +## SetAllowedStorageLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations +``` + + + + +A value that can represent one or more storage locations in File Explorer. If not specified, the default is access to all storage locations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Access to all storage locations. | +| 1 | Removable Drives | +| 2 | Sync roots | +| 3 | Removable Drives, Sync roots | +| 4 | Local Drives | +| 5 | Removable Drives, Local Drives | +| 6 | Sync Roots, Local Drives | +| 7 | Removable Drives, Sync Roots, Local Drives | + + + + + + + + + +## TurnOffDataExecutionPreventionForExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffDataExecutionPreventionForExplorer +``` + + + + Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Data Execution Prevention for Explorer* -- GP name: *NoDataExecutionPrevention* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**FileExplorer/TurnOffHeapTerminationOnCorruption** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDataExecutionPrevention | +| Friendly Name | Turn off Data Execution Prevention for Explorer | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoDataExecutionPrevention | +| ADMX File Name | Explorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffHeapTerminationOnCorruption -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffHeapTerminationOnCorruption +``` + - - + + Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off heap termination on corruption* -- GP name: *NoHeapTerminationOnCorruption* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**FileExplorer/SetAllowedFolderLocations** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoHeapTerminationOnCorruption | +| Friendly Name | Turn off heap termination on corruption | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoHeapTerminationOnCorruption | +| ADMX File Name | Explorer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + + + -
    + - - - - -This policy configures the folders that the user can enumerate and access in the File Explorer. - - - - -The following list shows the supported values: - -- 0: All folders -- 15: Desktop, Documents, Pictures, and Downloads -- 31: Desktop, Documents, Pictures, Downloads, and Network -- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads -- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network - - - - -ADMX Info: -- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* -- GP name: *SetAllowedFolderLocations* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
    - - -**FileExplorer/SetAllowedStorageLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - - -This policy configures the folders that the user can enumerate and access in the File Explorer. - - - - -The following list shows the supported values: - -- 0: All storage locations -- 1: Removable Drives -- 2: Sync roots -- 3: Removable Drives, Sync roots, local drive - - - - -ADMX Info: -- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* -- GP name: *SetAllowedStorageLocations* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
    - - -**FileExplorer/DisableGraphRecentItems** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - - -This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer. - - - - -The following list shows the supported values: - -- 0: Files from Office.com will display in the Home node -- 1: No files from Office.com will be retrieved or displayed - - - - -ADMX Info: -- GP Friendly name: *Turn off files from Office.com in Quick access view* -- GP name: *DisableGraphRecentItems* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
    - - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 3f303ce6b03642b076e94786e8cd778c6a50a0f7 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Mon, 2 Jan 2023 13:17:49 -0500 Subject: [PATCH 083/152] games handwriting humanpresence --- .../client-management/mdm/policy-csp-games.md | 111 ++--- .../mdm/policy-csp-handwriting.md | 133 +++--- .../mdm/policy-csp-humanpresence.md | 405 ++++++++++-------- 3 files changed, 349 insertions(+), 300 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index d2d17d4b28..43b22b00f0 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -1,77 +1,80 @@ --- -title: Policy CSP - Games -description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used. +title: Games Policy CSP +description: Learn more about the Games Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/02/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Games -
    + + + - -## Games policies + +## AllowAdvancedGamingServices -
    -
    - Games/AllowAdvancedGamingServices -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices +``` + - -**Games/AllowAdvancedGamingServices** + + +Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + -
    + + + - - -Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. + -Supported value type is integer. + + + - - -The following list shows the supported values: + -- 0 - Not Allowed -- 1 (default) - Allowed +## Related articles - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 21b975f9b1..d1e0e7494f 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,89 +1,94 @@ --- -title: Policy CSP - Handwriting -description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel. +title: Handwriting Policy CSP +description: Learn more about the Handwriting Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/02/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Handwriting -
    + + + - -## Handwriting policies + +## PanelDefaultModeDocked -
    -
    - Handwriting/PanelDefaultModeDocked -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Handwriting/PanelDefaultModeDocked +``` + - -**Handwriting/PanelDefaultModeDocked** + + +The handwriting panel has 2 modes - floats near the text box, or, attached to the bottom of the screen. Default is floating near text box. If you want the panel to be fixed, use this policy to fix it to the bottom. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
    + +**Group policy mapping**: - - -This policy allows an enterprise to configure the default mode for the handwriting panel. +| Name | Value | +|:--|:--| +| Name | PanelDefaultModeDocked | +| Friendly Name | Handwriting Panel Default Mode Docked | +| Location | Computer Configuration | +| Path | Windows Components > Handwriting | +| Registry Key Name | Software\Policies\Microsoft\Handwriting | +| Registry Value Name | PanelDefaultModeDocked | +| ADMX File Name | Handwriting.admx | + -The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. + + + -In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. + -The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way. + + + - - -ADMX Info: -- GP Friendly name: *Handwriting Panel Default Mode Docked* -- GP name: *PanelDefaultModeDocked* -- GP path: *Windows Components/Handwriting* -- GP ADMX file name: *Handwriting.admx* + - - -The following list shows the supported values: +## Related articles -- 0 (default) - Disabled. -- 1 - Enabled. - - - -
    - - - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 103060ecab..20aa6d7f52 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,246 +1,287 @@ --- -title: Policy CSP - HumanPresence -description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM. +potitle: HumanPresence Policy CSP +description: Learn more about the HumanPresence Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/02/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - HumanPresence -
    + + + - -## HumanPresence policies + +## ForceInstantDim -
    -
    - HumanPresence/ForceInstantDim -
    -
    - HumanPresence/ForceInstantLock -
    -
    - HumanPresence/ForceInstantWake -
    -
    - HumanPresence/ForceLockTimeout -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceInstantDim +``` + - -**HumanPresence/ForceInstantDim** + + +Determines whether Attention Based Display Dimming is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. + - + + +This is a power saving feature that prolongs battery charge. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + -
    + +**Group policy mapping**: - - -This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge. +| Name | Value | +|:--|:--| +| Name | ForceInstantDim | +| Friendly Name | Force Instant Dim | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| ADMX File Name | Sensors.admx | + - - -ADMX Info: -- GP Friendly name: *Force Instant Dim* -- GP name: *ForceInstantDim* -- GP path: *Windows Components/Human Presence* -- GP ADMX file name: *Sensors.admx* + + + - - -The following list shows the supported values: + -- 2 = ForcedOff -- 1 = ForcedOn -- 0 = DefaultToUserChoice -- Defaults to 0. + +## ForceInstantLock - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceInstantLock +``` + - -**HumanPresence/ForceInstantLock** + + +Determines whether Lock on Leave is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + -
    + +**Group policy mapping**: - - -This policy specifies, whether the device can lock when a human presence sensor detects a human. +| Name | Value | +|:--|:--| +| Name | ForceInstantLock | +| Friendly Name | Force Instant Lock | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| Registry Value Name | ForceInstantLock | +| ADMX File Name | Sensors.admx | + - - -ADMX Info: -- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* -- GP name: *ForceInstantLock* -- GP path: *Windows Components/HumanPresence* -- GP ADMX file name: *HumanPresence.admx* + + + - - -The following list shows the supported values: + -- 2 = ForcedOff -- 1 = ForcedOn -- 0 = DefaultToUserChoice -- Defaults to 0 + +## ForceInstantWake - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**HumanPresence/ForceInstantWake** + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceInstantWake +``` + - + + +Determines whether Wake On Arrival is forced on/off by the MDM policy. The user will not be able to change this setting and the toggle in the UI will be greyed out. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -> [!div class = "checklist"] -> * Device + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 2 | ForcedOff. | +| 1 | ForcedOn. | +| 0 (Default) | DefaultToUserChoice. | + - - -This policy specifies, whether the device can lock when a human presence sensor detects a human. + +**Group policy mapping**: - - -ADMX Info: -- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* -- GP name: *ForceInstantWake* -- GP path: *Windows Components/HumanPresence* -- GP ADMX file name: *HumanPresence.admx* +| Name | Value | +|:--|:--| +| Name | ForceInstantWake | +| Friendly Name | Force Instant Wake | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| Registry Value Name | ForceInstantWake | +| ADMX File Name | Sensors.admx | + - - -The following list shows the supported values: + + + -- 2 = ForcedOff -- 1 = ForcedOn -- 0 = DefaultToUserChoice -- Defaults to 0 + - - -
    + +## ForceLockTimeout - -**HumanPresence/ForceLockTimeout** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForceLockTimeout +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Windows SE|No|No| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| + + +Determines the timeout for Lock on Leave forced by the MDM policy. The user will be unable to change this setting and the toggle in the UI will be greyed out. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -
    + +**Allowed values**: - - -This policy specifies, at what distance the sensor wakes up when it sees a human in seconds. +| Value | Description | +|:--|:--| +| 120 | TwoMinutes | +| 30 | ThirtySeconds. | +| 10 | TenSeconds. | +| 0 (Default) | DefaultToUserChoice. | + - - -ADMX Info: -- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM* -- GP name: *ForceLockTimeout* -- GP path: *Windows Components/HumanPresence* -- GP ADMX file name: *HumanPresence.admx* + +**Group policy mapping**: - - -Integer value that specifies, whether the device can lock when a human presence sensor detects a human. +| Name | Value | +|:--|:--| +| Name | ForceLockTimeout | +| Friendly Name | Lock Timeout | +| Location | Computer Configuration | +| Path | Windows Components > Human Presence | +| Registry Key Name | Software\Policies\Microsoft\HumanPresence | +| ADMX File Name | Sensors.admx | + -The following list shows the supported values: + + + -- 120 = 120 seconds -- 30 = 30 seconds -- 10 = 10 seconds -- 0 = DefaultToUserChoice -- Defaults to 0 + - - -
    + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 7a5331212d20c97663a6e78e52ed46bbac368ab2 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Mon, 2 Jan 2023 17:12:57 -0500 Subject: [PATCH 084/152] internetexplorer --- .../mdm/policy-csp-internetexplorer.md | 22963 +++++++++------- 1 file changed, 12993 insertions(+), 9970 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 275de06fef..14ee641a09 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,1102 +1,317 @@ --- -title: Policy CSP - InternetExplorer -description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers. +title: InternetExplorer Policy CSP +description: Learn more about the InternetExplorer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/02/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.reviewer: -manager: aaroncz -ms.date: 12/31/2017 +ms.topic: reference --- + + + # Policy CSP - InternetExplorer -
    - - -## InternetExplorer policies - -
    -
    - InternetExplorer/AddSearchProvider -
    -
    - InternetExplorer/AllowActiveXFiltering -
    -
    - InternetExplorer/AllowAddOnList -
    -
    - InternetExplorer/AllowAutoComplete -
    -
    - InternetExplorer/AllowCertificateAddressMismatchWarning -
    -
    - InternetExplorer/AllowDeletingBrowsingHistoryOnExit -
    -
    - InternetExplorer/AllowEnhancedProtectedMode -
    -
    - InternetExplorer/AllowEnhancedSuggestionsInAddressBar -
    -
    - InternetExplorer/AllowEnterpriseModeFromToolsMenu -
    -
    - InternetExplorer/AllowEnterpriseModeSiteList -
    -
    - InternetExplorer/AllowFallbackToSSL3 -
    -
    - InternetExplorer/AllowInternetExplorer7PolicyList -
    -
    - InternetExplorer/AllowInternetExplorerStandardsMode -
    -
    - InternetExplorer/AllowInternetZoneTemplate -
    -
    - InternetExplorer/AllowIntranetZoneTemplate -
    -
    - InternetExplorer/AllowLocalMachineZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownInternetZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownIntranetZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownLocalMachineZoneTemplate -
    -
    - InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate -
    -
    - InternetExplorer/AllowOneWordEntry -
    -
    - InternetExplorer/AllowSaveTargetAsInIEMode -
    -
    - InternetExplorer/AllowSiteToZoneAssignmentList -
    -
    - InternetExplorer/AllowSoftwareWhenSignatureIsInvalid -
    -
    - InternetExplorer/AllowSuggestedSites -
    -
    - InternetExplorer/AllowTrustedSitesZoneTemplate -
    -
    - InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate -
    -
    - InternetExplorer/AllowsRestrictedSitesZoneTemplate -
    -
    - InternetExplorer/CheckServerCertificateRevocation -
    -
    - InternetExplorer/CheckSignaturesOnDownloadedPrograms -
    -
    - InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses -
    - -
    - InternetExplorer/ConfigureEdgeRedirectChannel -
    -
    - InternetExplorer/DisableActiveXVersionListAutoDownload -
    -
    - InternetExplorer/DisableAdobeFlash -
    -
    - InternetExplorer/DisableBypassOfSmartScreenWarnings -
    -
    - InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles -
    -
    - InternetExplorer/DisableCompatView -
    -
    - InternetExplorer/DisableConfiguringHistory -
    -
    - InternetExplorer/DisableCrashDetection -
    -
    - InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation -
    -
    - InternetExplorer/DisableDeletingUserVisitedWebsites -
    -
    - InternetExplorer/DisableEnclosureDownloading -
    -
    - InternetExplorer/DisableEncryptionSupport -
    -
    - InternetExplorer/DisableFeedsBackgroundSync -
    -
    - InternetExplorer/DisableFirstRunWizard -
    -
    - InternetExplorer/DisableFlipAheadFeature -
    -
    - InternetExplorer/DisableGeolocation -
    -
    - InternetExplorer/DisableHomePageChange -
    -
    - InternetExplorer/DisableInternetExplorerApp -
    -
    - InternetExplorer/DisableIgnoringCertificateErrors -
    -
    - InternetExplorer/DisableInPrivateBrowsing -
    -
    - InternetExplorer/DisableProcessesInEnhancedProtectedMode -
    -
    - InternetExplorer/DisableProxyChange -
    -
    - InternetExplorer/DisableSearchProviderChange -
    -
    - InternetExplorer/DisableSecondaryHomePageChange -
    -
    - InternetExplorer/DisableSecuritySettingsCheck -
    -
    - InternetExplorer/DisableUpdateCheck -
    -
    - InternetExplorer/DisableWebAddressAutoComplete -
    -
    - InternetExplorer/DoNotAllowActiveXControlsInProtectedMode -
    -
    - InternetExplorer/DoNotAllowUsersToAddSites -
    -
    - InternetExplorer/DoNotAllowUsersToChangePolicies -
    -
    - InternetExplorer/DoNotBlockOutdatedActiveXControls -
    -
    - InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains -
    -
    - InternetExplorer/EnableExtendedIEModeHotkeys -
    -
    - InternetExplorer/EnableGlobalWindowListInIEMode -
    -
    - InternetExplorer/HideInternetExplorer11RetirementNotification -
    -
    - InternetExplorer/IncludeAllLocalSites -
    -
    - InternetExplorer/IncludeAllNetworkPaths -
    -
    - InternetExplorer/InternetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/InternetZoneAllowCopyPasteViaScript -
    -
    - InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles -
    -
    - InternetExplorer/InternetZoneAllowFontDownloads -
    -
    - InternetExplorer/InternetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles -
    -
    - InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    -
    - InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
    -
    - InternetExplorer/InternetZoneAllowScriptInitiatedWindows -
    -
    - InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls -
    -
    - InternetExplorer/InternetZoneAllowScriptlets -
    -
    - InternetExplorer/InternetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript -
    -
    - InternetExplorer/InternetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer -
    -
    - InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/InternetZoneDownloadSignedActiveXControls -
    -
    - InternetExplorer/InternetZoneDownloadUnsignedActiveXControls -
    -
    - InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter -
    -
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
    -
    - InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    -
    - InternetExplorer/InternetZoneEnableMIMESniffing -
    -
    - InternetExplorer/InternetZoneEnableProtectedMode -
    -
    - InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer -
    -
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe -
    -
    - InternetExplorer/InternetZoneJavaPermissions -
    -
    - InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/InternetZoneLogonOptions -
    -
    - InternetExplorer/InternetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
    -
    - InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles -
    -
    - InternetExplorer/InternetZoneUsePopupBlocker -
    -
    - InternetExplorer/IntranetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/IntranetZoneAllowFontDownloads -
    -
    - InternetExplorer/IntranetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/IntranetZoneAllowScriptlets -
    -
    - InternetExplorer/IntranetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/IntranetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/IntranetZoneJavaPermissions -
    -
    - InternetExplorer/IntranetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/KeepIntranetSitesInInternetExplorer -
    -
    - InternetExplorer/LocalMachineZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LocalMachineZoneAllowFontDownloads -
    -
    - InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LocalMachineZoneAllowScriptlets -
    -
    - InternetExplorer/LocalMachineZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LocalMachineZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LocalMachineZoneJavaPermissions -
    -
    - InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownInternetZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownInternetZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownInternetZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownIntranetJavaPermissions -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownLocalMachineZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions -
    -
    - InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses -
    -
    - InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses -
    -
    - InternetExplorer/NewTabDefaultPage -
    -
    - InternetExplorer/NotificationBarInternetExplorerProcesses -
    -
    - InternetExplorer/PreventManagingSmartScreenFilter -
    -
    - InternetExplorer/PreventPerUserInstallationOfActiveXControls -
    -
    - InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses -
    -
    - InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls -
    -
    - InternetExplorer/ResetZoomForDialogInIEMode -
    -
    - InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses -
    -
    - InternetExplorer/RestrictFileDownloadInternetExplorerProcesses -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/RestrictedSitesZoneAllowActiveScripting -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors -
    -
    - InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript -
    -
    - InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFileDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles -
    -
    - InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH -
    -
    - InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls -
    -
    - InternetExplorer/RestrictedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -
    -
    - InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer -
    -
    - InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter -
    -
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -
    -
    - InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    -
    - InternetExplorer/RestrictedSitesZoneEnableMIMESniffing -
    -
    - InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -
    -
    - InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/RestrictedSitesZoneJavaPermissions -
    -
    - InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -
    -
    - InternetExplorer/RestrictedSitesZoneLogonOptions -
    -
    - InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames -
    -
    - InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins -
    -
    - InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -
    -
    - InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -
    -
    - InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets -
    -
    - InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -
    -
    - InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode -
    -
    - InternetExplorer/RestrictedSitesZoneUsePopupBlocker -
    -
    - InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses -
    -
    - InternetExplorer/SearchProviderList -
    -
    - InternetExplorer/SecurityZonesUseOnlyMachineSettings -
    -
    - InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge -
    -
    - InternetExplorer/SpecifyUseOfActiveXInstallerService -
    -
    - InternetExplorer/TrustedSitesZoneAllowAccessToDataSources -
    -
    - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads -
    -
    - InternetExplorer/TrustedSitesZoneAllowFontDownloads -
    -
    - InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites -
    -
    - InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents -
    -
    - InternetExplorer/TrustedSitesZoneAllowScriptlets -
    -
    - InternetExplorer/TrustedSitesZoneAllowSmartScreenIE -
    -
    - InternetExplorer/TrustedSitesZoneAllowUserDataPersistence -
    -
    - InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls -
    -
    - InternetExplorer/TrustedSitesZoneJavaPermissions -
    -
    - InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**InternetExplorer/AddSearchProvider** + +## AddSearchProvider - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AddSearchProvider +``` - -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AddSearchProvider +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). -> [!NOTE] -> This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. +**Note**: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. -If you disable or do not configure this policy setting, the user can configure their list of search providers, unless another policy setting restricts such configuration. +If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. + - + + + - -ADMX Info: -- GP Friendly name: *Add a specific list of search providers to the user's list of search providers* -- GP name: *AddSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowActiveXFiltering** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddSearchProvider | +| Friendly Name | Add a specific list of search providers to the user's list of search providers | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | AddPolicySearchProviders | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowActiveXFiltering -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowActiveXFiltering +``` - - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites, so that ActiveX controls can run properly. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowActiveXFiltering +``` + + + + +This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on ActiveX Filtering* -- GP name: *TurnOnActiveXFiltering* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowAddOnList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TurnOnActiveXFiltering | +| Friendly Name | Turn on ActiveX Filtering | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering | +| Registry Value Name | IsEnabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowAddOnList -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAddOnList +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAddOnList +``` + + + + This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: -- Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. -- Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied, enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. +Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will determine, whether add-ons not in this list are assumed to be denied. +If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. + - + + + - -ADMX Info: -- GP Friendly name: *Add-on List* -- GP name: *AddonManagement_AddOnList* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowAutoComplete** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddonManagement_AddOnList | +| Friendly Name | Add-on List | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | ListBox_Support_CLSID | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowCertificateAddressMismatchWarning -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowCertificateAddressMismatchWarning +``` - - -This AutoComplete feature can remember and suggest User names and passwords on Forms. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowCertificateAddressMismatchWarning +``` + -If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". - -If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. - -If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. - - - - -ADMX Info: -- GP Friendly name: *Turn on the auto-complete feature for user names and passwords on forms* -- GP name: *RestrictFormSuggestPW* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/AllowCertificateAddressMismatchWarning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned, when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. + + +This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. If you enable this policy setting, the certificate address mismatch warning always appears. If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). + - + + + - -ADMX Info: -- GP Friendly name: *Turn on certificate address mismatch warning* -- GP name: *IZ_PolicyWarnCertMismatch* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowDeletingBrowsingHistoryOnExit** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyWarnCertMismatch | +| Friendly Name | Turn on certificate address mismatch warning | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | WarnOnBadCertRecving | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowDeletingBrowsingHistoryOnExit -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowDeletingBrowsingHistoryOnExit +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowDeletingBrowsingHistoryOnExit +``` + + + + This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted. If you enable this policy setting, deleting browsing history on exit is turned on. @@ -1106,49 +321,65 @@ If you disable this policy setting, deleting browsing history on exit is turned If you do not configure this policy setting, it can be configured on the General tab in Internet Options. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. + - + + + - -ADMX Info: -- GP Friendly name: *Allow deleting browsing history on exit* -- GP name: *DBHDisableDeleteOnExit* -- GP path: *Windows Components/Internet Explorer/Delete Browsing History* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowEnhancedProtectedMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DBHDisableDeleteOnExit | +| Friendly Name | Allow deleting browsing history on exit | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Delete Browsing History | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Privacy | +| Registry Value Name | ClearBrowsingHistoryOnExit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEnhancedProtectedMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedProtectedMode +``` + + + + Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. @@ -1156,354 +387,448 @@ If you enable this policy setting, Enhanced Protected Mode will be turned on. An If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Enhanced Protected Mode* -- GP name: *Advanced_EnableEnhancedProtectedMode* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowEnhancedSuggestionsInAddressBar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_EnableEnhancedProtectedMode | +| Friendly Name | Turn on Enhanced Protected Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | Isolation | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEnhancedSuggestionsInAddressBar -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedSuggestionsInAddressBar +``` - - -This policy setting allows Internet Explorer to provide enhanced suggestions, as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnhancedSuggestionsInAddressBar +``` + -If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. + + +This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. -If you disable this policy setting, users do not receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. +If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. -If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. +If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. - +If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm. + - -ADMX Info: -- GP Friendly name: *Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar* -- GP name: *AllowServicePoweredQSA* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + + + - - -Supported values: -- 0 - Disabled -- 1 - Enabled (Default) - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** +| Name | Value | +|:--|:--| +| Name | AllowServicePoweredQSA | +| Friendly Name | Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer | +| Registry Value Name | AllowServicePoweredQSA | +| ADMX File Name | inetres.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowEnterpriseModeFromToolsMenu - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -> [!div class = "checklist"] -> * User -> * Device + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeFromToolsMenu +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeFromToolsMenu +``` + - - -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode, using the Tools menu. + + +This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. + - + + + - -ADMX Info: -- GP Friendly name: *Let users turn on and use Enterprise Mode from the Tools menu* -- GP name: *EnterpriseModeEnable* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowEnterpriseModeSiteList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnterpriseModeEnable | +| Friendly Name | Let users turn on and use Enterprise Mode from the Tools menu | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowEnterpriseModeSiteList -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeSiteList +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowEnterpriseModeSiteList +``` + + + + This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. + - + + + - -ADMX Info: -- GP Friendly name: *Use the Enterprise Mode IE website list* -- GP name: *EnterpriseModeSiteList* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowFallbackToSSL3** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnterpriseModeSiteList | +| Friendly Name | Use the Enterprise Mode IE website list | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowFallbackToSSL3 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowFallbackToSSL3 +``` + - - -This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below, when TLS 1.0 or greater fails. + + +This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack. This policy does not affect which security protocols are enabled. If you disable this policy, system defaults will be used. + - + + + - -ADMX Info: -- GP Friendly name: *Allow fallback to SSL 3.0 (Internet Explorer)* -- GP name: *Advanced_EnableSSL3Fallback* -- GP path: *Windows Components/Internet Explorer/Security Features* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowInternetExplorer7PolicyList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_EnableSSL3Fallback | +| Friendly Name | Allow fallback to SSL 3.0 (Internet Explorer) | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer > Security Features | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowInternetExplorer7PolicyList -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorer7PolicyList +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorer7PolicyList +``` + + + + This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. If you disable or do not configure this policy setting, the user can add and remove sites from the list. + - + + + - -ADMX Info: -- GP Friendly name: *Use Policy List of Internet Explorer 7 sites* -- GP name: *CompatView_UsePolicyList* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowInternetExplorerStandardsMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CompatView_UsePolicyList | +| Friendly Name | Use Policy List of Internet Explorer 7 sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Compatibility View | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowInternetExplorerStandardsMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorerStandardsMode +``` - - -This policy setting controls, how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetExplorerStandardsMode +``` + + + + +This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Internet Explorer Standards Mode for local intranet* -- GP name: *CompatView_IntranetSites* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowInternetZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CompatView_IntranetSites | +| Friendly Name | Turn on Internet Explorer Standards Mode for local intranet | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Compatibility View | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\BrowserEmulation | +| Registry Value Name | IntranetCompatibilityMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowInternetZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowInternetZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1511,55 +836,69 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowIntranetZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyInternetZoneTemplate | +| Friendly Name | Internet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies | +| Registry Value Name | InternetZoneTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowIntranetZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowIntranetZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone, consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowIntranetZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1567,55 +906,69 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowLocalMachineZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyIntranetZoneTemplate | +| Friendly Name | Intranet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies | +| Registry Value Name | IntranetZoneTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLocalMachineZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLocalMachineZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLocalMachineZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1623,55 +976,69 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLocalMachineZoneTemplate | +| Friendly Name | Local Machine Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template Policies | +| Registry Value Name | LocalMachineZoneTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLockedDownInternetZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownInternetZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownInternetZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1679,55 +1046,69 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Locked-Down Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyInternetZoneLockdownTemplate | +| Friendly Name | Locked-Down Internet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template Policies | +| Registry Value Name | InternetZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLockedDownIntranetZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownIntranetZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownIntranetZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1735,55 +1116,69 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Locked-Down Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyIntranetZoneLockdownTemplate | +| Friendly Name | Locked-Down Intranet Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template Policies | +| Registry Value Name | IntranetZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLockedDownLocalMachineZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownLocalMachineZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1791,55 +1186,69 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Locked-Down Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLocalMachineZoneLockdownTemplate | +| Friendly Name | Locked-Down Local Machine Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings\Template Policies | +| Registry Value Name | LocalMachineZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowLockedDownRestrictedSitesZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -1847,120 +1256,175 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Locked-Down Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowOneWordEntry** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyRestrictedSitesZoneLockdownTemplate | +| Friendly Name | Locked-Down Restricted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Template Policies | +| Registry Value Name | RestrictedSitesZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowOneWordEntry -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowOneWordEntry +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowOneWordEntry +``` + + + + This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. + - + + + - -ADMX Info: -- GP Friendly name: *Go to an intranet site for a one-word entry in the Address bar* -- GP name: *UseIntranetSiteForOneWordEntry* -- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowSaveTargetAsInIEMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | UseIntranetSiteForOneWordEntry | +| Friendly Name | Go to an intranet site for a one-word entry in the Address bar | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Settings > Advanced settings > Browsing | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | GotoIntranetSiteForSingleWordEntry | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSaveTargetAsInIEMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSaveTargetAsInIEMode +``` - - -This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSaveTargetAsInIEMode +``` + -- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. -- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. + + +This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode. -For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq) +If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. - +If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. - -ADMX Info: -- GP Friendly name: *Allow "Save Target As" in Internet Explorer mode* -- GP name: *AllowSaveTargetAsInIEMode* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +For more information, see + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowSaveTargetAsInIEMode | +| Friendly Name | Allow "Save Target As" in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | AllowSaveTargetAsInIEMode | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -1973,69 +1437,82 @@ ADMX Info: ``` + - -**InternetExplorer/AllowSiteToZoneAssignmentList** + - + +## AllowSiteToZoneAssignmentList -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList +``` + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: -1. Intranet zone -1. Trusted Sites zone -1. Internet zone -1. Restricted Sites zone +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) -Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) +If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: +Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. -- Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. - -- Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. +Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. If you disable or do not configure this policy, users may choose their own site-to-zone assignments. + + + > [!NOTE] > This policy is a list that contains the site and index value. + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Zonemaps | +| Friendly Name | Site to Zone Assignment List | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | ListBox_Support_ZoneMapKey | +| ADMX File Name | inetres.admx | + + + + The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. - +**Example**: - -ADMX Info: -- GP Friendly name: *Site to Zone Assignment List* -- GP name: *IZ_Zonemaps* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - ```xml @@ -2058,40 +1535,101 @@ ADMX Info: Value and index pairs in the SyncML example: - `https://adfs.contoso.org 1` - `https://microsoft.com 2` + - - + -
    + +## AllowsLockedDownTrustedSitesZoneTemplate - -**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate +``` + - -
    + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -> [!div class = "checklist"] -> * User -> * Device +If you disable this template policy setting, no security level is configured. -
    +If you do not configure this template policy setting, no security level is configured. - - +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTrustedSitesZoneLockdownTemplate | +| Friendly Name | Locked-Down Trusted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Template Policies | +| Registry Value Name | TrustedSitesZoneLockdownTemplate | +| ADMX File Name | inetres.admx | + + + + + + + + + +## AllowSoftwareWhenSignatureIsInvalid + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSoftwareWhenSignatureIsInvalid +``` + + + + This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. @@ -2099,100 +1637,202 @@ If you enable this policy setting, users will be prompted to install or run file If you disable this policy setting, users cannot run or install files with an invalid signature. If you do not configure this policy, users can choose to run or install files with an invalid signature. + - + + + - -ADMX Info: -- GP Friendly name: *Allow software to run or install even if the signature is invalid* -- GP name: *Advanced_InvalidSignatureBlock* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowSuggestedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_InvalidSignatureBlock | +| Friendly Name | Allow software to run or install even if the signature is invalid | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Download | +| Registry Value Name | RunInvalidSignatures | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowsRestrictedSitesZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsRestrictedSitesZoneTemplate +``` - - -This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft, to suggest sites that the user might want to visit. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowsRestrictedSitesZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyRestrictedSitesZoneTemplate | +| Friendly Name | Restricted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Policies | +| Registry Value Name | RestrictedSitesZoneTemplate | +| ADMX File Name | inetres.admx | + + + + + + + + + +## AllowSuggestedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSuggestedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSuggestedSites +``` + + + + +This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit. If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions. If you disable this policy setting, the entry points and functionality associated with this feature are turned off. If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Suggested Sites* -- GP name: *EnableSuggestedSites* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowTrustedSitesZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableSuggestedSites | +| Friendly Name | Turn on Suggested Sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Suggested Sites | +| Registry Value Name | Enabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowTrustedSitesZoneTemplate -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowTrustedSitesZoneTemplate +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowTrustedSitesZoneTemplate +``` + + + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. @@ -2200,166 +1840,68 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + - + + + - -ADMX Info: -- GP Friendly name: *Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTrustedSitesZoneTemplate | +| Friendly Name | Trusted Sites Zone Template | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policies | +| Registry Value Name | TrustedSitesZoneTemplate | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CheckServerCertificateRevocation -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/CheckServerCertificateRevocation +``` - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/CheckServerCertificateRevocation +``` + -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - -ADMX Info: -- GP Friendly name: *Locked-Down Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -> [!NOTE] -> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -> [!NOTE] -> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - -ADMX Info: -- GP Friendly name: *Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/CheckServerCertificateRevocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. @@ -2367,135 +1909,186 @@ If you enable this policy setting, Internet Explorer will check to see if server If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. + - + + + - -ADMX Info: -- GP Friendly name: *Check for server certificate revocation* -- GP name: *Advanced_CertificateRevocation* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/CheckSignaturesOnDownloadedPrograms** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_CertificateRevocation | +| Friendly Name | Check for server certificate revocation | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | CertificateRevocation | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CheckSignaturesOnDownloadedPrograms -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/CheckSignaturesOnDownloadedPrograms +``` - - -This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software, and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/CheckSignaturesOnDownloadedPrograms +``` + + + + +This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. + - + + + - -ADMX Info: -- GP Friendly name: *Check for signatures on downloaded programs* -- GP name: *Advanced_DownloadSignatures* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**InternetExplorer/ConfigureEdgeRedirectChannel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_DownloadSignatures | +| Friendly Name | Check for signatures on downloaded programs | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Download | +| Registry Value Name | CheckExeSignatures | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureEdgeRedirectChannel -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ConfigureEdgeRedirectChannel +``` - - -Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ConfigureEdgeRedirectChannel +``` + + + + +Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: - +- If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: - - 1 = Microsoft Edge Stable - - 2 = Microsoft Edge Beta version 77 or later - - 3 = Microsoft Edge Dev version 77 or later - - 4 = Microsoft Edge Canary version 77 or later - -- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. +1 = Microsoft Edge Stable +2 = Microsoft Edge Beta version 77 or later +3 = Microsoft Edge Dev version 77 or later +4 = Microsoft Edge Canary version 77 or later If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur: - +- If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: - - 0 = Microsoft Edge version 45 or earlier - - 1 = Microsoft Edge Stable - - 2 = Microsoft Edge Beta version 77 or later - - 3 = Microsoft Edge Dev version 77 or later - - 4 = Microsoft Edge Canary version 77 or later +0 = Microsoft Edge version 45 or earlier +1 = Microsoft Edge Stable +2 = Microsoft Edge Beta version 77 or later +3 = Microsoft Edge Dev version 77 or later +4 = Microsoft Edge Canary version 77 or later -- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. +*For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see . This update applies only to Windows 10 version 1709 and higher. + -> [!NOTE] -> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure which channel of Microsoft Edge to use for opening redirected sites* -- GP name: *NeedEdgeBrowser* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NeedEdgeBrowser | +| Friendly Name | Configure which channel of Microsoft Edge to use for opening redirected sites | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -2701,449 +2294,418 @@ ADMX Info: ``` - -**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## ConsistentMimeHandlingInternetExplorerProcesses - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses +``` + -
    - - - + + Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. -This policy setting determines, whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain, but the MIME sniff indicates that the file is really an executable file, then Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. +This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_5* -- GP path: *Windows Components/Internet Explorer/Security Features/Consistent Mime Handling* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableActiveXVersionListAutoDownload** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. - -> [!Caution] -> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download, breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. - -If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. - - - - -ADMX Info: -- GP Friendly name: *Turn off automatic download of the ActiveX VersionList* -- GP name: *VersionListAutomaticDownloadDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - -Supported values: -- 0 - Enabled -- 1 - Disabled (Default) - - - - - - - - - -
    - - -**InternetExplorer/DisableAdobeFlash** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. - -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. - -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. - -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - - - -ADMX Info: -- GP Friendly name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* -- GP name: *DisableFlashInIE* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableBypassOfSmartScreenWarnings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines whether the user can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen prevents the user from browsing to or downloading from sites that are known to host malicious content. Windows Defender SmartScreen also prevents the execution of files that are known to be malicious. - -If you enable this policy setting, Windows Defender SmartScreen warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. - - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing SmartScreen Filter warnings* -- GP name: *DisableSafetyFilterOverride* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines whether the user can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the user about executable files that Internet Explorer users do not commonly download from the Internet. - -If you enable this policy setting, Windows Defender SmartScreen warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass Windows Defender SmartScreen warnings. - - - - -ADMX Info: -- GP Friendly name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* -- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableCompatView** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls the Compatibility View feature, which allows users to fix website display problems that they may encounter while browsing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Consistent Mime Handling | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableBypassOfSmartScreenWarnings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarnings +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarnings +``` + + + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. + +If you enable this policy setting, SmartScreen Filter warnings block the user. + +If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSafetyFilterOverride | +| Friendly Name | Prevent bypassing SmartScreen Filter warnings | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\PhishingFilter | +| Registry Value Name | PreventOverride | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles +``` + + + + +This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. + +If you enable this policy setting, SmartScreen Filter warnings block the user. + +If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSafetyFilterOverrideForAppRepUnknown | +| Friendly Name | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\PhishingFilter | +| Registry Value Name | PreventOverrideAppRepUnknown | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableCompatView + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCompatView +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCompatView +``` + + + + +This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she may encounter while browsing. If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Compatibility View* -- GP name: *CompatView_DisableList* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - -Supported values: -- 0 - Disabled (Default) -- 1 - Enabled - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | CompatView_DisableList | +| Friendly Name | Turn off Compatibility View | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Compatibility View | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\BrowserEmulation | +| Registry Value Name | DisableSiteListEditing | +| ADMX File Name | inetres.admx | + - -**InternetExplorer/DisableConfiguringHistory** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableConfiguringHistory - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableConfiguringHistory +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableConfiguringHistory +``` + -
    - - - -This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, do the following: - -1. From the Menu bar, on the Tools menu, click Internet Options. -1. Click the General tab, and then click Settings under Browsing history. + + +This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history. If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. + - + + + - -ADMX Info: -- GP Friendly name: *Disable "Configuring History"* -- GP name: *RestrictHistory* -- GP path: *Windows Components/Internet Explorer/Delete Browsing History* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableCrashDetection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RestrictHistory | +| Friendly Name | Disable "Configuring History" | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Delete Browsing History | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | History | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableCrashDetection -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCrashDetection +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCrashDetection +``` + + + + This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Crash Detection* -- GP name: *AddonManagement_RestrictCrashDetection* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddonManagement_RestrictCrashDetection | +| Friendly Name | Turn off Crash Detection | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Restrictions | +| Registry Value Name | NoCrashDetection | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableCustomerExperienceImprovementProgramParticipation -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation +``` + + + + This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. @@ -3151,49 +2713,65 @@ If you enable this policy setting, the user cannot participate in the CEIP, and If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. If you do not configure this policy setting, the user can choose to participate in the CEIP. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent participation in the Customer Experience Improvement Program* -- GP name: *SQM_DisableCEIP* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableDeletingUserVisitedWebsites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SQM_DisableCEIP | +| Friendly Name | Prevent participation in the Customer Experience Improvement Program | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\SQM | +| Registry Value Name | DisableCustomerImprovementProgram | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableDeletingUserVisitedWebsites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableDeletingUserVisitedWebsites +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableDeletingUserVisitedWebsites +``` + + + + This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box. If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. @@ -3203,259 +2781,325 @@ If you disable this policy setting, websites that the user has visited are delet If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent deleting websites that the user has visited* -- GP name: *DBHDisableDeleteHistory* -- GP path: *Windows Components/Internet Explorer/Delete Browsing History* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableEnclosureDownloading** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DBHDisableDeleteHistory | +| Friendly Name | Prevent deleting websites that the user has visited | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Delete Browsing History | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Privacy | +| Registry Value Name | CleanHistory | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableEnclosureDownloading -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEnclosureDownloading +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEnclosureDownloading +``` + + + + This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent downloading of enclosures* -- GP name: *Disable_Downloading_of_Enclosures* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableEncryptionSupport** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Disable_Downloading_of_Enclosures | +| Friendly Name | Prevent downloading of enclosures | +| Location | Computer and User Configuration | +| Path | Windows Components > RSS Feeds | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Feeds | +| Registry Value Name | DisableEnclosureDownload | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableEncryptionSupport -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEncryptionSupport +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableEncryptionSupport +``` + + + + This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. -> [!NOTE] -> SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. +Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off encryption support* -- GP name: *Advanced_SetWinInetProtocols* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableFeedsBackgroundSync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_SetWinInetProtocols | +| Friendly Name | Turn off encryption support | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableFeedsBackgroundSync -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFeedsBackgroundSync +``` - - -This policy setting allows you to choose whether or not to have background synchronization for feeds and Web Slices. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFeedsBackgroundSync +``` + + + + +This policy setting controls whether to have background synchronization for feeds and Web Slices. If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off background synchronization for feeds and Web Slices* -- GP name: *Disable_Background_Syncing* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - -Supported values: -- 0 - Enabled (Default) -- 1 - Disabled - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Disable_Background_Syncing | +| Friendly Name | Turn off background synchronization for feeds and Web Slices | +| Location | Computer and User Configuration | +| Path | Windows Components > RSS Feeds | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Feeds | +| Registry Value Name | BackgroundSyncStatus | +| ADMX File Name | inetres.admx | + - -**InternetExplorer/DisableFirstRunWizard** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableFirstRunWizard - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFirstRunWizard +``` + -
    - - - -This policy setting prevents Internet Explorer from running the First Run wizard, the first time a user starts the browser after installing Internet Explorer or Windows. + + +This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. If you enable this policy setting, you must make one of the following choices: -- Skip the First Run wizard, and go directly to the user's home page. -- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. +• Skip the First Run wizard, and go directly to the user's home page. +• Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard, the first time the browser is started after installation. +If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent running First Run wizard* -- GP name: *NoFirstRunCustomise* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableFlipAheadFeature** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoFirstRunCustomise | +| Friendly Name | Prevent running First Run wizard | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableFlipAheadFeature -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFlipAheadFeature +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableFlipAheadFeature +``` + + + + This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. @@ -3465,155 +3109,327 @@ If you enable this policy setting, flip ahead with page prediction is turned off If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the flip ahead with page prediction feature* -- GP name: *Advanced_DisableFlipAhead* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableGeolocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_DisableFlipAhead | +| Friendly Name | Turn off the flip ahead with page prediction feature | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\FlipAhead | +| Registry Value Name | Enabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableGeolocation -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableGeolocation +``` - - -This policy setting allows you to disable browser geolocation support. This prevents websites from requesting location data about the user. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableGeolocation +``` + + + + +This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the user. If you enable this policy setting, browser geolocation support is turned off. If you disable this policy setting, browser geolocation support is turned on. If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off browser geolocation* -- GP name: *GeolocationDisable* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - -Supported values: -- 0 - Disabled (Default) -- 1 - Enabled - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | GeolocationDisable | +| Friendly Name | Turn off browser geolocation | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Geolocation | +| Registry Value Name | PolicyDisableGeolocation | +| ADMX File Name | inetres.admx | + - -**InternetExplorer/DisableHomePageChange** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableHTMLApplication - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHTMLApplication +``` -> [!div class = "checklist"] -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHTMLApplication +``` + -
    + + +This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. - - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. +If you enable this policy setting, running the HTML Application (HTA file) will be blocked. -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. +If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. + -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable changing home page settings* -- GP name: *RestrictHomePage* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableInternetExplorerApp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableHTMLApplication | +| Friendly Name | Disable HTML Application | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Hta | +| Registry Value Name | DisableHTMLApplication | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableIgnoringCertificateErrors -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableIgnoringCertificateErrors +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableIgnoringCertificateErrors +``` + + + + +This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. + +If you enable this policy setting, the user cannot continue browsing. + +If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoCertError | +| Friendly Name | Prevent ignoring certificate errors | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | PreventIgnoreCertErrors | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableInPrivateBrowsing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInPrivateBrowsing +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInPrivateBrowsing +``` + + + + +This policy setting allows you to turn off the InPrivate Browsing feature. + +InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. + +If you enable this policy setting, InPrivate Browsing is turned off. + +If you disable this policy setting, InPrivate Browsing is available for use. + +If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableInPrivateBrowsing | +| Friendly Name | Turn off InPrivate Browsing | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Privacy | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Privacy | +| Registry Value Name | EnableInPrivateBrowsing | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableInternetExplorerApp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp +``` + + + + This policy lets you restrict launching of Internet Explorer as a standalone browser. If you enable this policy, it: @@ -3622,22 +3438,44 @@ If you enable this policy, it: - Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. - Overrides any other policies that redirect to Internet Explorer 11. -If you disable, or do not configure this policy, all sites are opened using the current active browser settings. +If you disable, or don’t configure this policy, all sites are opened using the current active browser settings. -> [!NOTE] -> Microsoft Edge Stable Channel must be installed for this policy to take effect. +**Note**: Microsoft Edge Stable Channel must be installed for this policy to take effect. + - + + + - -ADMX Info: -- GP Friendly name: *Disable Internet Explorer 11 as a standalone browser* -- GP name: *DisableInternetExplorerApp* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableInternetExplorerApp | +| Friendly Name | Disable Internet Explorer 11 as a standalone browser | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -3659,492 +3497,484 @@ ADMX Info: ``` - -**InternetExplorer/DisableIgnoringCertificateErrors** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableProcessesInEnhancedProtectedMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProcessesInEnhancedProtectedMode +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProcessesInEnhancedProtectedMode +``` + -
    + + +This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. - - -This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. +Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. -If you enable this policy setting, the user cannot continue browsing. +If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. -If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. - - - - -ADMX Info: -- GP Friendly name: *Prevent ignoring certificate errors* -- GP name: *NoCertError* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableInPrivateBrowsing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to turn off the InPrivate Browsing feature. - -InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. - -If you enable this policy setting, InPrivate Browsing is turned off. - -If you disable this policy setting, InPrivate Browsing is available for use. - -If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. - - - - -ADMX Info: -- GP Friendly name: *Turn off InPrivate Browsing* -- GP name: *DisableInPrivateBrowsing* -- GP path: *Windows Components/Internet Explorer/Privacy* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/DisableProcessesInEnhancedProtectedMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility), when running in Enhanced Protected Mode on 64-bit versions of Windows. - -> [!IMPORTANT] -> Some ActiveX controls and toolbars may not be available when 64-bit processes are used. - -If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows. - -If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows. +If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows* -- GP name: *Advanced_EnableEnhancedProtectedMode64Bit* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableProxyChange** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_EnableEnhancedProtectedMode64Bit | +| Friendly Name | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | Isolation64Bit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableProxyChange -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange +``` + + + + This policy setting specifies if a user can change proxy settings. If you enable this policy setting, the user will not be able to configure proxy settings. If you disable or do not configure this policy setting, the user can configure proxy settings. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing proxy settings* -- GP name: *RestrictProxy* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableSearchProviderChange** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RestrictProxy | +| Friendly Name | Prevent changing proxy settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | Proxy | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSearchProviderChange -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSearchProviderChange +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSearchProviderChange +``` + + + + This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. -If you enable this policy setting, the user cannot change the default search provider. +If you enable this policy setting, disableprocessesthe user cannot change the default search provider. If you disable or do not configure this policy setting, the user can change the default search provider. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent changing the default search provider* -- GP name: *NoSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableSecondaryHomePageChange** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSearchProvider | +| Friendly Name | Prevent changing the default search provider | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | NoChangeDefaultSearchProvider | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSecondaryHomePageChange -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange +``` + + + + Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. If you disable or do not configure this policy setting, the user can add secondary home pages. -> [!NOTE] -> If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. +Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. + - + + + - -ADMX Info: -- GP Friendly name: *Disable changing secondary home page settings* -- GP name: *SecondaryHomePages* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableSecuritySettingsCheck** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SecondaryHomePages | +| Friendly Name | Disable changing secondary home page settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSecuritySettingsCheck -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecuritySettingsCheck +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecuritySettingsCheck +``` + + + + This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the Security Settings Check feature* -- GP name: *Disable_Security_Settings_Check* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableUpdateCheck** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Disable_Security_Settings_Check | +| Friendly Name | Turn off the Security Settings Check feature | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Security | +| Registry Value Name | DisableSecuritySettingsCheck | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableUpdateCheck -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck +``` + - - + + Prevents Internet Explorer from checking whether a new version of the browser is available. -If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifies users if a new version is available. +If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. + - + + + - -ADMX Info: -- GP Friendly name: *Disable Periodic Check for Internet Explorer software updates* -- GP name: *NoUpdateCheck* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DisableWebAddressAutoComplete** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoUpdateCheck | +| Friendly Name | Disable Periodic Check for Internet Explorer software updates | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | NoUpdateCheck | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableWebAddressAutoComplete -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableWebAddressAutoComplete +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableWebAddressAutoComplete +``` + + + + This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. -If you enable this policy setting, users are not suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. +If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. -If you disable this policy setting, users are suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. +If you disable this policy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. -If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. +If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the auto-complete feature for web addresses* -- GP name: *RestrictWebAddressSuggest* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - -Supported values: -- yes - Disabled (Default) -- no - Enabled - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | RestrictWebAddressSuggest | +| Friendly Name | Turn off the auto-complete feature for web addresses | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete | +| Registry Value Name | AutoSuggest | +| ADMX File Name | inetres.admx | + - -**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DoNotAllowActiveXControlsInProtectedMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowActiveXControlsInProtectedMode +``` + -
    - - - + + This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. @@ -4154,48 +3984,61 @@ When Enhanced Protected Mode is enabled, and a user encounters a website that at If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled* -- GP name: *Advanced_DisableEPMCompat* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DoNotAllowUsersToAddSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Advanced_DisableEPMCompat | +| Friendly Name | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Advanced Page | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | DisableEPMCompat | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowUsersToAddSites -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowUsersToAddSites +``` + - - + + Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) @@ -4204,52 +4047,64 @@ If you disable this policy or do not configure it, users can add Web sites to or This policy prevents users from changing site management settings for security zones established by the administrator. -> [!NOTE] -> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. +Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. + - + + + - -ADMX Info: -- GP Friendly name: *Security Zones: Do not allow users to add/delete sites* -- GP name: *Security_zones_map_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DoNotAllowUsersToChangePolicies** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Security_zones_map_edit | +| Friendly Name | Security Zones: Do not allow users to add/delete sites | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | Security_zones_map_edit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotAllowUsersToChangePolicies -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotAllowUsersToChangePolicies +``` + - - + + Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. @@ -4258,53 +4113,68 @@ If you disable this policy or do not configure it, users can change the settings This policy prevents users from changing security zone settings established by the administrator. -> [!NOTE] -> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. +Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. + - + + + - -ADMX Info: -- GP Friendly name: *Security Zones: Do not allow users to change policies* -- GP name: *Security_options_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DoNotBlockOutdatedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Security_options_edit | +| Friendly Name | Security Zones: Do not allow users to change policies | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | Security_options_edit | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotBlockOutdatedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControls +``` + + + + This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. @@ -4312,715 +4182,856 @@ If you enable this policy setting, Internet Explorer stops blocking outdated Act If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* -- GP name: *VerMgmtDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerMgmtDisable | +| Friendly Name | Turn off blocking of outdated ActiveX controls for Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | VersionCheckEnabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotBlockOutdatedActiveXControlsOnSpecificDomains -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains +``` + + + + This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com". -2. "hostname". For example, if you want to include http://example, use "example". -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm". +1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +2. "hostname". For example, if you want to include https://example, use "example" +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* -- GP name: *VerMgmtDomainAllowlist* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/EnableExtendedIEModeHotkeys** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerMgmtDomainAllowlist | +| Friendly Name | Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | ListBox_DomainAllowlist | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableExtendedIEModeHotkeys -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/EnableExtendedIEModeHotkeys +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/EnableExtendedIEModeHotkeys +``` + + + + This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality. -- If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer. +If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer. -- If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode. +If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode. - - -The following list shows the supported values: +For more information, see + -- 0 (default) - Disabled -- 1 - Enabled + + + - - -ADMX Info: -- GP Friendly name: *Enable extended hot keys in Internet Explorer mode* -- GP name: *EnableExtendedIEModeHotkeys* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/EnableGlobalWindowListInIEMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableExtendedIEModeHotkeys | +| Friendly Name | Enable extended hot keys in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | EnableExtendedIEModeHotkeys | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableGlobalWindowListInIEMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/EnableGlobalWindowListInIEMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/EnableGlobalWindowListInIEMode +``` + + + + This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. -- If you enable this policy, Internet Explorer mode will use the global window list. +If you enable this policy, Internet Explorer mode will use the global window list. -- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. +If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. - - -The following list shows the supported values: +To learn more about Internet Explorer mode, see +To learn more about disabling Internet Explorer 11 as a standalone browser, see + -- 0 (default) - Disabled -- 1 - Enabled + + + - - -ADMX Info: -- GP Friendly name: *Enable global window list in Internet Explorer mode* -- GP name: *EnableGlobalWindowListInIEMode* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/HideInternetExplorer11RetirementNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableGlobalWindowListInIEMode | +| Friendly Name | Enable global window list in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | EnableGlobalWindowListInIEMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|No| -|Windows SE|No|No| -|Business|Yes|No| -|Enterprise|Yes|No| -|Education|Yes|No| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IncludeAllLocalSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllLocalSites +``` - - -This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllLocalSites +``` + -- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. - -- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. - - - -The following list shows the supported values: - -- 0 (default) - Disabled -- 1 - Enabled - - - -ADMX Info: -- GP Friendly name: *Hide Internet Explorer 11 retirement notification* -- GP name: *DisableIEAppDeprecationNotification* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* - - - - -
    - -**InternetExplorer/IncludeAllLocalSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls, whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. + + +This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered in the Intranet Zone (so would typically be in the Internet Zone). +If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. + - + + + - -ADMX Info: -- GP Friendly name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* -- GP name: *IZ_IncludeUnspecifiedLocalSites* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IncludeAllNetworkPaths** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_IncludeUnspecifiedLocalSites | +| Friendly Name | Intranet Sites: Include all local (intranet) sites not listed in other zones | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | +| Registry Value Name | IntranetName | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IncludeAllNetworkPaths -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllNetworkPaths +``` - - -This policy setting controls, whether URLs representing UNCs are mapped into the local Intranet security zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IncludeAllNetworkPaths +``` + + + + +This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet Zone. If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. + - + + + - -ADMX Info: -- GP Friendly name: *Intranet Sites: Include all network paths (UNCs)* -- GP name: *IZ_UNCAsIntranet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_UNCAsIntranet | +| Friendly Name | Intranet Sites: Include all network paths (UNCs) | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | +| Registry Value Name | UNCAsIntranet | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowCopyPasteViaScript** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowCopyPasteViaScript -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowCopyPasteViaScript +``` - - -This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowCopyPasteViaScript +``` + + + + +This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. -If you select Prompt in the drop-down box, users are queried, whether to perform clipboard operations. +If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script can perform a clipboard operation. + - + + + - -ADMX Info: -- GP Friendly name: *Allow cut, copy or paste operations from the clipboard via script* -- GP name: *IZ_PolicyAllowPasteViaScript_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowPasteViaScript | +| Friendly Name | Allow cut, copy or paste operations from the clipboard via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowDragAndDropCopyAndPasteFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +``` - - -This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles +``` + + + + +This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow drag and drop or copy and paste files* -- GP name: *IZ_PolicyDropOrPasteFiles_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDropOrPasteFiles | +| Friendly Name | Allow drag and drop or copy and paste files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowLoadingOfXAMLFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles +``` + + + + This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. @@ -5028,195 +5039,320 @@ If you enable this policy setting and set the drop-down box to Enable, XAML file If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. + - + + + - -ADMX Info: -- GP Friendly name: *Allow loading of XAML files* -- GP name: *IZ_Policy_XAML_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_XAML | +| Friendly Name | Allow loading of XAML files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` - - -This policy setting controls, whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` + + + + +This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use ActiveX controls without prompt* -- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt | +| Friendly Name | Allow only approved domains to use ActiveX controls without prompt | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` - - -This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` + + + + +This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. If you disable this policy setting, the TDC Active X control will run from all sites in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use the TDC ActiveX control* -- GP name: *IZ_PolicyAllowTDCControl_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowScriptInitiatedWindows** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowTDCControl | +| Friendly Name | Allow only approved domains to use the TDC ActiveX control | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` + + + + +This policy setting determines whether a page can control embedded WebBrowser controls via script. + +If you enable this policy setting, script access to the WebBrowser control is allowed. + +If you disable this policy setting, script access to the WebBrowser control is not allowed. + +If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_WebBrowserControl | +| Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## InternetZoneAllowScriptInitiatedWindows + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptInitiatedWindows +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptInitiatedWindows +``` + + + + This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. @@ -5224,301 +5360,325 @@ If you enable this policy setting, Windows Restrictions security will not apply If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + - + + + - -ADMX Info: -- GP Friendly name: *Allow script-initiated windows without size or position constraints* -- GP name: *IZ_PolicyWindowsRestrictionsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyWindowsRestrictionsURLaction | +| Friendly Name | Allow script-initiated windows without size or position constraints | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptlets +``` - - -This policy setting determines, whether a page can control embedded WebBrowser controls via script. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowScriptlets +``` + -If you enable this policy setting, script access to the WebBrowser control is allowed. - -If you disable this policy setting, script access to the WebBrowser control is not allowed. - -If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. - - - - -ADMX Info: -- GP Friendly name: *Allow scripting of Internet Explorer WebBrowser controls* -- GP name: *IZ_Policy_WebBrowserControl_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/InternetZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneAllowUpdatesToStatusBarViaScript -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to manage, whether script is allowed to update the status bar within the zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript +``` + + + + +This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. + - + + + - -ADMX Info: -- GP Friendly name: *Allow updates to status bar via script* -- GP name: *IZ_Policy_ScriptStatusBar_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowUserDataPersistence** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_ScriptStatusBar | +| Friendly Name | Allow updates to status bar via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowUserDataPersistence -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUserDataPersistence +``` - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneAllowVBScriptToRunInInternetExplorer -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer +``` - - -This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer +``` + + + + +This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. If you selected Enable in the drop-down box, VBScript can run without user intervention. @@ -5527,351 +5687,456 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t If you selected Disable in the drop-down box, VBScript is prevented from running. If you do not configure or disable this policy setting, VBScript is prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Allow VBScript to run in Internet Explorer* -- GP name: *IZ_PolicyAllowVBScript_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowVBScript | +| Friendly Name | Allow VBScript to run in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneDoNotRunAntimalwareAgainstActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls +``` + + + + This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - + + + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneDownloadSignedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneDownloadSignedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadSignedActiveXControls +``` - - -This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadSignedActiveXControls +``` + + + + +This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. + - + + + - -ADMX Info: -- GP Friendly name: *Download signed ActiveX controls* -- GP name: *IZ_PolicyDownloadSignedActiveX_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadSignedActiveX | +| Friendly Name | Download signed ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneDownloadUnsignedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +``` - - -This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneDownloadUnsignedActiveXControls +``` + + + + +This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. + - + + + - -ADMX Info: -- GP Friendly name: *Download unsigned ActiveX controls* -- GP name: *IZ_PolicyDownloadUnsignedActiveX_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadUnsignedActiveX | +| Friendly Name | Download unsigned ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneEnableCrossSiteScriptingFilter -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter +``` + + + + This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Cross-Site Scripting Filter* -- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTurnOnXSSFilter | +| Friendly Name | Turn on Cross-Site Scripting Filter | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` + -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. - +In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains across windows* -- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows | +| Friendly Name | Enable dragging of content from different domains across windows | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` + -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. -In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. - +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains within a window* -- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/InternetZoneEnableMIMESniffing** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow | +| Friendly Name | Enable dragging of content from different domains within a window | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## InternetZoneEnableMIMESniffing - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableMIMESniffing +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableMIMESniffing +``` + + + + This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. @@ -5879,149 +6144,194 @@ If you enable this policy setting, the MIME Sniffing Safety Feature will not app If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Enable MIME Sniffing* -- GP name: *IZ_PolicyMimeSniffingURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneEnableProtectedMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyMimeSniffingURLaction | +| Friendly Name | Enable MIME Sniffing | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneEnableProtectedMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableProtectedMode +``` - - -This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities, by reducing the locations that Internet Explorer can write to in the registry and the file system. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneEnableProtectedMode +``` + + + + +This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Protected Mode* -- GP name: *IZ_Policy_TurnOnProtectedMode_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_TurnOnProtectedMode | +| Friendly Name | Turn on Protected Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneIncludeLocalPathWhenUploadingFilesToServer -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +``` - - -This policy setting controls whether or not local path information is sent, when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer +``` + + + + +This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. + - + + + - -ADMX Info: -- GP Friendly name: *Include local path when user is uploading files to a server* -- GP name: *IZ_Policy_LocalPathForUpload_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_LocalPathForUpload | +| Friendly Name | Include local path when user is uploading files to a server | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneInitializeAndScriptActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -6031,937 +6341,1183 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe** +**ADMX mapping**: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - + - - + +## InternetZoneJavaPermissions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -**InternetExplorer/InternetZoneJavaPermissions** + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneJavaPermissions +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneJavaPermissions +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneLaunchingApplicationsAndFilesInIFRAME -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +``` - - -This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME +``` + -If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone, without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. + + +This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. + +If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Launching applications and files in an IFRAME* -- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneLogonOptions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME | +| Friendly Name | Launching applications and files in an IFRAME | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneLogonOptions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLogonOptions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneLogonOptions +``` + + + + This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. -Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol. +Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. -Automatic logon, only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. +Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. + - + + + - -ADMX Info: -- GP Friendly name: *Logon options* -- GP name: *IZ_PolicyLogon_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLogon | +| Friendly Name | Logon options | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` - - -This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` + -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components. + + +This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will execute signed managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components signed with Authenticode* -- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicySignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` - - -This policy setting controls, whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` + + + + +This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. + - + + + - -ADMX Info: -- GP Friendly name: *Show security warning for potentially unsafe files* -- GP name: *IZ_Policy_UnsafeFiles_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/InternetZoneUsePopupBlocker** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_UnsafeFiles | +| Friendly Name | Show security warning for potentially unsafe files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetZoneUsePopupBlocker -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneUsePopupBlocker +``` - - -This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened, when the end user clicks a link are not blocked. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/InternetZoneUsePopupBlocker +``` + + + + +This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. + - + + + - -ADMX Info: -- GP Friendly name: *Use Pop-up Blocker* -- GP name: *IZ_PolicyBlockPopupWindows_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyBlockPopupWindows | +| Friendly Name | Use Pop-up Blocker | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag, and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/IntranetZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## IntranetZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneDoNotRunAntimalwareAgainstActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +``` - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls +``` + + + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - + + + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneInitializeAndScriptActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -6971,182 +7527,315 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntranetZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/IntranetZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/KeepIntranetSitesInInternetExplorer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## JScriptReplacement -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/JScriptReplacement +``` - - -This policy setting prevents intranet sites from being opened in any browser except Internet Explorer. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/JScriptReplacement +``` + -> [!NOTE] -> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) policy is not enabled, then this policy has no effect. + + +This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations. + +If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated. + +If you disable this policy, then JScript will be utilized. + +If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | JScriptReplacement | +| Friendly Name | Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC. | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | JScriptReplacement | +| ADMX File Name | inetres.admx | + + + + + + + + + +## KeepIntranetSitesInInternetExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/KeepIntranetSitesInInternetExplorer +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/KeepIntranetSitesInInternetExplorer +``` + + + + +Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled, this policy has no effect. If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. -If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge. -We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. +If you disable or don’t configure this policy, all intranet sites are automatically opened in Microsoft Edge. + +We strongly recommend keeping this policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally, it’s best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. Related policies: -- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) -- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) +- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’) +- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’) -For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration) +For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see . + - + + + - -ADMX Info: -- GP Friendly name: *Keep all Intranet Sites in Internet Explorer* -- GP name: *KeepIntranetSitesInInternetExplorer* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | KeepIntranetSitesInInternetExplorer | +| Friendly Name | Keep all intranet sites in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | KeepIntranetSitesInInternetExplorer | +| ADMX File Name | inetres.admx | + + + + +**Example**: - - ```xml @@ -7168,535 +7857,681 @@ ADMX Info: ``` - -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## LocalMachineZoneAllowAccessToDataSources - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAccessToDataSources +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAccessToDataSources +``` + -
    - - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LocalMachineZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +``` - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls +``` + -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. - +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LocalMachineZoneInitializeAndScriptActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -7706,606 +8541,785 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Medium Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalMachineZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage whether, .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LockedDownInternetZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneInitializeAndScriptActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -8315,662 +9329,856 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownInternetZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LockedDownIntranetZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneInitializeAndScriptActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -8980,550 +10188,714 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownIntranetZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LockedDownLocalMachineZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneInitializeAndScriptActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -9533,1215 +10905,785 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownLocalMachineZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## LockedDownRestrictedSitesZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage permissions for Java applets. - -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. - -Low Safety enables applets to perform all operations. - -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. - -High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. - -If you disable this policy setting, Java applets cannot run. - -If you do not configure this policy setting, Java applets are disabled. - - - - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. - -If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. - -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - - - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. - - - - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting controls whether, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. - -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. - -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. - - - - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -10751,155 +11693,1053 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LockedDownRestrictedSitesZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowAccessToDataSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowFontDownloads + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowLessPrivilegedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents +``` + + + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowScriptlets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowSmartScreenIE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE +``` + + + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneAllowUserDataPersistence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls +``` + + + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneJavaPermissions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions +``` + + + + +This policy setting allows you to manage permissions for Java applets. + +If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. + +Low Safety enables applets to perform all operations. + +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. + +High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. + +If you disable this policy setting, Java applets cannot run. + +If you do not configure this policy setting, Java applets are disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames +``` + + + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MimeSniffingSafetyFeatureInternetExplorerProcesses -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses +``` + + + + +This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. + +If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. + +If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. + +If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING | +| ADMX File Name | inetres.admx | + + + + + + + + + +## MKProtocolSecurityRestrictionInternetExplorerProcesses + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses +``` + + + + The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. @@ -10907,461 +12747,516 @@ If you enable this policy setting, the MK Protocol is prevented for File Explore If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. + - + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_3* -- GP path: *Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NewTabDefaultPage -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/NewTabDefaultPage +``` - - -This policy setting determines, whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/NewTabDefaultPage +``` + -If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. - -If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. - -If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_6* -- GP path: *Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/NewTabDefaultPage** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to specify, what is displayed when the user opens a new tab. + + +This policy setting allows you to specify what is displayed when the user opens a new tab. If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. -If you disable or do not configure this policy setting, users can select their preference for this behavior. +If you disable or do not configure this policy setting, the user can select his or her preference for this behavior. + - + + + - -ADMX Info: -- GP Friendly name: *Specify default behavior for a new tab* -- GP name: *NewTabAction* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -Supported values: -- 0 - NewTab_AboutBlank (about:blank) -- 1 - NewTab_Homepage (Home page) -- 2 - NewTab_AboutTabs (New tab page) -- 3 - NewTab_AboutNewsFeed (New tab page with my news feed) (Default) - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NewTabAction | +| Friendly Name | Specify default behavior for a new tab | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing | +| ADMX File Name | inetres.admx | + -
    + + + - -**InternetExplorer/NotificationBarInternetExplorerProcesses** + - + +## NotificationBarInternetExplorerProcesses -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/NotificationBarInternetExplorerProcesses +``` - -[Scope](./policy-configuration-service-provider.md#policy-scope): +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/NotificationBarInternetExplorerProcesses +``` + -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. + + +This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. + - + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_10* -- GP path: *Windows Components/Internet Explorer/Security Features/Notification bar* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/PreventManagingSmartScreenFilter** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Notification bar | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PreventManagingSmartScreenFilter -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/PreventManagingSmartScreenFilter +``` - - -This policy setting prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/PreventManagingSmartScreenFilter +``` + -If you enable this policy setting, the user is not prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. + + +This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. -If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. +If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. - +If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. + - -ADMX Info: -- GP Friendly name: *Prevent managing SmartScreen Filter* -- GP name: *Disable_Managing_Safety_Filter_IE9* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/PreventPerUserInstallationOfActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Disable_Managing_Safety_Filter_IE9 | +| Friendly Name | Prevent managing SmartScreen Filter | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\PhishingFilter | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## PreventPerUserInstallationOfActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/PreventPerUserInstallationOfActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/PreventPerUserInstallationOfActiveXControls +``` + + + + This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent per-user installation of ActiveX controls* -- GP name: *DisablePerUserActiveXInstall* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisablePerUserActiveXInstall | +| Friendly Name | Prevent per-user installation of ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Security\ActiveX | +| Registry Value Name | BlockNonAdminActiveXInstall | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProtectionFromZoneElevationInternetExplorerProcesses -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +``` - - -Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation, if there is no security context. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses +``` + + + + +Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. If you disable this policy setting, no zone receives such protection for Internet Explorer processes. If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. + - + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_9* -- GP path: *Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RemoveRunThisTimeButtonForOutdatedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +``` + + + + This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. -If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. +If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. -If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. +If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. + - + + + - -ADMX Info: -- GP Friendly name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer* -- GP name: *VerMgmtDisableRunThisTime* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/ResetZoomForDialogInIEMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerMgmtDisableRunThisTime | +| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext | +| Registry Value Name | RunThisTimeEnabled | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ResetZoomForDialogInIEMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
    :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ResetZoomForDialogInIEMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ResetZoomForDialogInIEMode +``` + + + + This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. -- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. +If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. -- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. +If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. - - -The following list shows the supported values: +For more information, see + -- 0 (default) - Disabled -- 1 - Enabled + + + - - -ADMX Info: -- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* -- GP name: *ResetZoomForDialogInIEMode* -- GP path: *Windows Components/Internet Explorer/Main* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ResetZoomForDialogInIEMode | +| Friendly Name | Reset zoom to default for HTML dialogs in Internet Explorer mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | ResetZoomForDialogInIEMode | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictActiveXInstallInternetExplorerProcesses -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses +``` + + + + This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. @@ -11369,297 +13264,322 @@ If you enable this policy setting, prompting for ActiveX control installations w If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. + - + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_11* -- GP path: *Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +``` - - -This policy setting enables blocking of file download prompts that are not user initiated. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources +``` + -If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. - -If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. - -If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_12* -- GP path: *Windows Components/Internet Explorer/Security Features/Restrict File Download* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowActiveScripting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowActiveScripting -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowActiveScripting +``` - - -This policy setting allows you to manage, whether script code on pages in the zone is run. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowActiveScripting +``` + + + + +This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on pages in the zone is prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Allow active scripting* -- GP name: *IZ_PolicyActiveScripting_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyActiveScripting | +| Friendly Name | Allow active scripting | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowBinaryAndScriptBehaviors -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors +``` + + + + This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. @@ -11667,50 +13587,65 @@ If you enable this policy setting, binary and script behaviors are available. If If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. + - + + + - -ADMX Info: -- GP Friendly name: *Allow binary and script behaviors* -- GP name: *IZ_PolicyBinaryBehaviors_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyBinaryBehaviors | +| Friendly Name | Allow binary and script behaviors | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowCopyPasteViaScript -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +``` - - -This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript +``` + + + + +This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. @@ -11719,249 +13654,324 @@ If you select Prompt in the drop-down box, users are queried as to whether to pe If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script cannot perform a clipboard operation. + - + + + - -ADMX Info: -- GP Friendly name: *Allow cut, copy or paste operations from the clipboard via script* -- GP name: *IZ_PolicyAllowPasteViaScript_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowPasteViaScript | +| Friendly Name | Allow cut, copy or paste operations from the clipboard via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +``` - - -This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles +``` + + + + +This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Allow drag and drop or copy and paste files* -- GP name: *IZ_PolicyDropOrPasteFiles_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDropOrPasteFiles | +| Friendly Name | Allow drag and drop or copy and paste files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFileDownloads +``` - - -This policy setting allows you to manage, whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFileDownloads +``` + + + + +This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented from being downloaded from the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Allow file downloads* -- GP name: *IZ_PolicyFileDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFileDownload | +| Friendly Name | Allow file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowLoadingOfXAMLFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles +``` + + + + This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. @@ -11969,547 +13979,711 @@ If you enable this policy setting and set the drop-down box to Enable, XAML file If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. + - + + + - -ADMX Info: -- GP Friendly name: *Allow loading of XAML files* -- GP name: *IZ_Policy_XAML_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_XAML | +| Friendly Name | Allow loading of XAML files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowMETAREFRESH -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +``` - - -This policy setting allows you to manage, whether a user's browser can be redirected to another Web page, if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH +``` + + + + +This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. + - + + + - -ADMX Info: -- GP Friendly name: *Allow META REFRESH* -- GP name: *IZ_PolicyAllowMETAREFRESH_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowMETAREFRESH | +| Friendly Name | Allow META REFRESH | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls +``` + + + + This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. -If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control, to run from the current site or from all sites. +If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use ActiveX controls without prompt* -- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt | +| Friendly Name | Allow only approved domains to use ActiveX controls without prompt | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` - - -This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl +``` + + + + +This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. If you disable this policy setting, the TDC Active X control will run from all sites in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Allow only approved domains to use the TDC ActiveX control* -- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowTDCControl | +| Friendly Name | Allow only approved domains to use the TDC ActiveX control | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` - - -This policy setting allows you to manage restrictions on script-initiated pop-up windows, and windows that include the title and status bars. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls +``` + -If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. - -If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone, as dictated by the Scripted Windows Security Restrictions feature control setting for the process. - -If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone<> as dictated by the Scripted Windows Security Restrictions feature control setting for the process. - - - - -ADMX Info: -- GP Friendly name: *Allow script-initiated windows without size or position constraints* -- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -
    - - -**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
    - - - -This policy setting determines, whether a page can control embedded WebBrowser controls via script. + + +This policy setting determines whether a page can control embedded WebBrowser controls via script. If you enable this policy setting, script access to the WebBrowser control is allowed. If you disable this policy setting, script access to the WebBrowser control is not allowed. If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scripting of Internet Explorer WebBrowser controls* -- GP name: *IZ_Policy_WebBrowserControl_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_WebBrowserControl | +| Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowScriptInitiatedWindows -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows +``` + + + + +This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. + +If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. + +If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + +If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyWindowsRestrictionsURLaction | +| Friendly Name | Allow script-initiated windows without size or position constraints | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## RestrictedSitesZoneAllowScriptlets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptlets +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneAllowUpdatesToStatusBarViaScript -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to manage, whether script is allowed to update the status bar within the zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript +``` + + + + +This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable or do not configure this policy setting, script is not allowed to update the status bar. + - + + + - -ADMX Info: -- GP Friendly name: *Allow updates to status bar via script* -- GP name: *IZ_Policy_ScriptStatusBar_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_ScriptStatusBar | +| Friendly Name | Allow updates to status bar via script | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowUserDataPersistence -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +``` - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer +``` - - -This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer +``` + + + + +This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. If you selected Enable in the drop-down box, VBScript can run without user intervention. @@ -12518,351 +14692,456 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t If you selected Disable in the drop-down box, VBScript is prevented from running. If you do not configure or disable this policy setting, VBScript is prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Allow VBScript to run in Internet Explorer* -- GP name: *IZ_PolicyAllowVBScript_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAllowVBScript | +| Friendly Name | Allow VBScript to run in Internet Explorer | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` + -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. - +If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneDownloadSignedActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls +``` + + + + +This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. If you do not configure this policy setting, signed controls cannot be downloaded. + - + + + - -ADMX Info: -- GP Friendly name: *Download signed ActiveX controls* -- GP name: *IZ_PolicyDownloadSignedActiveX_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadSignedActiveX | +| Friendly Name | Download signed ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneDownloadUnsignedActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +``` - - -This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls +``` + + + + +This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. + - + + + - -ADMX Info: -- GP Friendly name: *Download unsigned ActiveX controls* -- GP name: *IZ_PolicyDownloadUnsignedActiveX_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDownloadUnsignedActiveX | +| Friendly Name | Download unsigned ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneEnableCrossSiteScriptingFilter -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +``` - - -This policy controls, whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter +``` + + + + +This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Cross-Site Scripting Filter* -- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyTurnOnXSSFilter | +| Friendly Name | Turn on Cross-Site Scripting Filter | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows +``` + -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. - +In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. + - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains across windows* -- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows | +| Friendly Name | Enable dragging of content from different domains across windows | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows +``` + -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + + +This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. -In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. - +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. - -ADMX Info: -- GP Friendly name: *Enable dragging of content from different domains within a window* -- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. + - - + + + -
    + +**Description framework properties**: - -**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow | +| Friendly Name | Enable dragging of content from different domains within a window | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    + +## RestrictedSitesZoneEnableMIMESniffing - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneEnableMIMESniffing +``` + + + + This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. @@ -12870,99 +15149,129 @@ If you enable this policy setting, the MIME Sniffing Safety Feature will not app If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. + - + + + - -ADMX Info: -- GP Friendly name: *Enable MIME Sniffing* -- GP name: *IZ_PolicyMimeSniffingURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyMimeSniffingURLaction | +| Friendly Name | Enable MIME Sniffing | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +``` - - -This policy setting controls, whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer +``` + + + + +This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. -If you do not configure this policy setting, the user can choose whether path information is sent, when he or she is uploading a file via an HTML form. By default, path information is sent. +If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. + - + + + - -ADMX Info: -- GP Friendly name: *Include local path when user is uploading files to a server* -- GP name: *IZ_Policy_LocalPathForUpload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_LocalPathForUpload | +| Friendly Name | Include local path when user is uploading files to a server | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneInitializeAndScriptActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -12972,160 +15281,205 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, Java applets are disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +``` - - -This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME +``` + + + + +This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. + - + + + - -ADMX Info: -- GP Friendly name: *Launching applications and files in an IFRAME* -- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneLogonOptions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME | +| Friendly Name | Launching applications and files in an IFRAME | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneLogonOptions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLogonOptions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneLogonOptions +``` + + + + This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. -Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol. +Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. @@ -13136,100 +15490,130 @@ Automatic logon with current user name and password to attempt logon using Windo If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Prompt for username and password. + - + + + - -ADMX Info: -- GP Friendly name: *Logon options* -- GP name: *IZ_PolicyLogon_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyLogon | +| Friendly Name | Logon options | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneRunActiveXControlsAndPlugins -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +``` - - -This policy setting allows you to manage, whether ActiveX controls and plug-ins can be run on pages from the specified zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins +``` + + + + +This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention. @@ -13238,100 +15622,130 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy setting, controls and plug-ins are prevented from running. + - + + + - -ADMX Info: -- GP Friendly name: *Run ActiveX controls and plugins* -- GP name: *IZ_PolicyRunActiveXControls_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyRunActiveXControls | +| Friendly Name | Run ActiveX controls and plugins | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` - - -This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode +``` + -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components. + + +This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will not execute signed managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components signed with Authenticode* -- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicySignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +``` - - -This policy setting allows you to manage, whether an ActiveX control marked safe for scripting can interact with a script. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting +``` + + + + +This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention. @@ -13340,50 +15754,65 @@ If you select Prompt in the drop-down box, users are queried to choose whether t If you disable this policy setting, script interaction is prevented from occurring. If you do not configure this policy setting, script interaction is prevented from occurring. + - + + + - -ADMX Info: -- GP Friendly name: *Script ActiveX controls marked safe for scripting* -- GP name: *IZ_PolicyScriptActiveXMarkedSafe_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXMarkedSafe | +| Friendly Name | Script ActiveX controls marked safe for scripting | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneScriptingOfJavaApplets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +``` - - -This policy setting allows you to manage, whether applets are exposed to scripts within the zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets +``` + + + + +This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention. @@ -13392,99 +15821,129 @@ If you select Prompt in the drop-down box, users are queried to choose whether t If you disable this policy setting, scripts are prevented from accessing applets. If you do not configure this policy setting, scripts are prevented from accessing applets. + - + + + - -ADMX Info: -- GP Friendly name: *Scripting of Java applets* -- GP name: *IZ_PolicyScriptingOfJavaApplets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptingOfJavaApplets | +| Friendly Name | Scripting of Java applets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` - - -This policy setting controls, whether or not the "Open File - Security Warning" message appears, when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles +``` + + + + +This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. If you disable this policy setting, these files do not open. If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. + - + + + - -ADMX Info: -- GP Friendly name: *Show security warning for potentially unsafe files* -- GP name: *IZ_Policy_UnsafeFiles_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_UnsafeFiles | +| Friendly Name | Show security warning for potentially unsafe files | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneTurnOnProtectedMode -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode +``` + + + + This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. @@ -13492,199 +15951,321 @@ If you enable this policy setting, Protected Mode is turned on. The user cannot If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. If you do not configure this policy setting, the user can turn on or turn off Protected Mode. + - + + + - -ADMX Info: -- GP Friendly name: *Turn on Protected Mode* -- GP name: *IZ_Policy_TurnOnProtectedMode_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/RestrictedSitesZoneUsePopupBlocker** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_TurnOnProtectedMode | +| Friendly Name | Turn on Protected Mode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictedSitesZoneUsePopupBlocker -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneUsePopupBlocker +``` - - -This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictedSitesZoneUsePopupBlocker +``` + + + + +This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. + - + + + - -ADMX Info: -- GP Friendly name: *Use Pop-up Blocker* -- GP name: *IZ_PolicyBlockPopupWindows_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyBlockPopupWindows | +| Friendly Name | Use Pop-up Blocker | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictFileDownloadInternetExplorerProcesses -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +``` - - -Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts pop-up windows, and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/RestrictFileDownloadInternetExplorerProcesses +``` + -If you enable this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes. + + +This policy setting enables blocking of file download prompts that are not user initiated. -If you disable this policy setting, scripts can continue to create pop-up windows and windows that obfuscate other windows. +If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. -If you do not configure this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes. +If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. - +If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. + - -ADMX Info: -- GP Friendly name: *Internet Explorer Processes* -- GP name: *IESF_PolicyExplorerProcesses_8* -- GP path: *Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/SearchProviderList** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Restrict File Download | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## ScriptedWindowSecurityRestrictionsInternetExplorerProcesses -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses +``` + + + + +Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. + +If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. + +If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. + +If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IESF_PolicyExplorerProcesses | +| Friendly Name | Internet Explorer Processes | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS | +| ADMX File Name | inetres.admx | + + + + + + + + + +## SearchProviderList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/SearchProviderList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SearchProviderList +``` + + + + This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. -> [!NOTE] -> This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. +**Note**: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. If you disable or do not configure this policy setting, the user can configure his or her list of search providers. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict search providers to a specific list* -- GP name: *SpecificSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/SecurityZonesUseOnlyMachineSettings** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SpecificSearchProvider | +| Friendly Name | Restrict search providers to a specific list | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions | +| Registry Value Name | UsePolicySearchProvidersOnly | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SecurityZonesUseOnlyMachineSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SecurityZonesUseOnlyMachineSettings +``` + - - + + Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. @@ -13694,71 +16275,110 @@ If you disable this policy or do not configure it, users of the same computer ca This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user. Also, see the "Security zones: Do not allow users to change policies" policy. + - + + + - -ADMX Info: -- GP Friendly name: *Security Zones: Use only machine settings* -- GP name: *Security_HKLM_only* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Security_HKLM_only | +| Friendly Name | Security Zones: Use only machine settings | +| Location | Computer Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | +| Registry Value Name | Security_HKLM_only | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SendSitesNotInEnterpriseSiteListToEdge -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge +``` - - -This setting lets you decide, whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting, and you must include at least one site in the Enterprise Mode Site List. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge +``` + -If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. + + +This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List. -If you disable, or not configure this setting, then it opens all sites based on the currently active browser. +Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. -> [!NOTE] -> If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. +Disabling, or not configuring this setting, opens all sites based on the currently active browser. - - - -ADMX Info: -- GP Friendly name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *RestrictInternetExplorer* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* +Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. + + + > [!NOTE] > This MDM policy is still outstanding. - - + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictInternetExplorer | +| Friendly Name | Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | +| Registry Value Name | RestrictIE | +| ADMX File Name | inetres.admx | + + + + +**Example**: + ```xml @@ -13780,583 +16400,745 @@ ADMX Info: ``` - -**InternetExplorer/SpecifyUseOfActiveXInstallerService** + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SpecifyUseOfActiveXInstallerService - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/SpecifyUseOfActiveXInstallerService +``` -> [!div class = "checklist"] -> * User -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/SpecifyUseOfActiveXInstallerService +``` + -
    - - - + + This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. + - + + + - -ADMX Info: -- GP Friendly name: *Specify use of ActiveX Installer Service for installation of ActiveX controls* -- GP name: *OnlyUseAXISForActiveXInstall* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | OnlyUseAXISForActiveXInstall | +| Friendly Name | Specify use of ActiveX Installer Service for installation of ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\AxInstaller | +| Registry Value Name | OnlyUseAXISForActiveXInstall | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowAccessToDataSources -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +``` - - -This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAccessToDataSources +``` + + + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + - + + + - -ADMX Info: -- GP Friendly name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Friendly Name | Access data sources across domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowAutomaticPromptingForActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +``` - - -This policy setting manages, whether users will be automatically prompted for ActiveX control installations. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls +``` + + + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Friendly Name | Automatic prompting for ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowAutomaticPromptingForFileDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +``` - - -This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads +``` + + + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + - + + + - -ADMX Info: -- GP Friendly name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Friendly Name | Automatic prompting for file downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowFontDownloads -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowFontDownloads +``` - - -This policy setting allows you to manage, whether pages of the zone may download HTML fonts. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowFontDownloads +``` + + + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. + - + + + - -ADMX Info: -- GP Friendly name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyFontDownload | +| Friendly Name | Allow font downloads | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowLessPrivilegedSites -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +``` - - -This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites +``` + + + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. + - + + + - -ADMX Info: -- GP Friendly name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyZoneElevationURLaction | +| Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowNETFrameworkReliantComponents -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +``` - - -This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents +``` + -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. + - + + + - -ADMX Info: -- GP Friendly name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowScriptlets -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowScriptlets +``` - - -This policy setting allows you to manage, whether the user can run scriptlets. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowScriptlets +``` + + + + +This policy setting allows you to manage whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. + - + + + - -ADMX Info: -- GP Friendly name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_Policy_AllowScriptlets | +| Friendly Name | Allow scriptlets | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneAllowSmartScreenIE -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +``` - - -This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowSmartScreenIE +``` + -If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, Windows Defender SmartScreen does not scan pages in this zone for malicious content. +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -> [!NOTE] -> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + - -ADMX Info: -- GP Friendly name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_Policy_Phishing | +| Friendly Name | Turn on SmartScreen Filter scan | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## TrustedSitesZoneAllowUserDataPersistence -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneAllowUserDataPersistence +``` + + + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + - + + + - -ADMX Info: -- GP Friendly name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyUserdataPersistence | +| Friendly Name | Userdata persistence | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` - - -This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls +``` + -If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. + + +This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. - +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. + - -ADMX Info: -- GP Friendly name: *Don't run antimalware programs against ActiveX controls* -- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Friendly Name | Don't run antimalware programs against ActiveX controls | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User -> * Device + +## TrustedSitesZoneInitializeAndScriptActiveXControls -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls +``` + + + + This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -14366,128 +17148,369 @@ If you enable this policy setting and select Prompt in the drop-down box, users If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. + - + + + - -ADMX Info: -- GP Friendly name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneJavaPermissions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Friendly Name | Initialize and script ActiveX controls not marked as safe | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneJavaPermissions -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneJavaPermissions +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneJavaPermissions +``` + + + + This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to Low Safety. + - + + + - -ADMX Info: -- GP Friendly name: *Java permissions* -- GP name: *IZ_PolicyJavaPermissions_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IZ_PolicyJavaPermissions | +| Friendly Name | Java permissions | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TrustedSitesZoneNavigateWindowsAndFrames -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +``` - - -This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. +```Device +./Device/Vendor/MSFT/Policy/Config/InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames +``` + -If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + - + + + - -ADMX Info: -- GP Friendly name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Friendly Name | Navigate windows and frames across different domains | +| Location | Computer and User Configuration | +| Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | +| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | +| ADMX File Name | inetres.admx | + + + + + + + + + +## AllowAutoComplete + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete +``` + + + + +This AutoComplete feature can remember and suggest User names and passwords on Forms. + +If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". + +If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. + +If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictFormSuggestPW | +| Friendly Name | Turn on the auto-complete feature for user names and passwords on forms | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | FormSuggest Passwords | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableActiveXVersionListAutoDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload +``` + + + + +This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + +If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. + +If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML. + +For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | VersionListAutomaticDownloadDisable | +| Friendly Name | Turn off automatic download of the ActiveX VersionList | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Internet Explorer\VersionManager | +| Registry Value Name | DownloadVersionList | +| ADMX File Name | inetres.admx | + + + + + + + + + +## DisableHomePageChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange +``` + + + + +The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. + +If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. + +If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictHomePage | +| Friendly Name | Disable changing home page settings | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | HomePage | +| ADMX File Name | inetres.admx | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 5756469e38ecd742d8d1f3b9c6573f9b19b99eb9 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Mon, 2 Jan 2023 17:28:37 -0500 Subject: [PATCH 085/152] kerbernos --- .../mdm/policy-csp-kerberos.md | 1204 +++++++++-------- 1 file changed, 653 insertions(+), 551 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 0950cd842a..9fe15efb61 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,672 +1,774 @@ --- -title: Policy CSP - Kerberos -description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). +title: Kerberos Policy CSP +description: Learn more about the Kerberos Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/02/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Kerberos -
    - - -## Kerberos policies - -
    -
    - Kerberos/AllowForestSearchOrder -
    -
    - Kerberos/CloudKerberosTicketRetrievalEnabled -
    -
    - Kerberos/KerberosClientSupportsClaimsCompoundArmor -
    -
    - Kerberos/PKInitHashAlgorithmConfiguration -
    -
    - Kerberos/PKInitHashAlgorithmSHA1 -
    -
    - Kerberos/PKInitHashAlgorithmSHA256 -
    -
    - Kerberos/PKInitHashAlgorithmSHA384 -
    -
    - Kerberos/PKInitHashAlgorithmSHA512 -
    -
    - Kerberos/RequireKerberosArmoring -
    -
    - Kerberos/RequireStrictKDCValidation -
    -
    - Kerberos/SetMaximumContextTokenSize -
    -
    - Kerberos/UPNNameHints -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**Kerberos/AllowForestSearchOrder** + +## AllowForestSearchOrder - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/AllowForestSearchOrder +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the Kerberos client searches the forests in this list, if it's unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. +If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. -If you disable or don't configure this policy setting, the Kerberos client doesn't search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name isn't found, NTLM authentication might be used. +If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + - + + + - -ADMX Info: -- GP Friendly name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Kerberos/CloudKerberosTicketRetrievalEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | forestsearch | +| Friendly Name | Use forest search order | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | UseForestSearch | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CloudKerberosTicketRetrievalEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled +``` + - - -This policy allows retrieving the cloud Kerberos ticket during the sign in. + + +This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon. -- If you disable (0) or don't configure this policy setting, the cloud Kerberos ticket isn't retrieved during the sign in. +If you disable or do not configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket is not retrieved during logon. -- If you enable (1) this policy, the cloud Kerberos ticket is retrieved during the sign in. - +If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon. + - -Valid values: -0 (default) - Disabled -1 - Enabled + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow retrieving the cloud Kerberos ticket during the logon* -- GP name: *CloudKerberosTicketRetrievalEnabled* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
    +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | CloudKerberosTicketRetrievalEnabled | +| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | CloudKerberosTicketRetrievalEnabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KerberosClientSupportsClaimsCompoundArmor -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/KerberosClientSupportsClaimsCompoundArmor +``` + - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring, using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. -If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition. +If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. + - + + + - -ADMX Info: -- GP Friendly name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Kerberos/PKInitHashAlgorithmConfiguration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableCbacAndArmor | +| Friendly Name | Kerberos client support for claims, compound authentication and Kerberos armoring | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | EnableCbacAndArmor | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKInitHashAlgorithmConfiguration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
    - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration +``` + + + This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. -If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies. +If you enable this policy, you will be able to configure one of four states for each algorithm: + +- “Default” sets the algorithm to the recommended state. + +- “Supported” enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +- “Audited” enables usage of the algorithm and reports an event (ID 206) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled. + +- “Not Supported” disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. + +If you disable or do not configure this policy, each algorithm will assume the “Default” state. +More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at . + +Events generated by this configuration: 205, 206, 207, 208. + + + + + + + +**Description framework properties**: -If you disable or don't configure this policy, each algorithm will assume the **Default** state. - -* 0 - **Disabled** -* 1 - **Enabled** - -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037. - - - - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
    - - -**Kerberos/PKInitHashAlgorithmSHA1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: - -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. - -If you don't configure this policy, the SHA1 algorithm will assume the **Default** state. - - - - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
    - - -**Kerberos/PKInitHashAlgorithmSHA256** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: - -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. - -If you don't configure this policy, the SHA256 algorithm will assume the **Default** state. - - - - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
    - - -**Kerberos/PKInitHashAlgorithmSHA384** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: - -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. - -If you don't configure this policy, the SHA384 algorithm will assume the **Default** state. - - - - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
    - - -**Kerberos/PKInitHashAlgorithmSHA512** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: - -* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -* 1 - **Default**: This state sets the algorithm to the recommended state. -* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. -* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. - -If you don't configure this policy, the SHA512 algorithm will assume the **Default** state. - - - - -ADMX Info: -- GP Friendly name: *Configure Hash algorithms for certificate logon* -- GP name: *PKInitHashAlgorithmConfiguration* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - -
    - - -**Kerberos/RequireKerberosArmoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls whether a computer requires that Kerberos message exchanges being armored when communicating with a domain controller. - -> [!WARNING] -> When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled / Not Configured | +| 1 | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmConfiguration | +| Friendly Name | Configure hash algorithms for certificate logon | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | PKInitHashAlgorithmConfigurationEnabled | +| ADMX File Name | Kerberos.admx | + + + + + + + + + +## PKInitHashAlgorithmSHA1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA1 +``` + + + + +Configure SHA-1 hash algorithm for certificate logon + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not Supported | +| 1 (Default) | Default | +| 2 | Audited | +| 3 | Supported | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA1 | +| Path | Kerberos > AT > System > kerberos | + + + + + + + + + +## PKInitHashAlgorithmSHA256 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA256 +``` + + + + +Configure SHA-256 hash algorithm for certificate logon + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not Supported | +| 1 (Default) | Default | +| 2 | Audited | +| 3 | Supported | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA256 | +| Path | Kerberos > AT > System > kerberos | + + + + + + + + + +## PKInitHashAlgorithmSHA384 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA384 +``` + + + + +Configure SHA-384 hash algorithm for certificate logon + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not Supported | +| 1 (Default) | Default | +| 2 | Audited | +| 3 | Supported | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA384 | +| Path | Kerberos > AT > System > kerberos | + + + + + + + + + +## PKInitHashAlgorithmSHA512 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmSHA512 +``` + + + + +Configure SHA-512 hash algorithm for certificate logon + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not Supported | +| 1 (Default) | Default | +| 2 | Audited | +| 3 | Supported | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | PKInitHashAlgorithmSHA512 | +| Path | Kerberos > AT > System > kerberos | + + + + + + + + + +## RequireKerberosArmoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/RequireKerberosArmoring +``` + + + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. + +Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. -> [!NOTE] -> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. -If you disable or don't configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. +If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. + - + + + - -ADMX Info: -- GP Friendly name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Kerberos/RequireStrictKDCValidation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClientRequireFast | +| Friendly Name | Fail authentication requests when Kerberos armoring is not available | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | RequireFast | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequireStrictKDCValidation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/RequireStrictKDCValidation +``` + - - + + This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. -If you disable or don't configure this policy setting, the Kerberos client requires only the KDC certificate that contains the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server. +If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + - + + + - -ADMX Info: -- GP Friendly name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Kerberos/SetMaximumContextTokenSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ValidateKDC | +| Friendly Name | Require strict KDC validation | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | KdcValidation | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetMaximumContextTokenSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/SetMaximumContextTokenSize +``` + - - -This policy setting allows you to set the value returned to applications that request the maximum size of the SSPI context token buffer size. + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. -If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. -> [!NOTE] -> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8, the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes. +Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + - + + + - -ADMX Info: -- GP Friendly name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**Kerberos/UPNNameHints** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxTokenSize | +| Friendly Name | Set maximum Kerberos SSPI context token buffer size | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | System\CurrentControlSet\Control\Lsa\Kerberos\Parameters | +| Registry Value Name | EnableMaxTokenSize | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## UPNNameHints -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Kerberos/UPNNameHints +``` + - - -Adds a list of domains that an Azure Active Directory-joined device can attempt to contact when it can't resolve a UPN to a principal. + + +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. + -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures, when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. + + + - - + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - - + + + - - -
    + - + + + -## Related topics + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From e5f68bb6e9412bbb141aff4dd4e8cc0d9dfa849d Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 3 Jan 2023 10:05:10 -0500 Subject: [PATCH 086/152] kioskbrowser --- .../mdm/policy-csp-kioskbrowser.md | 496 ++++++++++-------- 1 file changed, 282 insertions(+), 214 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 693f130feb..162f7c6bb1 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -1,313 +1,381 @@ --- -title: Policy CSP - KioskBrowser -description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. +title: KioskBrowser Policy CSP +description: Learn more about the KioskBrowser Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - KioskBrowser -These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). + + + + +## BlockedUrlExceptions -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -## KioskBrowser policies + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrlExceptions +``` -
    -
    - KioskBrowser/BlockedUrlExceptions -
    -
    - KioskBrowser/BlockedUrls -
    -
    - KioskBrowser/DefaultURL -
    -
    - KioskBrowser/EnableEndSessionButton -
    -
    - KioskBrowser/EnableHomeButton -
    -
    - KioskBrowser/EnableNavigationButtons -
    -
    - KioskBrowser/RestartOnIdleTime -
    -
    +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrlExceptions +``` + + + +List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. + -
    - - -**KioskBrowser/BlockedUrlExceptions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -List of exceptions to the blocked website URLs (with wildcard support). This policy is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**KioskBrowser/BlockedUrls** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## BlockedUrls - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrls +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/BlockedUrls +``` + -
    - - - -List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character. + + +List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + - -**KioskBrowser/DefaultURL** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DefaultURL - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/DefaultURL +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/DefaultURL +``` + -
    - - - + + Configures the default URL kiosk browsers to navigate on launch and restart. + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**KioskBrowser/EnableEndSessionButton** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## EnableEndSessionButton - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +``` -> [!div class = "checklist"] -> * Device +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +``` + -
    + + +Enable/disable kiosk browser's end session button. + - - -Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. + + +When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user selects the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk browser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**KioskBrowser/EnableHomeButton** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableHomeButton -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/EnableHomeButton +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/EnableHomeButton +``` + + + + Enable/disable kiosk browser's home button. + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**KioskBrowser/EnableNavigationButtons** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableNavigationButtons -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/EnableNavigationButtons +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/EnableNavigationButtons +``` + + + + Enable/disable kiosk browser's navigation buttons (forward/back). + + + > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**KioskBrowser/RestartOnIdleTime** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestartOnIdleTime -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/KioskBrowser/RestartOnIdleTime +``` - - -Amount of time in minutes, the session is idle until the kiosk browser restarts in a fresh state. +```Device +./Device/Vendor/MSFT/Policy/Config/KioskBrowser/RestartOnIdleTime +``` + + + +Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. + + + + The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. + - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1440]` | +| Default Value | 0 | + -## Related topics + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 98999f3a39bf5beea272e42d0137c8c00bba6048 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 10:31:38 -0500 Subject: [PATCH 087/152] ADMX Help Policy Review --- .../mdm/policy-csp-admx-help.md | 394 ++++++++++-------- 1 file changed, 213 insertions(+), 181 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 80b40e5fdd..1e23d7534a 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,265 +1,297 @@ --- -title: Policy CSP - ADMX_Help -description: Learn about the Policy CSP - ADMX_Help. +title: ADMX_Help Policy CSP +description: Learn more about the ADMX_Help Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/03/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Help ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Help policies + +## DisableHHDEP -
    -
    - ADMX_Help/DisableHHDEP -
    -
    - ADMX_Help/HelpQualifiedRootDir_Comp -
    -
    - ADMX_Help/RestrictRunFromHelp -
    -
    - ADMX_Help/RestrictRunFromHelp_Comp -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/DisableHHDEP +``` + -
    - - -**ADMX_Help/DisableHHDEP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. -If you enable this policy setting, DEP for HTML Help Executable is turned off. This turn off will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. +If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. -If you disable or don't configure this policy setting, DEP is turned on for HTML Help Executable. This turn on provides one more security benefit, but HTML Help stops if DEP detects system memory abnormalities. +If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTLM Help stops if DEP detects system memory abnormalities. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Data Execution Prevention for HTML Help Executable* -- GP name: *DisableHHDEP* -- GP path: *System* -- GP ADMX file name: *Help.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Help/HelpQualifiedRootDir_Comp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableHHDEP | +| Friendly Name | Turn off Data Execution Prevention for HTML Help Executible | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableHHDEP | +| ADMX File Name | Help.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HelpQualifiedRootDir_Comp -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HelpQualifiedRootDir_Comp +``` + - - -This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It's recommended that only folders requiring administrative privileges be added to this policy setting. + + +This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. To restrict the commands to one or more folders, enable the policy setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder". -> [!NOTE] -> An environment variable may be used, (for example, %windir%), as long as it's defined on the system. For example, %programfiles% is not defined on some early versions of Windows. +Note: An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows. The "Shortcut" command is used to add a link to a Help topic, and runs executables that are external to the Help file. The "WinHelp" command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on the Settings tab of the Policy Properties dialog box blank. -If you disable or don't configure this policy setting, these commands are fully functional for all Help files. +If you disable or do not configure this policy setting, these commands are fully functional for all Help files. -> [!NOTE] -> Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. +Note: Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. -For more options, see the "Restrict these programs from being launched from Help" policy. +For additional options, see the "Restrict these programs from being launched from Help" policy. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict potentially unsafe HTML Help functions to specified folders* -- GP name: *HelpQualifiedRootDir_Comp* -- GP path: *System* -- GP ADMX file name: *Help.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Help/RestrictRunFromHelp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HelpQualifiedRootDir_Comp | +| Friendly Name | Restrict potentially unsafe HTML Help functions to specified folders | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RestrictRunFromHelp_Comp -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/RestrictRunFromHelp_Comp +``` + - - + + This policy setting allows you to restrict programs from being run from online Help. -If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas. +If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. -If you disable or don't configure this policy setting, users can run all applications from online Help. +If you disable or do not configure this policy setting, users can run all applications from online Help. -> [!NOTE] -> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. -> -> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. +Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. - +Note: This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help + + + + - -ADMX Info: -- GP Friendly name: *Restrict these programs from being launched from Help* -- GP name: *RestrictRunFromHelp* -- GP path: *System* -- GP ADMX file name: *Help.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Help/RestrictRunFromHelp_Comp** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | RestrictRunFromHelp_Comp | +| Friendly Name | Restrict these programs from being launched from Help | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RestrictRunFromHelp -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Help/RestrictRunFromHelp +``` + + + + This policy setting allows you to restrict programs from being run from online Help. -If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas. +If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. -If you disable or don't configure this policy setting, users can run all applications from online Help. +If you disable or do not configure this policy setting, users can run all applications from online Help. -> [!NOTE] -> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. -> -> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help. - +Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. +Note: This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help + - -ADMX Info: -- GP Friendly name: *Restrict these programs from being launched from Help* -- GP name: *RestrictRunFromHelp_Comp* -- GP path: *System* -- GP ADMX file name: *Help.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | RestrictRunFromHelp | +| Friendly Name | Restrict these programs from being launched from Help | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From f32de8326d26613981a3d37a6f2267e84938ce78 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 10:36:47 -0500 Subject: [PATCH 088/152] ADMX HelpAndSupport policy review --- .../mdm/policy-csp-admx-helpandsupport.md | 373 ++++++++++-------- 1 file changed, 206 insertions(+), 167 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index f4b99642f1..2098f1a31d 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,241 +1,280 @@ --- -title: Policy CSP - ADMX_HelpAndSupport -description: Learn about the Policy CSP - ADMX_HelpAndSupport. +title: ADMX_HelpAndSupport Policy CSP +description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/03/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_HelpAndSupport ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_HelpAndSupport policies + +## ActiveHelp -
    -
    - ADMX_HelpAndSupport/ActiveHelp -
    -
    - ADMX_HelpAndSupport/HPExplicitFeedback -
    -
    - ADMX_HelpAndSupport/HPImplicitFeedback -
    -
    - ADMX_HelpAndSupport/HPOnlineAssistance -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/ActiveHelp +``` + -
    - - -**ADMX_HelpAndSupport/ActiveHelp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. -If you enable this policy setting, active content links aren't rendered. The text is displayed, but there are no clickable links for these elements. +If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. -If you disable or don't configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). +If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Active Help* -- GP name: *ActiveHelp* -- GP path: *Windows Components/Online Assistance* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_HelpAndSupport/HPExplicitFeedback** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ActiveHelp | +| Friendly Name | Turn off Active Help | +| Location | Computer Configuration | +| Path | Windows Components > Online Assistance | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoActiveHelp | +| ADMX File Name | HelpAndSupport.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HPExplicitFeedback -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/HPExplicitFeedback +``` + - - + + This policy setting specifies whether users can provide ratings for Help content. -If you enable this policy setting, ratings controls aren't added to Help content. +If you enable this policy setting, ratings controls are not added to Help content. -If you disable or don't configure this policy setting, ratings controls are added to Help topics. +If you disable or do not configure this policy setting, ratings controls are added to Help topics. Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help Ratings* -- GP name: *HPExplicitFeedback* -- GP path: *System/Internet Communication Management/Internet Communication settings* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_HelpAndSupport/HPImplicitFeedback** - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HPExplicitFeedback | +| Friendly Name | Turn off Help Ratings | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoExplicitFeedback | +| ADMX File Name | HelpAndSupport.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HPImplicitFeedback -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/HPImplicitFeedback +``` + + + + This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. -If you enable this policy setting, users can't participate in the Help Experience Improvement program. +If you enable this policy setting, users cannot participate in the Help Experience Improvement program. -If you disable or don't configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. +If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help Experience Improvement Program* -- GP name: *HPImplicitFeedback* -- GP path: *System/Internet Communication Management/Internet Communication settings* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_HelpAndSupport/HPOnlineAssistance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HPImplicitFeedback | +| Friendly Name | Turn off Help Experience Improvement Program | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoImplicitFeedback | +| ADMX File Name | HelpAndSupport.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HPOnlineAssistance -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_HelpAndSupport/HPOnlineAssistance +``` + - - + + This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. -If you disable or don't configure this policy setting, users can access online assistance if they have a connection to the Internet and haven't disabled Windows Online from the Help and Support Options page. +If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Online* -- GP name: *HPOnlineAssistance* -- GP path: *System/Internet Communication Management/Internet Communication settings* -- GP ADMX file name: *HelpAndSupport.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | HPOnlineAssistance | +| Friendly Name | Turn off Windows Online | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Assistance\Client\1.0 | +| Registry Value Name | NoOnlineAssist | +| ADMX File Name | HelpAndSupport.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 0f734a513f1b368098bb8a0fe01f9a9ceb5034a8 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 10:55:29 -0500 Subject: [PATCH 089/152] ADMX_HotSpotAuth policy review --- .../mdm/policy-csp-admx-hotspotauth.md | 133 +++++++++--------- 1 file changed, 70 insertions(+), 63 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 56106a030b..3d1f933b5d 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,93 +1,100 @@ --- -title: Policy CSP - ADMX_HotSpotAuth -description: Learn about the Policy CSP - ADMX_HotSpotAuth. +title: ADMX_hotspotauth Policy CSP +description: Learn more about the ADMX_hotspotauth Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/15/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- -# Policy CSP - ADMX_HotSpotAuth + + + +# Policy CSP - ADMX_hotspotauth > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_HotSpotAuth policies + +## HotspotAuth_Enable -
    -
    - ADMX_HotSpotAuth/HotspotAuth_Enable -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_hotspotauth/HotspotAuth_Enable +``` + - -**ADMX_HotSpotAuth/HotspotAuth_Enable** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - + + This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support. -- If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. +If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. -- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. +If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. -- If you enable this policy setting, or if you don't configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. +If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. + -- If you disable this policy setting, WLAN hotspots aren't probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Hotspot Authentication* -- GP name: *HotspotAuth_Enable* -- GP path: *Network\Hotspot Authentication* -- GP ADMX file name: *HotSpotAuth.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | HotspotAuth_Enable | +| Friendly Name | Enable Hotspot Authentication | +| Location | Computer Configuration | +| Path | Network > Hotspot Authentication | +| Registry Key Name | Software\Policies\Microsoft\Windows\HotspotAuthentication | +| Registry Value Name | Enabled | +| ADMX File Name | hotspotauth.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 5a7e0b7f2531d1f16a964ed27631733019eb16d1 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 3 Jan 2023 12:33:25 -0500 Subject: [PATCH 090/152] lanmanworkstation licensing localpoliciessecurityoptions --- .../mdm/policy-csp-lanmanworkstation.md | 129 +- .../mdm/policy-csp-licensing.md | 225 +- ...policy-csp-localpoliciessecurityoptions.md | 5706 +++++++++-------- 3 files changed, 3117 insertions(+), 2943 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 6e47698868..842f4da6b6 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,85 +1,100 @@ --- -title: Policy CSP - LanmanWorkstation -description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server. +title: LanmanWorkstation Policy CSP +description: Learn more about the LanmanWorkstation Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LanmanWorkstation -
    + + + - -## LanmanWorkstation policies + +## EnableInsecureGuestLogons -
    -
    - LanmanWorkstation/EnableInsecureGuestLogons -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons +``` + - -**LanmanWorkstation/EnableInsecureGuestLogons** + + +This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. - +If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, the SMB client will reject insecure guest logons. - -
    +Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access." + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - -This policy setting determines, if the SMB client will allow insecure guest sign in to an SMB server. + +**Allowed values**: -If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign in. +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled | +| 1 | Enabled | + -If you disable this policy setting, the SMB client will reject insecure guest sign in. + +**Group policy mapping**: -Insecure guest sign in are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign in are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication, and don't use insecure guest sign in by default. Since insecure guest sign in are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign in are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign in and configuring file servers to require authenticated access. +| Name | Value | +|:--|:--| +| Name | Pol_EnableInsecureGuestLogons | +| Friendly Name | Enable insecure guest logons | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AllowInsecureGuestAuth | +| ADMX File Name | LanmanWorkstation.admx | + - - -ADMX Info: -- GP Friendly name: *Enable insecure guest logons* -- GP name: *Pol_EnableInsecureGuestLogons* -- GP path: *Network/Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* + + + - - -This setting supports a range of values between 0 and 1. + - - -
    + + + - + -## Related topics +## Related articles -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 4e778754ce..4510db53df 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,135 +1,166 @@ --- -title: Policy CSP - Licensing -description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices. +title: Licensing Policy CSP +description: Learn more about the Licensing Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Licensing -
    + + + - -## Licensing policies + +## AllowWindowsEntitlementReactivation -
    -
    - Licensing/AllowWindowsEntitlementReactivation -
    -
    - Licensing/DisallowKMSClientOnlineAVSValidation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Licensing/AllowWindowsEntitlementReactivation +``` + - -**Licensing/AllowWindowsEntitlementReactivation** + + +This policy setting controls whether OS Reactivation is blocked on a device. +Policy Options: +- Not Configured (default -- Windows registration and reactivation is allowed) +- Disabled (Windows registration and reactivation is not allowed) +- Enabled (Windows registration is allowed) + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 | Disable Windows license reactivation on managed devices. | +| 1 (Default) | Enable Windows license reactivation on managed devices. | + -
    + +**Group policy mapping**: - - -Enables or Disable Windows license reactivation on managed devices. +| Name | Value | +|:--|:--| +| Name | AllowWindowsEntitlementReactivation | +| Friendly Name | Control Device Reactivation for Retail devices | +| Location | Computer Configuration | +| Path | Windows Components > Software Protection Platform | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform | +| Registry Value Name | AllowWindowsEntitlementReactivation | +| ADMX File Name | AVSValidationGP.admx | + - - -ADMX Info: -- GP Friendly name: *Control Device Reactivation for Retail devices* -- GP name: *AllowWindowsEntitlementReactivation* -- GP path: *Windows Components/Software Protection Platform* -- GP ADMX file name: *AVSValidationGP.admx* + + + - - -The following list shows the supported values: + -- 0 – Disable Windows license reactivation on managed devices. -- 1 (default) – Enable Windows license reactivation on managed devices. + +## DisallowKMSClientOnlineAVSValidation - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/Licensing/DisallowKMSClientOnlineAVSValidation +``` + - -**Licensing/DisallowKMSClientOnlineAVSValidation** + + +This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +If you disable or do not configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates. +Policy Options: +- Not Configured (default -- data will be automatically sent to Microsoft) +- Disabled (data will be automatically sent to Microsoft) +- Enabled (data will not be sent to Microsoft) + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Allowed values**: -> [!div class = "checklist"] -> * Device +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + -
    + +**Group policy mapping**: - - -Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. +| Name | Value | +|:--|:--| +| Name | NoAcquireGT | +| Friendly Name | Turn off KMS Client Online AVS Validation | +| Location | Computer Configuration | +| Path | Windows Components > Software Protection Platform | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform | +| Registry Value Name | NoGenTicket | +| ADMX File Name | AVSValidationGP.admx | + - - -ADMX Info: -- GP Friendly name: *Turn off KMS Client Online AVS Validation* -- GP name: *NoAcquireGT* -- GP path: *Windows Components/Software Protection Platform* -- GP ADMX file name: *AVSValidationGP.admx* + + + - - -The following list shows the supported values: + -- 0 (default) – Disabled -- 1 – Enabled + + + - - -
    + +## Related articles - - -## Related topics - -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 73346cab09..a3014db5d5 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,2850 +1,2978 @@ --- -title: Policy CSP - LocalPoliciesSecurityOptions -description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. +title: LocalPoliciesSecurityOptions Policy CSP +description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 12/16/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LocalPoliciesSecurityOptions -
    - - -## LocalPoliciesSecurityOptions policies - -
    -
    - LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts -
    -
    - LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus -
    - LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus -
    -
    - LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly -
    -
    - LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount -
    -
    - LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount -
    -
    - LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon -
    -
    - LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia -
    -
    - LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters -
    -
    - LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -
    -
    - LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways -
    -
    - LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares -
    -
    - LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic -
    -
    - LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers -
    -
    - LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn -
    -
    - LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode -
    -
    - LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations -
    -
    - -
    - + + > [!NOTE] > To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). + + + +## Accounts_BlockMicrosoftAccounts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts +``` + + + + +This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (users will be able to use Microsoft accounts with Windows). | +| 1 | Enabled (users can't add Microsoft accounts). | +| 3 | Users can't add or log on with Microsoft accounts | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Block Microsoft accounts | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Accounts_EnableAdministratorAccountStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus +``` + + + + +This security setting determines whether the local Administrator account is enabled or disabled. + +**Note** s If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Administrator account status | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Accounts_EnableGuestAccountStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus +``` + + + + +This security setting determines if the Guest account is enabled or disabled. Default: Disabled. + +**Note**: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Guest account status | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly +``` + + + + +Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. + +**Warning**: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. + +**Note** s This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Limit local account use of blank passwords to console logon only | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Accounts_RenameAdministratorAccount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount +``` + + + + +Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Administrator | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Rename administrator account | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Accounts_RenameGuestAccount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount +``` + + + + +Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Guest | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Accounts: Rename guest account | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Devices_AllowedToFormatAndEjectRemovableMedia + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia +``` + + + + +Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Allowed to format and eject removable media | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Devices_AllowUndockWithoutHavingToLogon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon +``` + + + + +Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Block | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Allow undock without having to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters +``` + + + + +Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Prevent users from installing printer drivers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly +``` + + + + +Devices: Restrict CD-ROM access to locally logged-on user only This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Devices: Restrict CD-ROM access to locally logged-on user only | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked +``` + + + + +Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Do not display user information (3) Domain and user names only (4) + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | User display name, domain and user names | +| 2 | User display name only | +| 3 | Do not display user information | +| 4 | Domain and user names only | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Display user information when the session is locked | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DoNotDisplayLastSignedIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn +``` + + + + +Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled (username will be shown) | +| 1 | Enabled (username will not be shown) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Don't display last signed-in | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DoNotDisplayUsernameAtSignIn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn +``` + + + + +Interactive logon: Don't display username at sign-in This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled (username will be shown) | +| 1 (Default) | Enabled (username will not be shown) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Don't display username at sign-in | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_DoNotRequireCTRLALTDEL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL +``` + + + + +Interactive logon: Do not require CTRL+ALT+DEL This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled (a user is not required to press CTRL+ALT+DEL to log on) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Do not require CTRL+ALT+DEL | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## InteractiveLogon_MachineInactivityLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit +``` + + + + +Interactive logon: Machine inactivity limit. Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-599940]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Interactive logon: Machine inactivity limit | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + +**Validate**: - -**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer. Switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system. - -If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Block Microsoft accounts* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - disabled (users will be able to use Microsoft accounts with Windows). -- 1 - enabled (users can't add Microsoft accounts). - - - - -
    - - -**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting allows the administrator to enable the local Administrator account. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Enable Administrator Account Status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - disabled (local Administrator account is disabled). -- 1 - enabled (local Administrator account is enabled). - - - - -
    - -**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This setting allows the administrator to enable the guest Administrator account. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Enable Guest Account Status* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - disabled (local Administrator account is disabled). -- 1 - enabled (local Administrator account is enabled). - - - - -
    - - -**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard. - -Default: Enabled - -> [!WARNING] -> Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers. -> -> If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. - -This setting doesn't affect sign in that use domain accounts. -It's possible for applications that use remote interactive sign in to bypass this setting. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Limit local account use of blank passwords to console logon only* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. -- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard. - - - - -
    - - -**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator - -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Rename administrator account* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest - -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Accounts: Rename guest account* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Allow undock without having to sign in - -This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer. - -Default: Enabled - -> [!CAUTION] -> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - -GP Info: -- GP Friendly name: *Devices: Allow undock without having to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -- Administrators. -- Administrators and Interactive Users. - -Default: This policy isn't defined, and only Administrators have this ability. - - - -GP Info: -- GP Friendly name: *Devices: Allowed to format and eject removable media* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled -Default on workstations: Disabled - ->[!NOTE] ->This setting doesn't affect the ability to add a local printer. This setting doesn't affect Administrators. - - - -GP Info: -- GP Friendly name: *Devices: Prevent users from installing printer drivers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy isn't defined and CD-ROM access isn't restricted to the locally logged-on user. - - - -GP Info: -- GP Friendly name: *Devices: Restrict CD-ROM access to locally logged-on user only* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive Logon: Display user information when the session is locked - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Display user information when the session is locked* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 1 - User display name, domain and user names. -- 2 - User display name only. -- 3 - Don't display user information. - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Don't display last signed-in - -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. - -If this policy is enabled, the username won't be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Don't display last signed-in* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled (username will be shown). -- 1 - enabled (username won't be shown). - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Don't display username at sign-in - -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. - -If this policy is enabled, the username won't be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Don't display username at sign-in* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled (username will be shown). -- 1 - enabled (username won't be shown). - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Don't require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in. - -If this policy is enabled on a computer, a user isn't required to press CTRL+ALT+DEL to sign in. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users sign in ensures that users are communicating through a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8 / Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Do not require CTRL+ALT+DEL* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in). - - - - -
    - - -**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Interactive logon: Machine inactivity limit - -Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: Not enforced - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Interactive logon: Machine inactivity limit* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - Valid values: From 0 to 599940, where the value is the amount of inactivity time (in seconds) after which the session will be locked. If it's set to zero (0), the setting is disabled. + - - + -
    + +## InteractiveLogon_MessageTextForUsersAttemptingToLogOn - -**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Interactive logon: Message text for users attempting to log on This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + -
    + +**Group policy mapping**: - - -Interactive logon: Message text for users attempting to sign in +| Name | Value | +|:--|:--| +| Name | Interactive logon: Message text for users attempting to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + -This security setting specifies a text message that is displayed to users when they sign in. + + + -This text is often used for legal reasons. For example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. + -Default: No message + +## InteractiveLogon_MessageTitleForUsersAttemptingToLogOn -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + - - -GP Info: -- GP Friendly name: *Interactive logon: Message text for users attempting to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn +``` + - - + + +Interactive logon: Message title for users attempting to log on This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. + -
    + + + - -**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Interactive logon: Message title for users attempting to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## InteractiveLogon_SmartCardRemovalBehavior - - -Interactive logon: Message title for users attempting to sign in + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior +``` + -Default: No message + + +Interactive logon: Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. -This policy supports the following: -- Supported value type is string. -- Supported operations are Add, Get, Replace, and Delete. +**Note**: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. + - - -GP Info: -- GP Friendly name: *Interactive logon: Message title for users attempting to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - -**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior** + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | No Action | +| 1 | Lock Workstation | +| 2 | Force Logoff | +| 3 | Disconnect if a Remote Desktop Services session | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Group policy mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Interactive logon: Smart card removal behavior | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - -Interactive logon: Smart card removal behavior + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +``` + -The options are: + + +Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. -- No Action -- Lock Workstation -- Force Logoff -- Disconnect if a Remote Desktop Services session +**Important**: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. +**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: . + -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed. + + + -If you click Disconnect on a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation. + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network client: Digitally sign communications (always) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees +``` + + + + +Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. + +**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable | +| 0 | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network client: Digitally sign communications (if server agrees) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers +``` + + + + +Microsoft network client: Send unencrypted password to connect to third-party SMB servers If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network client: Send unencrypted password to third-party SMB servers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkServer_DigitallySignCommunicationsAlways + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways +``` + + + + +Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. + +**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. + +**Important**: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network server: Digitally sign communications (always) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees +``` + + + + +Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. + +**Important**: For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: . + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Microsoft network server: Digitally sign communications (if client agrees) | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_AllowAnonymousSIDOrNameTranslation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_AllowAnonymousSIDOrNameTranslation +``` + + + + +Network access: Allow anonymous SID/name translation This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Allow anonymous SID/name translation | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts +``` + + + + +Network access: Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. + +**Important**: This policy has no impact on domain controllers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enabled | +| 0 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Do not allow anonymous enumeration of SAM accounts | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares +``` + + + + +Network access: Do not allow anonymous enumeration of SAM accounts and shares This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enabled | +| 0 (Default) | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Do not allow anonymous enumeration of SAM accounts and shares | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares +``` + + + + +Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable | +| 0 | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Restrict anonymous access to Named Pipes and Shares | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM +``` + + + + +Network access: Restrict clients allowed to make remote calls to SAM This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network access: Restrict clients allowed to make remote calls to SAM | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +``` + + + + +Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. + +**Note**: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Allow | +| 0 | Block | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Allow Local System to use computer identity for NTLM | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_AllowPKU2UAuthenticationRequests + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests +``` + + + + +Network security: Allow PKU2U authentication requests to this computer to use online identities. This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Block | +| 1 (Default) | Allow | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Allow PKU2U authentication requests to this computer to use online identities. | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange > [!NOTE] -> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy isn't defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - -GP Info: -- GP Friendly name: *Interactive logon: Smart card removal behavior* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled - -> [!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). - - - -GP Info: -- GP Friendly name: *Microsoft network client: Digitally sign communications (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled - -> [!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -> -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). - - - -GP Info: -- GP Friendly name: *Microsoft network client: Digitally sign communications (if server agrees)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled - - - -GP Info: -- GP Friendly name: *Microsoft network client: Send unencrypted password to third-party SMB servers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -> [!WARNING] -> Starting in Windows 10, version 1803, this policy is deprecated. - -Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default: This policy isn't defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - -GP Info: -- GP Friendly name: *Microsoft network server: Amount of idle time required before suspending session* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client, unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled for member servers. Enabled for domain controllers. - -> [!NOTE] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> -> Similarly, if client-side SMB signing is required, that client won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). - - - -GP Info: -- GP Friendly name: *Microsoft network server: Digitally sign communications (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -> [!NOTE] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -> -> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). - - - -GP Info: -- GP Friendly name: *Microsoft network server: Digitally sign communications (if client agrees)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Don't allow anonymous enumeration of SAM accounts - -This security setting determines what other permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. - -This security option allows more restrictions to be placed on anonymous connections as follows: - -Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No extra restrictions. Rely on default permissions. - -Default on workstations: Enabled -Default on server: Enabled - -> [!IMPORTANT] -> This policy has no impact on domain controllers. - - - -GP Info: -- GP Friendly name: *Network access: Do not allow anonymous enumeration of SAM accounts* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Don't allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled - - - -GP Info: -- GP Friendly name: *Network access: Do not allow anonymous enumeration of SAM accounts and shares* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -- Network access: Named pipes that can be accessed anonymously. -- Network access: Shares that can be accessed anonymously. -- Default: Enabled. - - - -GP Info: -- GP Friendly name: *Network access: Restrict anonymous access to Named Pipes and Shares* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - -GP Info: -- GP Friendly name: *Network access: Restrict clients allowed to make remote calls to SAM* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Allow Local System to use computer identity for NTLM. - -When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. - -When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) - - - -GP Info: -- GP Friendly name: *Network security: Allow Local System to use computer identity for NTLM* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - Disabled. -- 1 - Enabled (Allow Local System to use computer identity for NTLM). - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Network security: Allow PKU2U authentication requests to this computer to use online identities.* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities). - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Don't store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked. - -- Default on Windows Vista and above: Enabled -- Default on Windows XP: Disabled - - - -GP Info: -- GP Friendly name: *Network security: Do not store LAN Manager hash value on next password change* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logon. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -- Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -- Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -- Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -- Default: - -- windows XP: send LM and NTLM responses. - -- Windows Server 2003: Send NTLM response only. - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only. - - - -GP Info: -- GP Friendly name: *Network security: LAN Manager authentication level* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Minimum session security for NTLM SSP based (including secure RPC) clients. - -This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. -- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated. - -- Default: - -- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. - -- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. - - - -GP Info: -- GP Friendly name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. - -- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated. - -- Default: - -- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. - -- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. - - - -GP Info: -- GP Friendly name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) servers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication, if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you don't configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions, the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or don't configure this policy setting, the server won't log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -> [!NOTE] -> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or don't configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain sign in and display an NTLM blocked error, but allow local account sign in. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -> [!NOTE] -> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Incoming NTLM traffic* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or don't configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This logging allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer can't authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -> [!NOTE] -> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - -GP Info: -- GP Friendly name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
    - - -**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Shutdown: Allow system to be shut down without having to sign in - -This security setting determines whether a computer can be shut down without having to sign in to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -- Default on workstations: Enabled. -- Default on servers: Disabled. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *Shutdown: Allow system to be shut down without having to log on* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (allow system to be shut down without having to sign in). - - - - -
    - - -**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they aren't used. On a running system, this pagefile is opened exclusively by the operating system, and it's well protected. However, systems that are configured to allow booting to other operating systems might have to ensure that the system pagefile is wiped clean when this system shuts down. This cleaning ensures that sensitive information from process memory that might go into the pagefile isn't available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled - - - -GP Info: -- GP Friendly name: *Shutdown: Clear virtual memory pagefile* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -Disabled: (Default) - -The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -Valid values: -- 0 - disabled. -- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop). - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -- 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - - > [!NOTE] - > Use this option only in the most constrained environments. - -- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -- 2 - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -- 3 - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -- 4 - Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Behavior of the elevation prompt for standard users - -This policy setting controls the behavior of the elevation prompt for standard users. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Behavior of the elevation prompt for standard users* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user, may choose this setting to reduce help desk calls. -- 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -- Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -- Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - -GP Info: -- GP Friendly name: *User Account Control: Detect application installations and prompt for elevation* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run, by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: -- 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run. -- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Only elevate executables that are signed and validated* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls, whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations: - -- .\Program Files\, including subfolders -- .\Windows\system32\ -- .\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -> [!NOTE] -> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: -- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. -- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Only elevate UIAccess applications that are installed in secure locations* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: -- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - - > [!NOTE] - > If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced. - -- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Run all administrators in Admin Approval Mode* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: -- 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. -- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Switch to the secure desktop when prompting for elevation* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - -GP Info: -- GP Friendly name: *User Account Control: Admin Approval Mode for the Built-in Administrator account* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - -
    - - -**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -This policy supports the following: -- Supported value type is integer. -- Supported operations are Add, Get, Replace, and Delete. - - - -GP Info: -- GP Friendly name: *User Account Control: Virtualize file and registry write failures to per-user locations* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - -The following list shows the supported values: - -- 0 - Disabled: Applications that write data to protected locations fail. -- 1 - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - - - -
    - - - -## Related topics +> This policy is deprecated and may be removed in a future release. + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange +``` + + + + +Network security: Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. + +**Important**: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable | +| 0 | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Do not store LAN Manager hash value on next password change | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_ForceLogoffWhenLogonHoursExpire + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_ForceLogoffWhenLogonHoursExpire +``` + + + + +Network security: Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default: Enabled. + +**Note**: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Force logoff when logon hours expire | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_LANManagerAuthenticationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel +``` + + + + +Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). + +**Important**: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: Windows 2000 and windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Send LM and NTLM responses | +| 1 | Send LM and NTLM-use NTLMv2 session security if negotiated | +| 2 | Send LM and NTLM responses only | +| 3 (Default) | Send LM and NTLMv2 responses only | +| 4 | Send LM and NTLMv2 responses only. Refuse LM | +| 5 | Send LM and NTLMv2 responses only. Refuse LM and NTLM | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: LAN Manager authentication level | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients +``` + + + + +Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 536870912 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | None | +| 524288 | Require NTLMv2 session security | +| 536870912 (Default) | Require 128-bit encryption | +| 537395200 | Require NTLM and 128-bit encryption | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers +``` + + + + +Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 536870912 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | None | +| 524288 | Require NTLMv2 session security | +| 536870912 (Default) | Require 128-bit encryption | +| 537395200 | Require NTLM and 128-bit encryption | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication +``` + + + + +Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic +``` + + + + +Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +**Note**: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disable | +| 1 | Enable auditing for domain accounts | +| 2 | Enable auditing for all accounts | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Audit Incoming NTLM Traffic | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic +``` + + + + +Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +**Note**: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow all | +| 1 | Deny all domain accounts | +| 2 | Deny all accounts | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Incoming NTLM traffic | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers +``` + + + + +Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. + +**Note**: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow all | +| 1 | Deny all domain accounts | +| 2 | Deny all accounts | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn +``` + + + + +Shutdown: Allow system to be shut down without having to log on This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. Default on workstations: Enabled. Default on servers: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | disabled | +| 1 (Default) | enabled (allow system to be shut down without having to log on) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Shutdown: Allow system to be shut down without having to log on | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## Shutdown_ClearVirtualMemoryPageFile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile +``` + + + + +Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Shutdown: Clear virtual memory pagefile | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_AllowUIAccessApplicationsToPromptForElevation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation +``` + + + + +User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | disabled | +| 1 | enabled (allow UIAccess applications to prompt for elevation without using the secure desktop) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_BehaviorOfTheElevationPromptForAdministrators + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators +``` + + + + +User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. + +**Note**: Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 5 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Elevate without prompting | +| 1 | Prompt for credentials on the secure desktop | +| 2 | Prompt for consent on the secure desktop | +| 3 | Prompt for credentials | +| 4 | Prompt for consent | +| 5 (Default) | Prompt for consent for non-Windows binaries | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers +``` + + + + +User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: • Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Automatically deny elevation requests | +| 1 | Prompt for credentials on the secure desktop | +| 3 (Default) | Prompt for credentials | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Behavior of the elevation prompt for standard users | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_DetectApplicationInstallationsAndPromptForElevation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation +``` + + + + +User Account Control: Detect application installations and prompt for elevation This policy setting controls the behavior of application installation detection for the computer. The options are: Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 (Default) | Enable | +| 0 | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Detect application installations and prompt for elevation | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated +``` + + + + +User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled: Does not enforce validation. | +| 1 | Enabled: Enforces validation. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Only elevate executables that are signed and validated | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations +``` + + + + +User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled: Application runs with UIAccess integrity even if it does not reside in a secure location. | +| 1 (Default) | Enabled: Application runs with UIAccess integrity only if it resides in secure location. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Only elevate UIAccess applications that are installed in secure locations | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_RunAllAdministratorsInAdminApprovalMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode +``` + + + + +User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. + +**Note**: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Run all administrators in Admin Approval Mode | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation +``` + + + + +User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Switch to the secure desktop when prompting for elevation | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_UseAdminApprovalMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode +``` + + + + +User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable | +| 0 (Default) | Disable | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Admin Approval Mode for the Built-in Administrator account | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + +## UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations +``` + + + + +User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. • Disabled: Applications that write data to protected locations fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled | +| 1 (Default) | Enabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | User Account Control: Virtualize file and registry write failures to per-user locations | +| Path | Windows Settings > Security Settings > Local Policies > Security Options | + + + + + + + + + + + + + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) From 48f92bd38307ee88ea99e3b0e6d6cbcc1b0a4e0d Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 13:42:42 -0500 Subject: [PATCH 091/152] ADMX_ICM policy review --- .../mdm/policy-csp-admx-icm.md | 2442 +++++++++-------- 1 file changed, 1349 insertions(+), 1093 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index 757dd29c41..a42e2c3941 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,1415 +1,1671 @@ --- -title: Policy CSP - ADMX_ICM -description: Learn about the Policy CSP - ADMX_ICM. +title: ADMX_ICM Policy CSP +description: Learn more about the ADMX_ICM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ICM ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_ICM policies + +## CEIPEnable -
    -
    - ADMX_ICM/CEIPEnable -
    -
    - ADMX_ICM/CertMgr_DisableAutoRootUpdates -
    -
    - ADMX_ICM/DisableHTTPPrinting_1 -
    -
    - ADMX_ICM/DisableWebPnPDownload_1 -
    -
    - ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate -
    -
    - ADMX_ICM/EventViewer_DisableLinks -
    -
    - ADMX_ICM/HSS_HeadlinesPolicy -
    -
    - ADMX_ICM/HSS_KBSearchPolicy -
    -
    - ADMX_ICM/InternetManagement_RestrictCommunication_1 -
    -
    - ADMX_ICM/InternetManagement_RestrictCommunication_2 -
    -
    - ADMX_ICM/NC_ExitOnISP -
    -
    - ADMX_ICM/NC_NoRegistration -
    -
    - ADMX_ICM/PCH_DoNotReport -
    -
    - ADMX_ICM/RemoveWindowsUpdate_ICM -
    -
    - ADMX_ICM/SearchCompanion_DisableFileUpdates -
    -
    - ADMX_ICM/ShellNoUseInternetOpenWith_1 -
    -
    - ADMX_ICM/ShellNoUseInternetOpenWith_2 -
    -
    - ADMX_ICM/ShellNoUseStoreOpenWith_1 -
    -
    - ADMX_ICM/ShellNoUseStoreOpenWith_2 -
    -
    - ADMX_ICM/ShellPreventWPWDownload_1 -
    -
    - ADMX_ICM/ShellRemoveOrderPrints_1 -
    -
    - ADMX_ICM/ShellRemoveOrderPrints_2 -
    -
    - ADMX_ICM/ShellRemovePublishToWeb_1 -
    -
    - ADMX_ICM/ShellRemovePublishToWeb_2 -
    -
    - ADMX_ICM/WinMSG_NoInstrumentation_1 -
    -
    - ADMX_ICM/WinMSG_NoInstrumentation_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/CEIPEnable +``` + -
    - - -**ADMX_ICM/CEIPEnable** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft won't collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It's simple and user-friendly. + + +This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. -If you don't configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. +If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Customer Experience Improvement Program* -- GP name: *CEIPEnable* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/CertMgr_DisableAutoRootUpdates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CEIPEnable | +| Friendly Name | Turn off Windows Customer Experience Improvement Program | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\SQMClient\Windows | +| Registry Value Name | CEIPEnable | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CertMgr_DisableAutoRootUpdates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/CertMgr_DisableAutoRootUpdates +``` + - - + + This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. -If you enable this policy setting, when you're presented with a certificate issued by an untrusted root authority, your computer won't contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. +If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. -If you disable or don't configure this policy setting, your computer will contact the Windows Update website. +If you disable or do not configure this policy setting, your computer will contact the Windows Update website. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Automatic Root Certificates Update* -- GP name: *CertMgr_DisableAutoRootUpdates* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/DisableHTTPPrinting_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CertMgr_DisableAutoRootUpdates | +| Friendly Name | Turn off Automatic Root Certificates Update | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\SystemCertificates\AuthRoot | +| Registry Value Name | DisableRootAutoUpdate | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DriverSearchPlaces_DontSearchWindowsUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate +``` + - - -This policy setting specifies whether to allow printing over HTTP from this client. - -Printing over HTTP allows a client to print to printers on the intranet and the Internet. - -> [!NOTE] -> This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. - -If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. - -If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. - - - - - -ADMX Info: -- GP Friendly name: *Turn off printing over HTTP* -- GP name: *DisableHTTPPrinting_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/DisableWebPnPDownload_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies whether to allow this client to download print driver packages over HTTP. - -To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. - -> [!NOTE] -> This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP. - -It only prohibits downloading drivers that aren't already installed locally. - -If you enable this policy setting, print drivers can't be downloaded over HTTP. - -If you disable or don't configure this policy setting, users can download print drivers over HTTP. - - - - - -ADMX Info: -- GP Friendly name: *Turn off downloading of print drivers over HTTP* -- GP name: *DisableWebPnPDownload_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. -If you enable this policy setting, Windows Update isn't searched when a new device is installed. +If you enable this policy setting, Windows Update is not searched when a new device is installed. If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. -If you don't configure this policy setting, searching Windows Update is optional when installing a device. +If you do not configure this policy setting, searching Windows Update is optional when installing a device. -Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver isn't found locally. +Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. -> [!NOTE] -> This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. +Note: This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Update device driver searching* -- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/EventViewer_DisableLinks** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DriverSearchPlaces_DontSearchWindowsUpdate | +| Friendly Name | Turn off Windows Update device driver searching | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\DriverSearching | +| Registry Value Name | DontSearchWindowsUpdate | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EventViewer_DisableLinks -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/EventViewer_DisableLinks +``` + - - + + This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. -If you enable this policy setting, event description hyperlinks aren't activated and the text "More Information" isn't displayed at the end of the description. +If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description. -If you disable or don't configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. +If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". + -Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off Event Viewer "Events.asp" links* -- GP name: *EventViewer_DisableLinks* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_ICM/HSS_HeadlinesPolicy** +| Name | Value | +|:--|:--| +| Name | EventViewer_DisableLinks | +| Friendly Name | Turn off Event Viewer "Events.asp" links | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\EventViewer | +| Registry Value Name | MicrosoftEventVwrDisableLinks | +| ADMX File Name | ICM.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## HSS_HeadlinesPolicy - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/HSS_HeadlinesPolicy +``` + -
    - - - + + This policy setting specifies whether to show the "Did you know?" section of Help and Support Center. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. -If you disable or don't configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. +If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. -You might want to enable this policy setting for users who don't have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. +You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help and Support Center "Did you know?" content* -- GP name: *HSS_HeadlinesPolicy* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/HSS_KBSearchPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HSS_HeadlinesPolicy | +| Friendly Name | Turn off Help and Support Center "Did you know?" content | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\HelpSvc | +| Registry Value Name | Headlines | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## HSS_KBSearchPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/HSS_KBSearchPolicy +``` + - - + + This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. -If you disable or don't configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and hasn't disabled the Knowledge Base search from the Search Options page. +If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Help and Support Center Microsoft Knowledge Base search* -- GP name: *HSS_KBSearchPolicy* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/InternetManagement_RestrictCommunication_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | HSS_KBSearchPolicy | +| Friendly Name | Turn off Help and Support Center Microsoft Knowledge Base search | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\HelpSvc | +| Registry Value Name | MicrosoftKBSearch | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetManagement_RestrictCommunication_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/InternetManagement_RestrictCommunication_2 +``` + - - + + This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. -If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can't access the Internet. +If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. -If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. +If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. -If you don't configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured. +If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict Internet communication* -- GP name: *InternetManagement_RestrictCommunication_1* -- GP path: *System\Internet Communication Management* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/InternetManagement_RestrictCommunication_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InternetManagement_RestrictCommunication | +| Friendly Name | Restrict Internet communication | +| Location | Computer Configuration | +| Path | System > Internet Communication Management | +| Registry Key Name | Software\Policies\Microsoft\InternetManagement | +| Registry Value Name | RestrictCommunication | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_ExitOnISP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/NC_ExitOnISP +``` + - - -This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. - -If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can't access the Internet. - -If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. - -If you don't configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured. - - - - -ADMX Info: -- GP Friendly name: *Restrict Internet communication* -- GP name: *InternetManagement_RestrictCommunication_2* -- GP path: *System\Internet Communication Management* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/NC_ExitOnISP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). -If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This exit prevents users from retrieving the list of ISPs, which resides on Microsoft servers. +If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. -If you disable or don't configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. +If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com* -- GP name: *NC_ExitOnISP* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/NC_NoRegistration** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_ExitOnISP | +| Friendly Name | Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Internet Connection Wizard | +| Registry Value Name | ExitOnMSICW | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_NoRegistration -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/NC_NoRegistration +``` + - - + + This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. -If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users can't register their copy of Windows online. +If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. -If you disable or don't configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. +If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. -Registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but doesn't involve submitting any personal information (except the country/region you live in). +Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Registration if URL connection is referring to Microsoft.com* -- GP name: *NC_NoRegistration* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/PCH_DoNotReport** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_NoRegistration | +| Friendly Name | Turn off Registration if URL connection is referring to Microsoft.com | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Registration Wizard Control | +| Registry Value Name | NoRegistration | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PCH_DoNotReport -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/PCH_DoNotReport +``` + - - + + This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. -If you enable this policy setting, users aren't given the option to report errors. +If you enable this policy setting, users are not given the option to report errors. -If you disable or don't configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. +If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. This policy setting overrides any user setting made from the Control Panel for error reporting. Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Error Reporting* -- GP name: *PCH_DoNotReport* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/RemoveWindowsUpdate_ICM** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PCH_DoNotReport | +| Friendly Name | Turn off Windows Error Reporting | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RemoveWindowsUpdate_ICM -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/RemoveWindowsUpdate_ICM +``` + - - + + This policy setting allows you to remove access to Windows Update. -If you enable this policy setting, all Windows Update features are removed. This list of features includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you won't get notified or receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. +If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at , from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. -If you disable or don't configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. +If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. -> [!NOTE] -> This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. +Note: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off access to all Windows Update features* -- GP name: *RemoveWindowsUpdate_ICM* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/SearchCompanion_DisableFileUpdates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RemoveWindowsUpdate_ICM | +| Friendly Name | Turn off access to all Windows Update features | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | DisableWindowsUpdateAccess | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SearchCompanion_DisableFileUpdates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/SearchCompanion_DisableFileUpdates +``` + - - + + This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. -When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and more content files used to format and display results. +When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. -If you enable this policy setting, Search Companion doesn't download content updates during searches. +If you enable this policy setting, Search Companion does not download content updates during searches. -If you disable or don't configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. +If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. -> [!NOTE] -> Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. +Note: Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Search Companion content file updates* -- GP name: *SearchCompanion_DisableFileUpdates* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/ShellNoUseInternetOpenWith_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SearchCompanion_DisableFileUpdates | +| Friendly Name | Turn off Search Companion content file updates | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\SearchCompanion | +| Registry Value Name | DisableContentFileUpdates | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellNoUseInternetOpenWith_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseInternetOpenWith_2 +``` + - - + + This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. -When a user opens a file that has an extension that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. -If you disable or don't configure this policy setting, the user is allowed to use the Web service. +If you disable or do not configure this policy setting, the user is allowed to use the Web service. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Internet File Association service* -- GP name: *ShellNoUseInternetOpenWith_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/ShellNoUseInternetOpenWith_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellNoUseInternetOpenWith | +| Friendly Name | Turn off Internet File Association service | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetOpenWith | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellNoUseStoreOpenWith_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseStoreOpenWith_2 +``` + - - -This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. - -When a user opens a file that has an extension that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. - -If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. - -If you disable or don't configure this policy setting, the user is allowed to use the Web service. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Internet File Association service* -- GP name: *ShellNoUseInternetOpenWith_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/ShellNoUseStoreOpenWith_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. -When a user opens a file type or protocol that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. -If you disable or don't configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. +If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off access to the Store* -- GP name: *ShellNoUseStoreOpenWith_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/ShellNoUseStoreOpenWith_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellNoUseStoreOpenWith | +| Friendly Name | Turn off access to the Store | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUseStoreOpenWith | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellRemoveOrderPrints_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemoveOrderPrints_2 +``` + - - -This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. - -When a user opens a file type or protocol that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. - -If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. - -If you disable or don't configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. - - - - - -ADMX Info: -- GP Friendly name: *Turn off access to the Store* -- GP name: *ShellNoUseStoreOpenWith_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/ShellPreventWPWDownload_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. - -If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed. - -If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards. - -For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards. - - - - - -ADMX Info: -- GP Friendly name: *Turn off Internet download for Web publishing and online ordering wizards* -- GP name: *ShellPreventWPWDownload_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/ShellRemoveOrderPrints_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. - -The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. - -If you disable or don't configure this policy setting, the task is displayed. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the "Order Prints" picture task* -- GP name: *ShellRemoveOrderPrints_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/ShellRemoveOrderPrints_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. -If you disable or don't configure this policy setting, the task is displayed. +If you disable or do not configure this policy setting, the task is displayed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the "Order Prints" picture task* -- GP name: *ShellRemoveOrderPrints_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/ShellRemovePublishToWeb_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellRemoveOrderPrints | +| Friendly Name | Turn off the "Order Prints" picture task | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoOnlinePrintsWizard | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShellRemovePublishToWeb_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemovePublishToWeb_2 +``` + - - -This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. - -The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. - -If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or don't configure this policy setting, the tasks are shown. - - - - - -ADMX Info: -- GP Friendly name: *Turn off the "Publish to Web" task for files and folders* -- GP name: *ShellRemovePublishToWeb_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* - - - -
    - - -**ADMX_ICM/ShellRemovePublishToWeb_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. -If you disable or don't configure this policy setting, the tasks are shown. +If you disable or do not configure this policy setting, the tasks are shown. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the "Publish to Web" task for files and folders* -- GP name: *ShellRemovePublishToWeb_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/WinMSG_NoInstrumentation_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShellRemovePublishToWeb | +| Friendly Name | Turn off the "Publish to Web" task for files and folders | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPublishingWizard | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## WinMSG_NoInstrumentation_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/WinMSG_NoInstrumentation_2 +``` + - - -This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service are used. + + +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. -With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. -This information is used to improve the product in future releases. +If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. -If you enable this policy setting, Windows Messenger doesn't collect usage information, and the user settings to enable the collection of usage information aren't shown. +If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. -If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting isn't shown. If you don't configure this policy setting, users have the choice to opt in and allow information to be collected. +If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program* -- GP name: *WinMSG_NoInstrumentation_1* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ICM/WinMSG_NoInstrumentation_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WinMSG_NoInstrumentation | +| Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Messenger\Client | +| Registry Value Name | CEIP | +| ADMX File Name | ICM.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableHTTPPrinting_1 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableHTTPPrinting_1 +``` + - - -This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service are used. + + +This policy setting specifies whether to allow printing over HTTP from this client. -With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. -This information is used to improve the product in future releases. +Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. -If you enable this policy setting, Windows Messenger doesn't collect usage information, and the user settings to enable the collection of usage information aren't shown. +If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. -If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting isn't shown. +If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. -If you don't configure this policy setting, users have the choice to opt in and allow information to be collected. +Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off the Windows Messenger Customer Experience Improvement Program* -- GP name: *WinMSG_NoInstrumentation_2* -- GP path: *System\Internet Communication Management\Internet Communication settings* -- GP ADMX file name: *ICM.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableHTTPPrinting | +| Friendly Name | Turn off printing over HTTP | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableHTTPPrinting | +| ADMX File Name | ICM.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + +## DisableWebPnPDownload_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableWebPnPDownload_1 +``` + + + + +This policy setting specifies whether to allow this client to download print driver packages over HTTP. + +To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. + +Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. + +If you enable this policy setting, print drivers cannot be downloaded over HTTP. + +If you disable or do not configure this policy setting, users can download print drivers over HTTP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebPnPDownload | +| Friendly Name | Turn off downloading of print drivers over HTTP | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPnPDownload | +| ADMX File Name | ICM.admx | + + + + + + + + + +## InternetManagement_RestrictCommunication_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/InternetManagement_RestrictCommunication_1 +``` + + + + +This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. + +If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. + +If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. + +If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | InternetManagement_RestrictCommunication | +| Friendly Name | Restrict Internet communication | +| Location | User Configuration | +| Path | System > Internet Communication Management | +| Registry Key Name | Software\Policies\Microsoft\InternetManagement | +| Registry Value Name | RestrictCommunication | +| ADMX File Name | ICM.admx | + + + + + + + + + +## ShellNoUseInternetOpenWith_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseInternetOpenWith_1 +``` + + + + +This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. + +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. + +If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Web service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellNoUseInternetOpenWith | +| Friendly Name | Turn off Internet File Association service | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetOpenWith | +| ADMX File Name | ICM.admx | + + + + + + + + + +## ShellNoUseStoreOpenWith_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseStoreOpenWith_1 +``` + + + + +This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. + +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. + +If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. + +If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellNoUseStoreOpenWith | +| Friendly Name | Turn off access to the Store | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUseStoreOpenWith | +| ADMX File Name | ICM.admx | + + + + + + + + + +## ShellPreventWPWDownload_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellPreventWPWDownload_1 +``` + + + + +This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. + +These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. + +If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. + +If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. + +See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellPreventWPWDownload | +| Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWebServices | +| ADMX File Name | ICM.admx | + + + + + + + + + +## ShellRemoveOrderPrints_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemoveOrderPrints_1 +``` + + + + +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. + +If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +If you disable or do not configure this policy setting, the task is displayed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellRemoveOrderPrints | +| Friendly Name | Turn off the "Order Prints" picture task | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoOnlinePrintsWizard | +| ADMX File Name | ICM.admx | + + + + + + + + + +## ShellRemovePublishToWeb_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemovePublishToWeb_1 +``` + + + + +This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. + +The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. + +If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. + +If you disable or do not configure this policy setting, the tasks are shown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellRemovePublishToWeb | +| Friendly Name | Turn off the "Publish to Web" task for files and folders | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPublishingWizard | +| ADMX File Name | ICM.admx | + + + + + + + + + +## WinMSG_NoInstrumentation_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/WinMSG_NoInstrumentation_1 +``` + + + + +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. + +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. + +If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. + +If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. + +If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WinMSG_NoInstrumentation | +| Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Messenger\Client | +| Registry Value Name | CEIP | +| ADMX File Name | ICM.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 118f240d5c18f90a100dc082e47f356863404529 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 13:47:45 -0500 Subject: [PATCH 092/152] ADMX_IIS policy review --- .../mdm/policy-csp-admx-iis.md | 126 +++++++++--------- 1 file changed, 64 insertions(+), 62 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index 9310adaf97..a3cbe89e61 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,92 +1,94 @@ --- -title: Policy CSP - ADMX_IIS -description: Learn about the Policy CSP - ADMX_IIS. +title: ADMX_IIS Policy CSP +description: Learn more about the ADMX_IIS Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_IIS > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_IIS policies + +## PreventIISInstall -
    -
    - ADMX_IIS/PreventIISInstall -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_IIS/PreventIISInstall +``` + - -**ADMX_IIS/PreventIISInstall** + + +"This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> [!div class = "checklist"] -> * Machine +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PreventIISInstall | +| Friendly Name | Prevent IIS installation | +| Location | Computer Configuration | +| Path | Windows Components > Internet Information Services | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\IIS | +| Registry Value Name | PreventIISInstall | +| ADMX File Name | IIS.admx | + - - -This policy setting prevents installation of Internet Information Services (IIS) on this computer. + + + -If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting. + -Enabling this setting won't have any effect on IIS, if IIS is already installed on the computer. + + + -If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run." + - +## Related articles - - -ADMX Info: -- GP Friendly name: *Prevent IIS installation* -- GP name: *PreventIISInstall* -- GP path: *Windows Components\Internet Information Services* -- GP ADMX file name: *IIS.admx* - - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 3dce6b729b2c7cecf22005152cc5c68987608ff8 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:27:28 -0500 Subject: [PATCH 093/152] ADMX_Kerberos policy review --- .../mdm/policy-csp-admx-kerberos.md | 708 ++++++++++-------- 1 file changed, 393 insertions(+), 315 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 3838c7a105..aa6cfac797 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,463 +1,541 @@ --- -title: Policy CSP - ADMX_Kerberos -description: Learn about the Policy CSP - ADMX_Kerberos. +title: ADMX_Kerberos Policy CSP +description: Learn more about the ADMX_Kerberos Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Kerberos ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Kerberos policies + +## AlwaysSendCompoundId -
    -
    - ADMX_Kerberos/AlwaysSendCompoundId -
    -
    - ADMX_Kerberos/DevicePKInitEnabled -
    -
    - ADMX_Kerberos/HostToRealm -
    -
    - ADMX_Kerberos/KdcProxyDisableServerRevocationCheck -
    -
    - ADMX_Kerberos/KdcProxyServer -
    -
    - ADMX_Kerberos/MitRealms -
    -
    - ADMX_Kerberos/ServerAcceptsCompound -
    -
    - ADMX_Kerberos/StrictTarget -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/AlwaysSendCompoundId +``` + -
    - - -**ADMX_Kerberos/AlwaysSendCompoundId** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. -> [!NOTE] -> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. +Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. -If you disable or don't configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. +If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Always send compound authentication first* -- GP name: *AlwaysSendCompoundId* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Kerberos/DevicePKInitEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AlwaysSendCompoundId | +| Friendly Name | Always send compound authentication first | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | AlwaysSendCompoundId | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DevicePKInitEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/DevicePKInitEnabled +``` + - - -Support for device authentication using certificate will require connectivity to a DC in the device account domain that supports certificate authentication for computer accounts. + + +Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. -If you enable this policy setting, the device's credentials will be selected based on the following options: +If you enable this policy setting, the device’s credentials will be selected based on the following options: -- Automatic: Device will attempt to authenticate using its certificate. If the DC doesn't support computer account authentication using certificates, then authentication with password will be attempted. -- Force: Device will always authenticate using its certificate. If a DC can't be found which support computer account authentication using certificates, then authentication will fail. +Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. + +Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. If you disable this policy setting, certificates will never be used. +If you do not configure this policy setting, Automatic will be used. + -If you don't configure this policy setting, Automatic will be used. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Support device authentication using certificate* -- GP name: *DevicePKInitEnabled* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Kerberos/HostToRealm** +| Name | Value | +|:--|:--| +| Name | DevicePKInitEnabled | +| Friendly Name | Support device authentication using certificate | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | DevicePKInitEnabled | +| ADMX File Name | Kerberos.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## HostToRealm - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/HostToRealm +``` + -
    - - - + + This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. -If you don't configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. +If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define host name-to-Kerberos realm mappings* -- GP name: *HostToRealm* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | hosttorealm | +| Friendly Name | Define host name-to-Kerberos realm mappings | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos | +| Registry Value Name | domain_realm_Enabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KdcProxyDisableServerRevocationCheck -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/KdcProxyDisableServerRevocationCheck +``` + - - + + This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. -> [!WARNING] -> When revocation check is ignored, the server represented by the certificate isn't guaranteed valid. +Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. -If you disable or don't configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server isn't established if the revocation check fails. +If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Disable revocation checking for the SSL certificate of KDC proxy servers* -- GP name: *KdcProxyDisableServerRevocationCheck* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Kerberos/KdcProxyServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | KdcProxyDisableServerRevocationCheck | +| Friendly Name | Disable revocation checking for the SSL certificate of KDC proxy servers | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | NoRevocationCheck | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## KdcProxyServer -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/KdcProxyServer +``` + - - + + This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. -If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller can't be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. -If you disable or don't configure this policy setting, the Kerberos client doesn't have KDC proxy servers settings defined by Group Policy. +If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify KDC proxy servers for Kerberos clients* -- GP name: *KdcProxyServer* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Kerberos/MitRealms** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | KdcProxyServer | +| Friendly Name | Specify KDC proxy servers for Kerberos clients | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos | +| Registry Value Name | KdcProxyServer_Enabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MitRealms -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/MitRealms +``` + - - + + This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. -If you don't configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. +If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define interoperable Kerberos V5 realm settings* -- GP name: *MitRealms* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Kerberos/ServerAcceptsCompound** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MitRealms | +| Friendly Name | Define interoperable Kerberos V5 realm settings | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos | +| Registry Value Name | MitRealms_Enabled | +| ADMX File Name | Kerberos.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ServerAcceptsCompound -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/ServerAcceptsCompound +``` + - - + + This policy setting controls configuring the device's Active Directory account for compound authentication. -Support for providing compound authentication that is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. +Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: -- Never: Compound authentication is never provided for this computer account. -- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. -- Always: Compound authentication is always provided for this computer account. +Never: Compound authentication is never provided for this computer account. + +Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. + +Always: Compound authentication is always provided for this computer account. If you disable this policy setting, Never will be used. +If you do not configure this policy setting, Automatic will be used. + -If you don't configure this policy setting, Automatic will be used. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Support compound authentication* -- GP name: *ServerAcceptsCompound* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Kerberos/StrictTarget** +| Name | Value | +|:--|:--| +| Name | ServerAcceptsCompound | +| Friendly Name | Support compound authentication | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | CompoundIdDisabled | +| ADMX File Name | Kerberos.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## StrictTarget - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Kerberos/StrictTarget +``` + -
    - - - + + This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. -If you disable or don't configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. +If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Require strict target SPN match on remote procedure calls* -- GP name: *StrictTarget* -- GP path: *System\Kerberos* -- GP ADMX file name: *Kerberos.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | StrictTarget | +| Friendly Name | Require strict target SPN match on remote procedure calls | +| Location | Computer Configuration | +| Path | System > Kerberos | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters | +| Registry Value Name | StrictTargetContext | +| ADMX File Name | Kerberos.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 9d3c5d14d98f2f704966aca3448a803f1e9f5315 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:36:23 -0500 Subject: [PATCH 094/152] localusersandgroups lockdown lsa --- .../mdm/policy-csp-localusersandgroups.md | 252 +++++++++--------- .../mdm/policy-csp-lockdown.md | 136 +++++----- .../client-management/mdm/policy-csp-lsa.md | 214 +++++++++------ 3 files changed, 332 insertions(+), 270 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 10e2076e07..3829efc9fb 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -1,65 +1,139 @@ --- -title: Policy CSP - LocalUsersAndGroups -description: Policy CSP - LocalUsersAndGroups +title: LocalUsersAndGroups Policy CSP +description: Learn more about the LocalUsersAndGroups Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LocalUsersAndGroups -
    + + + - -## LocalUsersAndGroups policies + +## Configure -
    -
    - LocalUsersAndGroups/Configure -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure +``` + - -**LocalUsersAndGroups/Configure** + + +This Setting allows an administrator to manage local groups on a Device. Possible settings: 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that are not specified in the policy remain untouched. 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group members that are not specified in the policy are removed. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +> [!CAUTION] +> If the same group is configured with both Replace and Update, then Replace will win. + + + > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +
    +
    + Expand to see schema XML + +```xml + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + +``` + +
    + + + + +**Example**: Here is an example of the policy definition XML for group configuration: @@ -95,14 +169,10 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura > - `` is not valid for the R (Restrict) action and will be ignored if present. > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. - - - - **Examples** -Example 1: Azure Active Directory focused. +**Example 1**: Azure Active Directory focused. The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. @@ -116,12 +186,13 @@ The following example updates the built-in administrators group with the SID **S ``` -Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. +**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] > When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. -Example: +**Example**: + ```xml @@ -132,7 +203,7 @@ Example: ``` -Example 3: Update action for adding and removing group members on a hybrid joined machine. +**Example 3**: Update action for adding and removing group members on a hybrid joined machine. The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. @@ -147,13 +218,6 @@ The following example shows how you can update a local group (**Administrators** ``` - - - - - -
    - > [!NOTE] > > When Azure Active Directory group SID’s are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: @@ -233,70 +297,16 @@ To troubleshoot Name/SID lookup APIs: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force ``` + -```xml - - - - - - - - - - - - Group Configuration Action - - - - - - - - Group Member to Add - - - - - - - - Group Member to Remove - - - - - - - - Group property to configure - - - - - - - - - - - - - - - - Local Group Configuration - - - - - - -``` + - + + + -## Related topics + + +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index fd60ffcbaa..743e929abc 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,84 +1,98 @@ --- -title: Policy CSP - LockDown -description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch. +title: LockDown Policy CSP +description: Learn more about the LockDown Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - LockDown -
    + + + - -## LockDown policies + +## AllowEdgeSwipe -
    -
    - LockDown/AllowEdgeSwipe -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/LockDown/AllowEdgeSwipe +``` + - -**LockDown/AllowEdgeSwipe** + + +If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge. - +If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen edges. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Allows the user to invoke any system user interface by swiping in from any screen edge using touch. + + The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled. + - - -ADMX Info: -- GP Friendly name: *Allow edge swipe* -- GP name: *AllowEdgeSwipe* -- GP path: *Windows Components/Edge UI* -- GP ADMX file name: *EdgeUI.admx* + +**Description framework properties**: - - -The following list shows the supported values: +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + -- 0 - disallow edge swipe. -- 1 (default, not configured) - allow edge swipe. + +**Allowed values**: - - -
    +| Value | Description | +|:--|:--| +| 0 | Disallow edge swipe. | +| 1 (Default) | Allow edge swipe. | + - + +**Group policy mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | AllowEdgeSwipe | +| Friendly Name | Allow edge swipe | +| Location | Computer and User Configuration | +| Path | Windows Components > Edge UI | +| Registry Key Name | Software\Policies\Microsoft\Windows\EdgeUI | +| Registry Value Name | AllowEdgeSwipe | +| ADMX File Name | EdgeUI.admx | + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md index 89702a9f64..23573031f7 100644 --- a/windows/client-management/mdm/policy-csp-lsa.md +++ b/windows/client-management/mdm/policy-csp-lsa.md @@ -1,131 +1,169 @@ --- -title: Policy CSP - LocalSecurityAuthority -description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS). -ms.author: vinpa +title: LocalSecurityAuthority Policy CSP +description: Learn more about the LocalSecurityAuthority Area in Policy CSP author: vinaypamnani-msft -ms.reviewer: manager: aaroncz -ms.topic: reference +ms.author: vinpa +ms.date: 01/03/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -ms.localizationpriority: medium -ms.date: 08/26/2022 +ms.topic: reference --- -# Policy CSP - LocalSecurity Authority + - -
    - - -## LocalSecurityAuthority policies - -
    -
    - LocalSecurityAuthority/AllowCustomSSPsAPs -
    -
    - LocalSecurityAuthority/ConfigureLsaProtectedProcess -
    -
    + +# Policy CSP - LocalSecurityAuthority > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## AllowCustomSSPsAPs - -**LocalSecurityAuthority/AllowCustomSSPsAPs** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy controls the configuration under which LSASS loads custom SSPs and APs. - -
    +If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable this setting, LSA does not load custom SSPs and APs. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you disable this policy setting, LSASS will block custom SSPs and APs from loading. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCustomSSPsAPs | +| Friendly Name | Allow Custom SSPs and APs to be loaded into LSASS | +| Location | Computer Configuration | +| Path | System > Local Security Authority | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowCustomSSPsAPs | +| ADMX File Name | LocalSecurityAuthority.admx | + - -ADMX Info: -- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS* -- GP name: *AllowCustomSSPsAPs* -- GP path: *System/Local Security Authority* -- GP ADMX file name: *LocalSecurityAuthority.admx* + + + - - + -
    + +## ConfigureLsaProtectedProcess - -**Kerberos/ConfigureLsaProtectedProcess** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy controls the configuration under which LSASS is run. - -
    +If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration is not UEFI locked. This can be overridden if the policy is configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you configure and set this policy setting to "Disabled", LSA will not run as a protected process. -> [!div class = "checklist"] -> * Device +If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked. -
    +If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked. + - - -This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process. + + + -If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process. + +**Description framework properties**: -If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable. + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. Default value. LSA will not run as protected process. | +| 1 | Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked. | +| 2 | Enabled without UEFI lock. LSA will run as protected process and this configuration is not UEFI locked. | + - -ADMX Info: -- GP Friendly name: *Configure LSASS to run as a protected process* -- GP name: *ConfigureLsaProtectedProcess* -- GP path: *System/Local Security Authority* -- GP ADMX file name: *LocalSecurityAuthority.admx* + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | ConfigureLsaProtectedProcess | +| Friendly Name | Configures LSASS to run as a protected process | +| Location | Computer Configuration | +| Path | System > Local Security Authority | +| Registry Key Name | System\CurrentControlSet\Control\Lsa | +| ADMX File Name | LocalSecurityAuthority.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 1396181688a087cb33897ec34da775b4c359da4f Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:39:55 -0500 Subject: [PATCH 095/152] ADMX_LanmanServer policy review --- .../mdm/policy-csp-admx-lanmanserver.md | 402 ++++++++++-------- 1 file changed, 219 insertions(+), 183 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index 4f59845591..e67a81aae5 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,212 +1,210 @@ --- -title: Policy CSP - ADMX_LanmanServer -description: Learn about the Policy CSP - ADMX_LanmanServer. +title: ADMX_LanmanServer Policy CSP +description: Learn more about the ADMX_LanmanServer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LanmanServer ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_LanmanServer policies + +## Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanServer/Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanServer/Pol_HashPublication -
    -
    - ADMX_LanmanServer/Pol_HashSupportVersion -
    -
    - ADMX_LanmanServer/Pol_HonorCipherSuiteOrder -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_CipherSuiteOrder +``` + -
    - - -**ADMX_LanmanServer/Pol_CipherSuiteOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. -If you enable this policy setting and don't specify at least one supported cipher suite, or if you disable or don't configure this policy setting, the default cipher suite order is used. +If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. SMB 3.11 cipher suites: -- AES_128_GCM -- AES_128_CCM +AES_128_GCM +AES_128_CCM +AES_256_GCM +AES_256_CCM SMB 3.0 and 3.02 cipher suites: -- AES_128_CCM +AES_128_CCM -**How to modify this setting:** +How to modify this setting: Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. -> [!NOTE] -> When configuring this security setting, changes will not take effect until you restart Windows. +Note: When configuring this security setting, changes will not take effect until you restart Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Cipher suite order* -- GP name: *Pol_CipherSuiteOrder* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Pol_CipherSuiteOrder_Name | +| Friendly Name | Cipher suite order | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + - -**ADMX_LanmanServer/Pol_HashPublication** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Pol_HashPublication - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_HashPublication +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed. Policy configuration -Select one of the following options: +Select one of the following: + +- Not Configured. With this selection, hash publication settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache. -- Not Configured. With this selection, hash publication settings aren't applied to file servers. In the circumstance where file servers are domain members but you don't want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting isn't configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache. - Enabled. With this selection, hash publication is turned on for all file servers where Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file shares. + - Disabled. With this selection, hash publication is turned off for all file servers where Group Policy is applied. In circumstances where this policy setting is enabled, you can also select the following configuration options: - Allow hash publication for all shared folders. With this option, BranchCache generates content information for all content in all shares on the file server. + - Allow hash publication only for shared folders on which BranchCache is enabled. With this option, content information is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage Management on the file server. -- Disallow hash publication on all shared folders. With this option, BranchCache doesn't generate content information for any shares on the computer and doesn't send content information to client computers that request content. - +- Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content. + + + + - -ADMX Info: -- GP Friendly name: *Hash Publication for BranchCache* -- GP name: *Pol_HashPublication* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_LanmanServer/Pol_HashSupportVersion** +| Name | Value | +|:--|:--| +| Name | Pol_HashPublication | +| Friendly Name | Hash Publication for BranchCache | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Pol_HashSupportVersion - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_HashSupportVersion +``` + -
    - - - + + This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. -If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it's the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. +If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. -For policy configuration, select one of the following options: +Policy configuration + +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. -- Not Configured. With this selection, BranchCache settings aren't applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. - Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved. + - Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported. In circumstances where this setting is enabled, you can also select and configure the following option: @@ -214,77 +212,115 @@ In circumstances where this setting is enabled, you can also select and configur Hash version supported: - To support V1 content information only, configure "Hash version supported" with the value of 1. + - To support V2 content information only, configure "Hash version supported" with the value of 2. + - To support both V1 and V2 content information, configure "Hash version supported" with the value of 3. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hash Version support for BranchCache* -- GP name: *Pol_HashSupportVersion* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_LanmanServer/Pol_HonorCipherSuiteOrder** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_HashSupportVersion | +| Friendly Name | Hash Version support for BranchCache | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| ADMX File Name | LanmanServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_HonorCipherSuiteOrder -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanServer/Pol_HonorCipherSuiteOrder +``` + - - + + This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. -If you disable or don't configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites. +If you disable or do not configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites. -> [!NOTE] -> When configuring this security setting, changes will not take effect until you restart Windows. +Note: When configuring this security setting, changes will not take effect until you restart Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Honor cipher suite order* -- GP name: *Pol_HonorCipherSuiteOrder* -- GP path: *Network/Lanman Server* -- GP ADMX file name: *LanmanServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_HonorCipherSuiteOrder_Name | +| Friendly Name | Honor cipher suite order | +| Location | Computer Configuration | +| Path | Network > Lanman Server | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanServer | +| Registry Value Name | HonorCipherSuiteOrder | +| ADMX File Name | LanmanServer.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From b603a8a25708e36a8418893e5e43a383270769d6 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 3 Jan 2023 15:42:25 -0500 Subject: [PATCH 096/152] tpm userexperiencevirtualization userprofiles --- .../mdm/policy-csp-admx-tpm.md | 906 +- ...y-csp-admx-userexperiencevirtualization.md | 10940 +++++++++------- .../mdm/policy-csp-admx-userprofiles.md | 763 +- 3 files changed, 7049 insertions(+), 5560 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index a17ffa7fcc..e130165336 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -1,374 +1,412 @@ --- -title: Policy CSP - ADMX_TPM -description: Learn about Policy CSP - ADMX_TPM. +title: ADMX_TPM Policy CSP +description: Learn more about the ADMX_TPM Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/25/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TPM + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_TPM policies + +## BlockedCommandsList_Name -
    -
    - ADMX_TPM/BlockedCommandsList_Name -
    -
    - ADMX_TPM/ClearTPMIfNotReady_Name -
    -
    - ADMX_TPM/IgnoreDefaultList_Name -
    -
    - ADMX_TPM/IgnoreLocalList_Name -
    -
    - ADMX_TPM/OSManagedAuth_Name -
    -
    - ADMX_TPM/OptIntoDSHA_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureDuration_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name -
    -
    - ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name -
    -
    - ADMX_TPM/UseLegacyDAP_Name -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/BlockedCommandsList_Name +``` + -
    - - -**ADMX_TPM/BlockedCommandsList_Name** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to manage the Policy list of Trusted Platform Module (TPM) commands blocked by Windows. + + +This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. -If you disable or don't configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. +If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. + - + + + - -ADMX Info: -- GP Friendly name: *Configure the list of blocked TPM commands* -- GP name: *BlockedCommandsList_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/ClearTPMIfNotReady_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BlockedCommandsList_Name | +| Friendly Name | Configure the list of blocked TPM commands | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands | +| Registry Value Name | Enabled | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ClearTPMIfNotReady_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user sign in only if the signed in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and sign in until the policy is disabled or until the TPM is in a Ready state. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/ClearTPMIfNotReady_Name +``` + - + + +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. + - -ADMX Info: -- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.* -- GP name: *ClearTPMIfNotReady_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_TPM/IgnoreDefaultList_Name** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | ClearTPMIfNotReady_Name | +| Friendly Name | Configure the system to clear the TPM if it is not in a ready state. | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| Registry Value Name | ClearTPMIfNotReadyGP | +| ADMX File Name | TPM.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## IgnoreDefaultList_Name - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/IgnoreDefaultList_Name +``` + + + + This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Policy or the local list. +If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. -The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Policy list of blocked TPM commands. +The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. -If you disable or don't configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Policy and local lists of blocked TPM commands. +If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. + - + + + - -ADMX Info: -- GP Friendly name: *Ignore the default list of blocked TPM commands* -- GP name: *IgnoreDefaultList_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/IgnoreLocalList_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IgnoreDefaultList_Name | +| Friendly Name | Ignore the default list of blocked TPM commands | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM\BlockedCommands | +| Registry Value Name | IgnoreDefaultList | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## IgnoreLocalList_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/IgnoreLocalList_Name +``` + + + + This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Policy or the default list. +If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. -The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Policy list of blocked TPM commands. +The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. -If you disable or don't configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Policy and default lists of blocked TPM commands. +If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. + - + + + - -ADMX Info: -- GP Friendly name: *Ignore the local list of blocked TPM commands* -- GP name: *IgnoreLocalList_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/OSManagedAuth_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | IgnoreLocalList_Name | +| Friendly Name | Ignore the local list of blocked TPM commands | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM\BlockedCommands | +| Registry Value Name | IgnoreLocalList | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## OptIntoDSHA_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions that require TPM owner authorization without requiring the user to enter the TPM owner password. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/OptIntoDSHA_Name +``` + + + + +This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | OptIntoDSHA_Name | +| Friendly Name | Enable Device Health Attestation Monitoring and Reporting | +| Location | Computer Configuration | +| Path | System > Device Health Attestation Service | +| Registry Key Name | Software\Policies\Microsoft\DeviceHealthAttestationService | +| Registry Value Name | EnableDeviceHealthAttestationService | +| ADMX File Name | TPM.admx | + + + + + + + + + +## OSManagedAuth_Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/OSManagedAuth_Name +``` + + + + +This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. -Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that don't depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting to be changed before making the features that depend on the TPM anti-hammering logic usable. +Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used. Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications. -> [!NOTE] -> If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. +Note: If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. + - + + + - -ADMX Info: -- GP Friendly name: *Configure the level of TPM owner authorization information available to the operating system* -- GP name: *OSManagedAuth_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/OptIntoDSHA_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | OSManagedAuth_Name | +| Friendly Name | Configure the level of TPM owner authorization information available to the operating system | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## StandardUserAuthorizationFailureDuration_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or Configuration Manager), and won't interfere with their workflows. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/StandardUserAuthorizationFailureDuration_Name +``` + - - - -ADMX Info: -- GP Friendly name: *Enable Device Health Attestation Monitoring and Reporting* -- GP name: *OptIntoDSHA_Name* -- GP path: *System\Device Health Attestation Service* -- GP ADMX file name: *TPM.admx* - - - -
    - - -**ADMX_TPM/StandardUserAuthorizationFailureDuration_Name** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -377,195 +415,265 @@ An authorization failure occurs each time a standard user sends a command to the For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. -The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value isn't configured, a default value of 480 minutes (8 hours) is used. +If this value is not configured, a default value of 480 minutes (8 hours) is used. + - -> - -ADMX Info: -- GP Friendly name: *Standard User Lockout Duration* -- GP name: *StandardUserAuthorizationFailureDuration_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | StandardUserAuthorizationFailureDuration_Name | +| Friendly Name | Standard User Lockout Duration | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\Tpm | +| Registry Value Name | StandardUserAuthorizationFailureDuration | +| ADMX File Name | TPM.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## StandardUserAuthorizationFailureIndividualThreshold_Name - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name +``` + + + + This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -This value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. +This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. -The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value isn't configured, a default value of 4 is used. +If this value is not configured, a default value of 4 is used. -A value of 0 means the OS won't allow standard users to send commands to the TPM, which may cause an authorization failure. +A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. + - + + + - -ADMX Info: -- GP Friendly name: *Standard User Individual Lockout Threshold* -- GP name: *StandardUserAuthorizationFailureIndividualThreshold_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | StandardUserAuthorizationFailureIndividualThreshold_Name | +| Friendly Name | Standard User Individual Lockout Threshold | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\Tpm | +| Registry Value Name | StandardUserAuthorizationFailureIndividualThreshold | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## StandardUserAuthorizationFailureTotalThreshold_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name +``` + + + + This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. +For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. +The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. -This value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. +This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value isn't configured, a default value of 9 is used. +If this value is not configured, a default value of 9 is used. -A value of 0 means the OS won't allow standard users to send commands to the TPM, which may cause an authorization failure. +A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. + - + + + - -ADMX Info: -- GP Friendly name: *Standard User Total Lockout Threshold* -- GP name: *StandardUserAuthorizationFailureTotalThreshold_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TPM/UseLegacyDAP_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | StandardUserAuthorizationFailureTotalThreshold_Name | +| Friendly Name | Standard User Total Lockout Threshold | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\Tpm | +| Registry Value Name | StandardUserAuthorizationFailureTotalThreshold | +| ADMX File Name | TPM.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## UseLegacyDAP_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this Policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from Policy and b) clear the TPM on the system. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TPM/UseLegacyDAP_Name +``` + - + + +This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. - -ADMX Info: -- GP Friendly name: *Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.* -- GP name: *UseLegacyDAP_Name* -- GP path: *System\Trusted Platform Module Services* -- GP ADMX file name: *TPM.admx* +**Note** that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. + - - -
    + + + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | UseLegacyDAP_Name | +| Friendly Name | Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0. | +| Location | Computer Configuration | +| Path | System > Trusted Platform Module Services | +| Registry Key Name | Software\Policies\Microsoft\TPM | +| Registry Value Name | UseLegacyDictionaryAttackParameters | +| ADMX File Name | TPM.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index cc67fba5d3..d6f1454a45 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,6664 +1,7960 @@ --- -title: Policy CSP - ADMX_UserExperienceVirtualization -description: Learn about Policy CSP - ADMX_UserExperienceVirtualization. +title: ADMX_UserExperienceVirtualization Policy CSP +description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/30/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_UserExperienceVirtualization + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_UserExperienceVirtualization policies + +## Calculator -
    -
    - ADMX_UserExperienceVirtualization/Calculator -
    -
    - ADMX_UserExperienceVirtualization/ConfigureSyncMethod -
    -
    - ADMX_UserExperienceVirtualization/ConfigureVdi -
    -
    - ADMX_UserExperienceVirtualization/ContactITDescription -
    -
    - ADMX_UserExperienceVirtualization/ContactITUrl -
    -
    - ADMX_UserExperienceVirtualization/DisableWin8Sync -
    -
    - ADMX_UserExperienceVirtualization/DisableWindowsOSSettings -
    -
    - ADMX_UserExperienceVirtualization/EnableUEV -
    -
    - ADMX_UserExperienceVirtualization/Finance -
    -
    - ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled -
    -
    - ADMX_UserExperienceVirtualization/Games -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer8 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer9 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer10 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorer11 -
    -
    - ADMX_UserExperienceVirtualization/InternetExplorerCommon -
    -
    - ADMX_UserExperienceVirtualization/Maps -
    -
    - ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 -
    -
    - ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 -
    -
    - ADMX_UserExperienceVirtualization/Music -
    -
    - ADMX_UserExperienceVirtualization/News -
    -
    - ADMX_UserExperienceVirtualization/Notepad -
    -
    - ADMX_UserExperienceVirtualization/Reader -
    -
    - ADMX_UserExperienceVirtualization/RepositoryTimeout -
    -
    - ADMX_UserExperienceVirtualization/SettingsStoragePath -
    -
    - ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath -
    -
    - ADMX_UserExperienceVirtualization/Sports -
    -
    - ADMX_UserExperienceVirtualization/SyncEnabled -
    -
    - ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork -
    -
    - ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming -
    -
    - ADMX_UserExperienceVirtualization/SyncProviderPingEnabled -
    -
    - ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps -
    -
    - ADMX_UserExperienceVirtualization/Travel -
    -
    - ADMX_UserExperienceVirtualization/TrayIconEnabled -
    -
    - ADMX_UserExperienceVirtualization/Video -
    -
    - ADMX_UserExperienceVirtualization/Weather -
    -
    - ADMX_UserExperienceVirtualization/Wordpad -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Calculator +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Calculator +``` + - -**ADMX_UserExperienceVirtualization/Calculator** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting configures the synchronization of user settings of Calculator. - By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. - If you enable this policy setting, the Calculator user settings continue to synchronize. - If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Calculator* -- GP name: *Calculator* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/ConfigureSyncMethod** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Calculator | +| Friendly Name | Calculator | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftCalculator6 | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ConfigureSyncMethod -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureSyncMethod +``` - - -This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. - -With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureSyncMethod +``` + + + +This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. When SyncMethod is set to “None,” the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. - -Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users’ computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. - -These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. +Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users’ computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. With notifications enabled, UE-V users receive a message when the settings sync is delayed. The notification delay policy setting defines the delay before a notification appears. +If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure Sync Method* -- GP name: *ConfigureSyncMethod* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/ConfigureVdi** +| Name | Value | +|:--|:--| +| Name | ConfigureSyncMethod | +| Friendly Name | Configure Sync Method | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ConfigureVdi - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureVdi +``` -
    - - - -This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. - -UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. - -Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ConfigureVdi +``` + + + +This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. - If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. +If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. + -If you don't configure this policy, no UE-V rollback state is copied to the settings storage location. - + + + - -ADMX Info: -- GP Friendly name: *VDI Configuration* -- GP name: *ConfigureVdi* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserExperienceVirtualization/ContactITDescription** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ConfigureVdi | +| Friendly Name | VDI Configuration | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings | +| Registry Value Name | VdiState | +| ADMX File Name | UserExperienceVirtualization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ContactITDescription -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ContactITDescription +``` + + + + This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. - If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. +If you disable this policy setting, the Company Settings Center does not display an IT Contact link. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, the Company Settings Center doesn't display an IT Contact link. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Contact IT Link Text* -- GP name: *ContactITDescription* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/ContactITUrl** +| Name | Value | +|:--|:--| +| Name | ContactITDescription | +| Friendly Name | Contact IT Link Text | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ContactITUrl - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/ContactITUrl +``` + -
    - - - + + This policy setting specifies the URL for the Contact IT link in the Company Settings Center. - If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. +If you disable this policy setting, the Company Settings Center does not display an IT Contact link. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, the Company Settings Center doesn't display an IT Contact link. + + + -If you don't configure this policy setting, any defined values will be deleted. - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Contact IT URL* -- GP name: *ContactITUrl* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/DisableWin8Sync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ContactITURL | +| Friendly Name | Contact IT URL | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableWin8Sync -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWin8Sync +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWin8Sync +``` + + + + This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. - By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. - -If you enable this policy setting, the UE-V Agent won't synchronize settings for Windows apps. - +If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps. If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. +If you do not configure this policy setting, any defined values are deleted. +Note: If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. + -If you don't configure this policy setting, any defined values are deleted. + + + -> [!NOTE] -> If the user connects their Microsoft account for their computer then the UE-V Agent won't synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *don't synchronize Windows Apps* -- GP name: *DisableWin8Sync* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/DisableWindowsOSSettings** +| Name | Value | +|:--|:--| +| Name | DisableWin8Sync | +| Friendly Name | Do not synchronize Windows Apps | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | DontSyncWindows8AppSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableWindowsOSSettings - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWindowsOSSettings +``` -
    - - - -This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/DisableWindowsOSSettings +``` + + + +This policy setting configures the synchronization of Windows settings between computers. +Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. - If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize Windows settings* -- GP name: *DisableWindowsOSSettings* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/EnableUEV** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableWindowsOSSettings | +| Friendly Name | Synchronize Windows settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableUEV -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/EnableUEV +``` + - - -This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. + + +This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. + -Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable UEV* -- GP name: *EnableUEV* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/Finance** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableUEV | +| Friendly Name | Enable UEV | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent | +| Registry Value Name | Enabled | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Finance -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Finance +``` - - -This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Finance +``` + + + +This policy setting configures the synchronization of user settings for the Finance app. +By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. If you enable this policy setting, Finance user settings continue to sync. - If you disable this policy setting, Finance user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Finance* -- GP name: *Finance* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Finance | +| Friendly Name | Finance | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingFinance_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FirstUseNotificationEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - - -This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled +``` + + + +This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. +By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. - With this setting disabled, no notification appears. +If you do not configure this policy setting, any defined values are deleted. + -If you don't configure this policy setting, any defined values are deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *First Use Notification* -- GP name: *FirstUseNotificationEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/Games** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | FirstUseNotificationEnabled | +| Friendly Name | First Use Notification | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | FirstUseNotificationEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Games -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Games +``` - - -This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Games +``` + + + +This policy setting configures the synchronization of user settings for the Games app. +By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. If you enable this policy setting, Games user settings continue to sync. - If you disable this policy setting, Games user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Games* -- GP name: *Games* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/InternetExplorer8** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Games | +| Friendly Name | Games | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.XboxLIVEGames_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetExplorer10 -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer10 +``` - - -This policy setting configures the synchronization of user settings for Internet Explorer 8. - -By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. - -If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. - -If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer 8* -- GP name: *InternetExplorer8* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/InternetExplorer9** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. - -If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. - -If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. - -If you don't configure this policy setting, any defined values will be deleted. - - - - - -ADMX Info: -- GP Friendly name: *Internet Explorer 9* -- GP name: *InternetExplorer9* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* - - - -
    - - -**ADMX_UserExperienceVirtualization/InternetExplorer10** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer10 +``` + + + +This policy setting configures the synchronization of user settings of Internet Explorer 10. +By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. - If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Internet Explorer 10* -- GP name: *InternetExplorer10* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/InternetExplorer11** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InternetExplorer10 | +| Friendly Name | Internet Explorer 10 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version10 | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetExplorer11 -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer11 +``` - - -This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer11 +``` + + + +This policy setting configures the synchronization of user settings of Internet Explorer 11. +By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. - If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Internet Explorer 11* -- GP name: *InternetExplorer11* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/InternetExplorerCommon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InternetExplorer11 | +| Friendly Name | Internet Explorer 11 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version11 | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InternetExplorer8 -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer8 +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer8 +``` + + + + +This policy setting configures the synchronization of user settings for Internet Explorer 8. +By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. +If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. +If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | InternetExplorer8 | +| Friendly Name | Internet Explorer 8 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version8 | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## InternetExplorer9 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer9 +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorer9 +``` + + + + +This policy setting configures the synchronization of user settings for Internet Explorer 9. +By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. +If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | InternetExplorer9 | +| Friendly Name | Internet Explorer 9 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftInternetExplorer.Version9 | +| ADMX File Name | UserExperienceVirtualization.admx | + + + + + + + + + +## InternetExplorerCommon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorerCommon +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/InternetExplorerCommon +``` + + + + This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. - If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. - If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Internet Explorer Common Settings* -- GP name: *InternetExplorerCommon* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/Maps** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InternetExplorerCommon | +| Friendly Name | Internet Explorer Common Settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Maps -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Maps +``` - - -This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Maps +``` + + + +This policy setting configures the synchronization of user settings for the Maps app. +By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. If you enable this policy setting, Maps user settings continue to sync. - If you disable this policy setting, Maps user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Maps* -- GP name: *Maps* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Maps | +| Friendly Name | Maps | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingMaps_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MaxPackageSizeInBytes -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes +``` - - -This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent doesn't report information about package file size. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes +``` + + + +This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. +If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. + -If you disable or don't configure this policy setting, no event is written to the event log to report settings package size. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Settings package size warning threshold* -- GP name: *MaxPackageSizeInBytes* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxPackageSizeInBytes | +| Friendly Name | Settings package size warning threshold | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010Access -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access +``` - - -This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Access 2010. +By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Access 2010* -- GP name: *MicrosoftOffice2010Access* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Access | +| Friendly Name | Microsoft Access 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010Common -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common +``` - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common +``` + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. +By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Office 2010 Common Settings* -- GP name: *MicrosoftOffice2010Common* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Common | +| Friendly Name | Microsoft Office 2010 Common Settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010Excel -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel +``` - - -This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Excel 2010. +By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Excel 2010* -- GP name: *MicrosoftOffice2010Excel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Excel | +| Friendly Name | Microsoft Excel 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010InfoPath -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath +``` - - -This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath +``` + + + +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. +By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft InfoPath 2010* -- GP name: *MicrosoftOffice2010InfoPath* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010InfoPath | +| Friendly Name | Microsoft InfoPath 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2010Lync - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Lync 2010. +By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Lync 2010* -- GP name: *MicrosoftOffice2010Lync* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Lync | +| Friendly Name | Microsoft Lync 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftLync2010 | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010OneNote -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote +``` - - -This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote +``` + + + +This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. +By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + - -ADMX Info: -- GP Friendly name: *Microsoft OneNote 2010* -- GP name: *MicrosoftOffice2010OneNote* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010OneNote | +| Friendly Name | Microsoft OneNote 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## MicrosoftOffice2010Outlook -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook +``` +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook +``` + + + + +This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. +By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Outlook 2010* -- GP name: *MicrosoftOffice2010Outlook* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Outlook | +| Friendly Name | Microsoft Outlook 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010PowerPoint -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint +``` - - -This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint +``` + + + +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. +By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft PowerPoint 2010* -- GP name: *MicrosoftOffice2010PowerPoint* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010PowerPoint | +| Friendly Name | Microsoft PowerPoint 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2010Project - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Project 2010. +By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Project 2010* -- GP name: *MicrosoftOffice2010Project* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Project | +| Friendly Name | Microsoft Project 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010Publisher -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher +``` - - -This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. +By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Publisher 2010* -- GP name: *MicrosoftOffice2010Publisher* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Publisher | +| Friendly Name | Microsoft Publisher 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2010SharePointDesigner - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner +``` + + + +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. +By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft SharePoint Designer 2010* -- GP name: *MicrosoftOffice2010SharePointDesigner* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010SharePointDesigner | +| Friendly Name | Microsoft SharePoint Designer 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010SharePointWorkspace -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace +``` - - -This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace +``` + + + +This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. +By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft SharePoint Workspace 2010* -- GP name: *MicrosoftOffice2010SharePointWorkspace* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010SharePointWorkspace | +| Friendly Name | Microsoft SharePoint Workspace 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2010Visio - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Visio 2010. +By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Visio 2010* -- GP name: *MicrosoftOffice2010Visio* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Visio | +| Friendly Name | Microsoft Visio 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2010Word -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word +``` - - -This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Word 2010. +By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. - If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Word 2010* -- GP name: *MicrosoftOffice2010Word* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2010Word | +| Friendly Name | Microsoft Word 2010 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013Access -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access +``` - - -This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Access 2013. +By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + - -ADMX Info: -- GP Friendly name: *Microsoft Access 2013* -- GP name: *MicrosoftOffice2013Access* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Access | +| Friendly Name | Microsoft Access 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## MicrosoftOffice2013AccessBackup -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup +``` +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Access 2013. +Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Access 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Access 2013 backup only* -- GP name: *MicrosoftOffice2013AccessBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013AccessBackup | +| Friendly Name | Access 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013Common - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common +``` -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common +``` + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. +By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Office 2013 Common Settings* -- GP name: *MicrosoftOffice2013Common* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Common | +| Friendly Name | Microsoft Office 2013 Common Settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013CommonBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup +``` + + + + This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. - Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. - If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. +If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Common 2013 backup only* -- GP name: *MicrosoftOffice2013CommonBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013CommonBackup | +| Friendly Name | Common 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013Excel - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel +``` + - - + + This policy setting configures the synchronization of user settings for Microsoft Excel 2013. - By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. - If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + - -ADMX Info: -- GP Friendly name: *Microsoft Excel 2013* -- GP name: *MicrosoftOffice2013Excel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Excel | +| Friendly Name | Microsoft Excel 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## MicrosoftOffice2013ExcelBackup -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup +``` +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup +``` + + + + +This policy setting configures the backup of certain user settings for Microsoft Excel 2013. +Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Excel 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Excel 2013 backup only* -- GP name: *MicrosoftOffice2013ExcelBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013ExcelBackup | +| Friendly Name | Excel 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013InfoPath - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath +``` + + + +This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. +By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft InfoPath 2013* -- GP name: *MicrosoftOffice2013InfoPath* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013InfoPath | +| Friendly Name | Microsoft InfoPath 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013InfoPathBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. +Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *InfoPath 2013 backup only* -- GP name: *MicrosoftOffice2013InfoPathBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013InfoPathBackup | +| Friendly Name | InfoPath 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013Lync - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Lync 2013. +By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Lync 2013* -- GP name: *MicrosoftOffice2013Lync* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Lync | +| Friendly Name | Microsoft Lync 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013LyncBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Lync 2013. +Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Lync 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Lync 2013 backup only* -- GP name: *MicrosoftOffice2013LyncBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013LyncBackup | +| Friendly Name | Lync 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013OneDriveForBusiness - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness +``` + + + +This policy setting configures the synchronization of user settings for OneDrive for Business 2013. +By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. - If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft OneDrive for Business 2013* -- GP name: *MicrosoftOffice2013OneDriveForBusiness* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OneDriveForBusiness | +| Friendly Name | Microsoft OneDrive for Business 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013OneNote - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote +``` + + + +This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. +By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft OneNote 2013* -- GP name: *MicrosoftOffice2013OneNote* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OneNote | +| Friendly Name | Microsoft OneNote 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013OneNoteBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. +Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft OneNote 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *OneNote 2013 backup only* -- GP name: *MicrosoftOffice2013OneNoteBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OneNoteBackup | +| Friendly Name | OneNote 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013Outlook - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. +By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Outlook 2013* -- GP name: *MicrosoftOffice2013Outlook* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Outlook | +| Friendly Name | Microsoft Outlook 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013OutlookBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. +Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Outlook 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Outlook 2013 backup only* -- GP name: *MicrosoftOffice2013OutlookBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013OutlookBackup | +| Friendly Name | Outlook 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013PowerPoint - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint +``` + + + +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. +By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft PowerPoint 2013* -- GP name: *MicrosoftOffice2013PowerPoint* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013PowerPoint | +| Friendly Name | Microsoft PowerPoint 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013PowerPointBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. +Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *PowerPoint 2013 backup only* -- GP name: *MicrosoftOffice2013PowerPointBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013PowerPointBackup | +| Friendly Name | PowerPoint 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013Project - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Project 2013. +By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Project 2013* -- GP name: *MicrosoftOffice2013Project* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Project | +| Friendly Name | Microsoft Project 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013ProjectBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Project 2013. +Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Project 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Project 2013 backup only* -- GP name: *MicrosoftOffice2013ProjectBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013ProjectBackup | +| Friendly Name | Project 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013Publisher - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. +By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Publisher 2013* -- GP name: *MicrosoftOffice2013Publisher* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Publisher | +| Friendly Name | Microsoft Publisher 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013PublisherBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. +Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Publisher 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Publisher 2013 backup only* -- GP name: *MicrosoftOffice2013PublisherBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013PublisherBackup | +| Friendly Name | Publisher 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013SharePointDesigner - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner +``` + + + +This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. +By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft SharePoint Designer 2013* -- GP name: *MicrosoftOffice2013SharePointDesigner* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    - +**ADMX mapping**: -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013SharePointDesigner | +| Friendly Name | Microsoft SharePoint Designer 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013SharePointDesignerBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. +Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *SharePoint Designer 2013 backup only* -- GP name: *MicrosoftOffice2013SharePointDesignerBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013SharePointDesignerBackup | +| Friendly Name | SharePoint Designer 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013UploadCenter - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. +By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. - If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Office 2013 Upload Center* -- GP name: *MicrosoftOffice2013UploadCenter* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013UploadCenter | +| Friendly Name | Microsoft Office 2013 Upload Center | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013Visio -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio +``` - - -This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Visio 2013. +By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Visio 2013* -- GP name: *MicrosoftOffice2013Visio* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Visio | +| Friendly Name | Microsoft Visio 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2013VisioBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Visio 2013. +Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Visio 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Visio 2013 backup only* -- GP name: *MicrosoftOffice2013VisioBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013VisioBackup | +| Friendly Name | Visio 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2013Word - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Word 2013. +By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. - If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Word 2013* -- GP name: *MicrosoftOffice2013Word* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013Word | +| Friendly Name | Microsoft Word 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2013WordBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Word 2013. +Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Word 2013 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Word 2013 backup only* -- GP name: *MicrosoftOffice2013WordBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2013WordBackup | +| Friendly Name | Word 2013 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016Access - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Access 2016. +By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Access 2016* -- GP name: *MicrosoftOffice2016Access* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Access | +| Friendly Name | Microsoft Access 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2016AccessBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Access 2016. +Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Access 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Access 2016 backup only* -- GP name: *MicrosoftOffice2016AccessBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016AccessBackup | +| Friendly Name | Access 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016Common - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common +``` + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. +By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. - If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 2016 Common Settings* -- GP name: *MicrosoftOffice2016Common* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Common | +| Friendly Name | Microsoft Office 2016 Common Settings | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016CommonBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup +``` + - - + + This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. - If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. +If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Common 2016 backup only* -- GP name: *MicrosoftOffice2016CommonBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016CommonBackup | +| Friendly Name | Common 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016Excel - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Excel 2016. +By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Excel 2016* -- GP name: *MicrosoftOffice2016Excel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Excel | +| Friendly Name | Microsoft Excel 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016ExcelBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Excel 2016. +Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Excel 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Excel 2016 backup only* -- GP name: *MicrosoftOffice2016ExcelBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016ExcelBackup | +| Friendly Name | Excel 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016Lync - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Lync 2016. +By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Lync 2016* -- GP name: *MicrosoftOffice2016Lync* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Lync | +| Friendly Name | Microsoft Lync 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016LyncBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Lync 2016. +Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Lync 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Lync 2016 backup only* -- GP name: *MicrosoftOffice2016LyncBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016LyncBackup | +| Friendly Name | Lync 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016OneDriveForBusiness - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness +``` + + + +This policy setting configures the synchronization of user settings for OneDrive for Business 2016. +By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. - If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft OneDrive for Business 2016* -- GP name: *MicrosoftOffice2016OneDriveForBusiness* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OneDriveForBusiness | +| Friendly Name | Microsoft OneDrive for Business 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016OneNote - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote +``` + + + +This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. +By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft OneNote 2016* -- GP name: *MicrosoftOffice2016OneNote* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OneNote | +| Friendly Name | Microsoft OneNote 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2016OneNoteBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. +Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft OneNote 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *OneNote 2016 backup only* -- GP name: *MicrosoftOffice2016OneNoteBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OneNoteBackup | +| Friendly Name | OneNote 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016Outlook - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. +By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Outlook 2016* -- GP name: *MicrosoftOffice2016Outlook* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Outlook | +| Friendly Name | Microsoft Outlook 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2016OutlookBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. +Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Outlook 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Outlook 2016 backup only* -- GP name: *MicrosoftOffice2016OutlookBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016OutlookBackup | +| Friendly Name | Outlook 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016PowerPoint - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint +``` + + + +This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. +By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft PowerPoint 2016* -- GP name: *MicrosoftOffice2016PowerPoint* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016PowerPoint | +| Friendly Name | Microsoft PowerPoint 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2016PowerPointBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. +Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *PowerPoint 2016 backup only* -- GP name: *MicrosoftOffice2016PowerPointBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016PowerPointBackup | +| Friendly Name | PowerPoint 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016Project - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project +``` + - - + + This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. - If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Project 2016* -- GP name: *MicrosoftOffice2016Project* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Project | +| Friendly Name | Microsoft Project 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016ProjectBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Project 2016. +Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Project 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Project 2016 backup only* -- GP name: *MicrosoftOffice2016ProjectBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016ProjectBackup | +| Friendly Name | Project 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016Publisher - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. +By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Publisher 2016* -- GP name: *MicrosoftOffice2016Publisher* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Publisher | +| Friendly Name | Microsoft Publisher 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016PublisherBackup - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup +``` -
    - - - -This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. +Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Publisher 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Publisher 2016 backup only* -- GP name: *MicrosoftOffice2016PublisherBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016PublisherBackup | +| Friendly Name | Publisher 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016UploadCenter - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. +By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. - If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 2016 Upload Center* -- GP name: *MicrosoftOffice2016UploadCenter* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016UploadCenter | +| Friendly Name | Microsoft Office 2016 Upload Center | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice2016Visio - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Visio 2016. +By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Visio 2016* -- GP name: *MicrosoftOffice2016Visio* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Visio | +| Friendly Name | Microsoft Visio 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2016VisioBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Visio 2016. +Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Visio 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Visio 2016 backup only* -- GP name: *MicrosoftOffice2016VisioBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016VisioBackup | +| Friendly Name | Visio 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice2016Word - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Word 2016. +By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. - If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Word 2016* -- GP name: *MicrosoftOffice2016Word* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016Word | +| Friendly Name | Microsoft Word 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice2016WordBackup -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup +``` - - -This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup +``` + + + +This policy setting configures the backup of certain user settings for Microsoft Word 2016. +Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. +If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, certain user settings of Microsoft Word 2016 won't be backed up. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Word 2016 backup only* -- GP name: *MicrosoftOffice2016WordBackup* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice2016WordBackup | +| Friendly Name | Word 2016 backup only | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MicrosoftOffice365Access2013 - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Access 2013* -- GP name: *MicrosoftOffice365Access2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Access2013 | +| Friendly Name | Microsoft Office 365 Access 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Access2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Access 2016* -- GP name: *MicrosoftOffice365Access2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Access2016 | +| Friendly Name | Microsoft Office 365 Access 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Common2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 +``` -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013 +``` + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. - If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Common 2013* -- GP name: *MicrosoftOffice365Common2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    - +**ADMX mapping**: -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Common2013 | +| Friendly Name | Microsoft Office 365 Common 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Common2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 +``` -
    - - - -This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016 +``` + + + +This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. - If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Common 2016* -- GP name: *MicrosoftOffice365Common2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Common2016 | +| Friendly Name | Microsoft Office 365 Common 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Excel2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Excel 2013* -- GP name: *MicrosoftOffice365Excel2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Excel2013 | +| Friendly Name | Microsoft Office 365 Excel 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Excel2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Excel 2016* -- GP name: *MicrosoftOffice365Excel2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Excel2016 | +| Friendly Name | Microsoft Office 365 Excel 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365InfoPath2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 InfoPath 2013* -- GP name: *MicrosoftOffice365InfoPath2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365InfoPath2013 | +| Friendly Name | Microsoft Office 365 InfoPath 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice365Lync2013 -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 +``` - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Lync 2013* -- GP name: *MicrosoftOffice365Lync2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Lync2013 | +| Friendly Name | Microsoft Office 365 Lync 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Lync2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Lync 2016* -- GP name: *MicrosoftOffice365Lync2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Lync2016 | +| Friendly Name | Microsoft Office 365 Lync 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365OneNote2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 OneNote 2013* -- GP name: *MicrosoftOffice365OneNote2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365OneNote2013 | +| Friendly Name | Microsoft Office 365 OneNote 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365OneNote2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 OneNote 2016* -- GP name: *MicrosoftOffice365OneNote2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365OneNote2016 | +| Friendly Name | Microsoft Office 365 OneNote 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Outlook2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Outlook 2013* -- GP name: *MicrosoftOffice365Outlook2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Outlook2013 | +| Friendly Name | Microsoft Office 365 Outlook 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Outlook2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Outlook 2016* -- GP name: *MicrosoftOffice365Outlook2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Outlook2016 | +| Friendly Name | Microsoft Office 365 Outlook 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365PowerPoint2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 PowerPoint 2013* -- GP name: *MicrosoftOffice365PowerPoint2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365PowerPoint2013 | +| Friendly Name | Microsoft Office 365 PowerPoint 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365PowerPoint2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 PowerPoint 2016* -- GP name: *MicrosoftOffice365PowerPoint2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365PowerPoint2016 | +| Friendly Name | Microsoft Office 365 PowerPoint 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Project2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Project 2013* -- GP name: *MicrosoftOffice365Project2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    - +**ADMX mapping**: -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Project2013 | +| Friendly Name | Microsoft Office 365 Project 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Project2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Project 2016* -- GP name: *MicrosoftOffice365Project2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Project2016 | +| Friendly Name | Microsoft Office 365 Project 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Publisher2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Publisher 2013* -- GP name: *MicrosoftOffice365Publisher2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Publisher2013 | +| Friendly Name | Microsoft Office 365 Publisher 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Publisher2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Publisher 2016* -- GP name: *MicrosoftOffice365Publisher2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Publisher2016 | +| Friendly Name | Microsoft Office 365 Publisher 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice365SharePointDesigner2013 -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 +``` - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 SharePoint Designer 2013* -- GP name: *MicrosoftOffice365SharePointDesigner2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365SharePointDesigner2013 | +| Friendly Name | Microsoft Office 365 SharePoint Designer 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Visio2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Visio 2013* -- GP name: *MicrosoftOffice365Visio2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Visio2013 | +| Friendly Name | Microsoft Office 365 Visio 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MicrosoftOffice365Visio2016 -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 +``` - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Visio 2016* -- GP name: *MicrosoftOffice365Visio2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Visio2016 | +| Friendly Name | Microsoft Office 365 Visio 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Word2013 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Word 2013* -- GP name: *MicrosoftOffice365Word2013* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Word2013 | +| Friendly Name | Microsoft Office 365 Word 2013 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MicrosoftOffice365Word2016 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 +``` -
    - - - -This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016 +``` + + + +This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. - If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Microsoft Office 365 Word 2016* -- GP name: *MicrosoftOffice365Word2016* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Music** +| Name | Value | +|:--|:--| +| Name | MicrosoftOffice365Word2016 | +| Friendly Name | Microsoft Office 365 Word 2016 | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Music - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Music +``` -
    - - - -This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Music +``` + + + +This policy setting configures the synchronization of user settings for the Music app. +By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. If you enable this policy setting, Music user settings continue to sync. - If you disable this policy setting, Music user settings are excluded from the synchronizing settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Music* -- GP name: *Music* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_UserExperienceVirtualization/News** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Music | +| Friendly Name | Music | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneMusic_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## News -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/News +``` - - -This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/News +``` + + + +This policy setting configures the synchronization of user settings for the News app. +By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. If you enable this policy setting, News user settings continue to sync. - If you disable this policy setting, News user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *News* -- GP name: *News* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Notepad** +| Name | Value | +|:--|:--| +| Name | News | +| Friendly Name | News | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingNews_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Notepad - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Notepad +``` -
    - - - -This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Notepad +``` + + + +This policy setting configures the synchronization of user settings of Notepad. +By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. If you enable this policy setting, the Notepad user settings continue to synchronize. - If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Notepad* -- GP name: *Notepad* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Reader** +| Name | Value | +|:--|:--| +| Name | Notepad | +| Friendly Name | Notepad | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftNotepad6 | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Reader - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Reader +``` -
    - - - -This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Reader +``` + + + +This policy setting configures the synchronization of user settings for the Reader app. +By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. If you enable this policy setting, Reader user settings continue to sync. - If you disable this policy setting, Reader user settings are excluded from the synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Reader* -- GP name: *Reader* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | Reader | +| Friendly Name | Reader | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.Reader_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/RepositoryTimeout** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## RepositoryTimeout - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/RepositoryTimeout +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/RepositoryTimeout +``` + + + +This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. +You can use this setting to override the default value of 2000 milliseconds. If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. +If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. + -If you disable or don't configure this policy setting, the default value of 2000 milliseconds is used. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Synchronization timeout* -- GP name: *RepositoryTimeout* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/SettingsStoragePath** +| Name | Value | +|:--|:--| +| Name | RepositoryTimeout | +| Friendly Name | Synchronization timeout | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SettingsStoragePath - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SettingsStoragePath +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SettingsStoragePath +``` + - - + + This policy setting configures where the settings package files that contain user settings are stored. - If you enable this policy setting, the user settings are stored in the specified location. +If you disable or do not configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. + -If you disable or don't configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Settings storage path* -- GP name: *SettingsStoragePath* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath** +| Name | Value | +|:--|:--| +| Name | SettingsStoragePath | +| Friendly Name | Settings storage path | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SettingsTemplateCatalogPath - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath +``` + -
    - - - + + This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. - If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. - If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. - If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. +If you disable this policy setting, the UE-V Agent will not use the custom settings location templates. If you disable this policy setting after it has been enabled, the UE-V Agent will not restore the default Microsoft templates. +If you do not configure this policy setting, any defined values will be deleted. + -If you disable this policy setting, the UE-V Agent won't use the custom settings location templates. If you disable this policy setting after it has been enabled, the UE-V Agent won't restore the default Microsoft templates. + + + -If you don't configure this policy setting, any defined values will be deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Settings template catalog path* -- GP name: *SettingsTemplateCatalogPath* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SettingsTemplateCatalogPath | +| Friendly Name | Settings template catalog path | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/Sports** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Sports - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Sports +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Sports +``` + + + +This policy setting configures the synchronization of user settings for the Sports app. +By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. If you enable this policy setting, Sports user settings continue to sync. - If you disable this policy setting, Sports user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Sports* -- GP name: *Sports* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/SyncEnabled** +| Name | Value | +|:--|:--| +| Name | Sports | +| Friendly Name | Sports | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingSports_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SyncEnabled - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncEnabled +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncEnabled +``` + - - + + This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use User Experience Virtualization (UE-V)* -- GP name: *SyncEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SyncEnabled | +| Friendly Name | Use User Experience Virtualization (UE-V) | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SyncOverMeteredNetwork -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork +``` - - -This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent doesn't synchronize settings over a metered connection. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork +``` + + + +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. +By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. +With this setting disabled, the UE-V Agent does not synchronize settings over a metered connection. +If you do not configure this policy setting, any defined values are deleted. + -With this setting disabled, the UE-V Agent doesn't synchronize settings over a metered connection. + + + -If you don't configure this policy setting, any defined values are deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Sync settings over metered connections* -- GP name: *SyncOverMeteredNetwork* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SyncSettingsOverMetered | +| Friendly Name | Sync settings over metered connections | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncOverMeteredNetwork | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SyncOverMeteredNetworkWhenRoaming - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming +``` -> [!div class = "checklist"] -> * Device -> * User - -
    - - - -This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent doesn't synchronize settings over a metered connection that is roaming. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming +``` + + + +This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. +By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. +With this setting disabled, the UE-V Agent will not synchronize settings over a metered connection that is roaming. +If you do not configure this policy setting, any defined values are deleted. + -With this setting disabled, the UE-V Agent won't synchronize settings over a metered connection that is roaming. + + + -If you don't configure this policy setting, any defined values are deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Sync settings over metered connections even when roaming* -- GP name: *SyncOverMeteredNetworkWhenRoaming* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | SyncSettingsOverMeteredRoaming | +| Friendly Name | Sync settings over metered connections even when roaming | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncOverMeteredNetworkWhenRoaming | +| ADMX File Name | UserExperienceVirtualization.admx | + - -**ADMX_UserExperienceVirtualization/SyncProviderPingEnabled** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## SyncProviderPingEnabled - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncProviderPingEnabled +``` -> [!div class = "checklist"] -> * Device -> * User +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncProviderPingEnabled +``` + -
    - - - + + This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. - If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. - If you disable this policy setting, the sync provider doesn’t ping the settings storage location before synchronizing settings packages. +If you do not configure this policy, any defined values will be deleted. + -If you don't configure this policy, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Ping the settings storage location before sync* -- GP name: *SyncProviderPingEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps** +| Name | Value | +|:--|:--| +| Name | SyncProviderPingEnabled | +| Friendly Name | Ping the settings storage location before sync | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncProviderPingEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SyncUnlistedWindows8Apps - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps +``` + + + +This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. +By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. - With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized. +If you do not configure this policy setting, any defined values are deleted. + -If you don't configure this policy setting, any defined values are deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Sync Unlisted Windows Apps* -- GP name: *SyncUnlistedWindows8Apps* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Travel** +| Name | Value | +|:--|:--| +| Name | SyncUnlistedWindows8Apps | +| Friendly Name | Sync Unlisted Windows Apps | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | SyncUnlistedWindows8Apps | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Travel - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Travel +``` -
    - - - -This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Travel +``` + + + +This policy setting configures the synchronization of user settings for the Travel app. +By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. If you enable this policy setting, Travel user settings continue to sync. - If you disable this policy setting, Travel user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Travel* -- GP name: *Travel* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/TrayIconEnabled** +| Name | Value | +|:--|:--| +| Name | Travel | +| Friendly Name | Travel | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingTravel_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TrayIconEnabled - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/TrayIconEnabled +``` + -
    - - - + + This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. +If you do not configure this policy setting, any defined values are deleted. + -With this setting disabled, the tray icon doesn't appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. + + + -If you don't configure this policy setting, any defined values are deleted. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Tray Icon* -- GP name: *TrayIconEnabled* -- GP path: *Windows Components\Microsoft User Experience Virtualization* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Video** +| Name | Value | +|:--|:--| +| Name | TrayIconEnabled | +| Friendly Name | Tray Icon | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration | +| Registry Value Name | TrayIconEnabled | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Video - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Video +``` -
    - - - -This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Video +``` + + + +This policy setting configures the synchronization of user settings for the Video app. +By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. If you enable this policy setting, Video user settings continue to sync. - If you disable this policy setting, Video user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Video* -- GP name: *Video* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_UserExperienceVirtualization/Weather** +| Name | Value | +|:--|:--| +| Name | Video | +| Friendly Name | Video | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneVideo_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Weather - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Weather +``` -
    - - - -This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Weather +``` + + + +This policy setting configures the synchronization of user settings for the Weather app. +By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. If you enable this policy setting, Weather user settings continue to sync. - If you disable this policy setting, Weather user settings are excluded from synchronization. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Weather* -- GP name: *Weather* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Windows Apps* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    - +**ADMX mapping**: -**ADMX_UserExperienceVirtualization/Wordpad** +| Name | Value | +|:--|:--| +| Name | Weather | +| Friendly Name | Weather | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Windows Apps | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingWeather_8wekyb3d8bbwe | +| Registry Value Name | SyncSettings | +| ADMX File Name | UserExperienceVirtualization.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Wordpad - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Wordpad +``` -
    - - - -This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserExperienceVirtualization/Wordpad +``` + + + +This policy setting configures the synchronization of user settings of WordPad. +By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. If you enable this policy setting, the WordPad user settings continue to synchronize. - If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. +If you do not configure this policy setting, any defined values will be deleted. + -If you don't configure this policy setting, any defined values will be deleted. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *WordPad* -- GP name: *Wordpad* -- GP path: *Windows Components\Microsoft User Experience Virtualization\Applications* -- GP ADMX file name: *UserExperienceVirtualization.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Wordpad | +| Friendly Name | WordPad | +| Location | Computer and User Configuration | +| Path | Windows Components > Microsoft User Experience Virtualization > Applications | +| Registry Key Name | Software\Policies\Microsoft\UEV\Agent\Configuration\Applications | +| Registry Value Name | MicrosoftWordpad6 | +| ADMX File Name | UserExperienceVirtualization.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 67c7143e09..9b8a21444a 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,468 +1,553 @@ --- -title: Policy CSP - ADMX_UserProfiles -description: Learn about Policy CSP - ADMX_UserProfiles. +title: ADMX_UserProfiles Policy CSP +description: Learn more about the ADMX_UserProfiles Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/11/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_UserProfiles -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_UserProfiles policies +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_UserProfiles/CleanupProfiles -
    -
    - ADMX_UserProfiles/DontForceUnloadHive -
    -
    - ADMX_UserProfiles/LeaveAppMgmtData -
    -
    - ADMX_UserProfiles/LimitSize -
    -
    - ADMX_UserProfiles/ProfileErrorAction -
    -
    - ADMX_UserProfiles/SlowLinkTimeOut -
    -
    - ADMX_UserProfiles/USER_HOME -
    -
    - ADMX_UserProfiles/UserInfoAccessAction -
    -
    + + + + +## CleanupProfiles -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_UserProfiles/CleanupProfiles** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/CleanupProfiles +``` + - + + +This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**Note**: One day is interpreted as 24 hours after a specific user profile was accessed. - -
    +If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. + -> [!div class = "checklist"] -> * Device + + + -
    + +**Description framework properties**: - - -This policy setting allows an administrator to automatically delete user profiles on system restart that haven't been used within a specified number of days. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> One day is interpreted as 24 hours after a specific user profile was accessed. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that haven't been used within the specified number of days. +**ADMX mapping**: -If you disable or don't configure this policy setting, User Profile Service won't automatically delete any profiles on the next system restart. +| Name | Value | +|:--|:--| +| Name | CleanupProfiles | +| Friendly Name | Delete user profiles older than a specified number of days on system restart | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | UserProfiles.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Delete user profiles older than a specified number of days on system restart* -- GP name: *CleanupProfiles* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + - - -
    + +## DontForceUnloadHive - -**ADMX_UserProfiles/DontForceUnloadHive** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/DontForceUnloadHive +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. - -
    +Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. -> [!div class = "checklist"] -> * Device +If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. + -
    + + + - - -This policy setting controls whether Windows forcefully unloads the user's registry at sign out, even if there are open handles to the per-user registry keys. + +**Description framework properties**: -> [!NOTE] -> This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting, Windows won't forcefully unload the user's registry at sign out, but will unload the registry when all open handles to the per-user registry keys are closed. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you disable or don't configure this policy setting, Windows will always unload the user's registry at sign out, even if there are any open handles to the per-user registry keys at user sign out. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DontForceUnloadHive | +| Friendly Name | Do not forcefully unload the users registry at user logoff | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableForceUnload | +| ADMX File Name | UserProfiles.admx | + - -ADMX Info: -- GP Friendly name: *Do not forcefully unload the users registry at user logoff* -- GP name: *DontForceUnloadHive* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + + + - - -
    + - -**ADMX_UserProfiles/LeaveAppMgmtData** + +## LeaveAppMgmtData - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LeaveAppMgmtData +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. -By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time roaming users whose profiles were previously deleted on that client sign in, they'll need to reinstall all apps published via policy at sign in, increasing sign-in time. You can use this policy setting to change this behavior. +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. -If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This data retention will improve the performance of Group Policy-based Software Installation during user sign in when a user profile is deleted and that user later signs in to the machine. +If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. -If you disable or don't configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. +If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. -> [!NOTE] -> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. +Note: If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. + - + + + - -ADMX Info: -- GP Friendly name: *Leave Windows Installer and Group Policy Software Installation Data* -- GP name: *LeaveAppMgmtData* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/LimitSize** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | LeaveAppMgmtData | +| Friendly Name | Leave Windows Installer and Group Policy Software Installation Data | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | LeaveAppMgmtData | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## ProfileErrorAction -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/ProfileErrorAction +``` + -If you disable this policy setting or don't configure it, the system doesn't limit the size of user profiles. + + +This policy setting will automatically log off a user when Windows cannot load their profile. -If you enable this policy setting, you can: +If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. -- Set a maximum permitted user profile size. -- Determine whether the registry files are included in the calculation of the profile size. -- Determine whether users are notified when the profile exceeds the permitted maximum size. -- Specify a customized message notifying users of the oversized profile. -- Determine how often the customized message is displayed. +If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. - - - -ADMX Info: -- GP Friendly name: *Limit profile size* -- GP name: *LimitSize* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -
    - - -**ADMX_UserProfiles/ProfileErrorAction** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting will automatically sign out a user when Windows can't load their profile. - -If Windows can't access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. - -If you enable this policy setting, Windows won't sign in users with a temporary profile. Windows signs out the users if their profiles can't be loaded. - -If you disable this policy setting or don't configure it, Windows logs on the user with a temporary profile when Windows can't load their user profile. +If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. Also, see the "Delete cached copies of roaming profiles" policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Do not log users on with temporary profiles* -- GP name: *ProfileErrorAction* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/SlowLinkTimeOut** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ProfileErrorAction | +| Friendly Name | Do not log users on with temporary profiles | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | ProfileErrorAction | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## SlowLinkTimeOut -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/SlowLinkTimeOut +``` + + + + This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. -To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined. +To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer, the network's latency and connection speed are determined. This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there's no local copy of the roaming profile to load when the system detects a slow connection. +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections. - +**Important**: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. + - -ADMX Info: -- GP Friendly name: *Control slow network connection timeout for user profiles* -- GP name: *SlowLinkTimeOut* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_UserProfiles/USER_HOME** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | SlowLinkTimeOut | +| Friendly Name | Control slow network connection timeout for user profiles | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | UserProfiles.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## USER_HOME - - -This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a sign-in session. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/USER_HOME +``` + + + + +This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. -To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. +To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. -Don't specify environment variables or ellipses in the path. Also, don't specify a placeholder for the user name because the user name will be appended at sign in. +Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. -> [!NOTE] -> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. +Note: The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. -If you disable or don't configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. +If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. + - + + + - -ADMX Info: -- GP Friendly name: *Set user home folder* -- GP name: *USER_HOME* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_UserProfiles/UserInfoAccessAction** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | USER_HOME | +| Friendly Name | Set user home folder | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | UserProfiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## UserInfoAccessAction -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/UserInfoAccessAction +``` + + + + This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: -- "Always on" - users won't be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. -- "Always off" - users won't be able to change this setting and the user's name and account picture won't be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability won't be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. +"Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. -If you don't configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn off the setting. +"Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. - +If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. + - -ADMX Info: -- GP Friendly name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)* -- GP name: *UserInfoAccessAction* -- GP path: *System\User Profiles* -- GP ADMX file name: *UserProfiles.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | UserInfoAccessAction_Name | +| Friendly Name | User management of sharing user name, account picture, and domain information with apps (not desktop apps) | +| Location | Computer Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | AllowUserInfoAccess | +| ADMX File Name | UserProfiles.admx | + + + + + + + + + +## LimitSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize +``` + + + + +This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +-- Set a maximum permitted user profile size. +-- Determine whether the registry files are included in the calculation of the profile size. +-- Determine whether users are notified when the profile exceeds the permitted maximum size. +-- Specify a customized message notifying users of the oversized profile. +-- Determine how often the customized message is displayed. + +Note: In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LimitSize | +| Friendly Name | Limit profile size | +| Location | User Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableProfileQuota | +| ADMX File Name | UserProfiles.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From ce00286aaf82e9be720180c5c5d4c8c31de4e49a Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 15:47:49 -0500 Subject: [PATCH 097/152] ADMX_LanmanWorkstation policy review --- .../mdm/policy-csp-admx-lanmanworkstation.md | 311 ++++++++++-------- 1 file changed, 166 insertions(+), 145 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 7d6f194bfc..60fc930a3d 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,218 +1,239 @@ --- -title: Policy CSP - ADMX_LanmanWorkstation -description: Learn about the Policy CSP - ADMX_LanmanWorkstation. +title: ADMX_LanmanWorkstation Policy CSP +description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LanmanWorkstation ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_LanmanWorkstation policies + +## Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanWorkstation/Pol_CipherSuiteOrder -
    -
    - ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles -
    -
    - ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanWorkstation/Pol_CipherSuiteOrder +``` + -
    - - -**ADMX_LanmanWorkstation/Pol_CipherSuiteOrder** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines the cipher suites used by the SMB client. If you enable this policy setting, cipher suites are prioritized in the order specified. -If you enable this policy setting and don't specify at least one supported cipher suite, or if you disable or don't configure this policy setting, the default cipher suite order is used. +If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. SMB 3.11 cipher suites: -- AES_128_GCM -- AES_128_CCM -- AES_256_GCM -- AES_256_CCM - -> [!NOTE] -> AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore. +AES_128_GCM +AES_128_CCM +AES_256_GCM +AES_256_CCM SMB 3.0 and 3.02 cipher suites: -- AES_128_CCM +AES_128_CCM How to modify this setting: Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. -> [!NOTE] -> When configuring this security setting, changes will not take effect until you restart Windows. +Note: When configuring this security setting, changes will not take effect until you restart Windows. + - + +[!NOTE] +AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore. + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Cipher suite order* -- GP name: *Pol_CipherSuiteOrder* -- GP path: *Network\Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_CipherSuiteOrder_Name | +| Friendly Name | Cipher suite order | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| ADMX File Name | LanmanWorkstation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_EnableHandleCachingForCAFiles -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles +``` + - - + + This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. -If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This provision may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. +If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. -If you disable or don't configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. +If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. -> [!NOTE] -> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft doesn't recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. +Note: This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Handle Caching on Continuous Availability Shares* -- GP name: *Pol_EnableHandleCachingForCAFiles* -- GP path: *Network\Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_EnableHandleCachingForCAFiles_Name | +| Friendly Name | Handle Caching on Continuous Availability Shares | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | EnableHandleCachingForCAFiles | +| ADMX File Name | LanmanWorkstation.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_EnableOfflineFilesforCAShares -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares +``` + - - + + This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. -If you disable or don't configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. +If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. -> [!NOTE] -> Microsoft doesn't recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. +Note: Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Offline Files Availability on Continuous Availability Shares* -- GP name: *Pol_EnableOfflineFilesforCAShares* -- GP path: *Network\Lanman Workstation* -- GP ADMX file name: *LanmanWorkstation.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_EnableCSCforCAShares_Name | +| Friendly Name | Offline Files Availability on Continuous Availability Shares | +| Location | Computer Configuration | +| Path | Network > Lanman Workstation | +| Registry Key Name | Software\Policies\Microsoft\Windows\LanmanWorkstation | +| Registry Value Name | AllowOfflineFilesforCAShares | +| ADMX File Name | LanmanWorkstation.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 7f413184a1bc90042bdbf6a934428fc3c2acbb80 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 15:57:16 -0500 Subject: [PATCH 098/152] ADMX_LeakDiagnostic policy review --- .../mdm/policy-csp-admx-leakdiagnostic.md | 136 +++++++++--------- 1 file changed, 71 insertions(+), 65 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index 665083e58a..46666166e3 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -1,100 +1,106 @@ --- -title: Policy CSP - ADMX_LeakDiagnostic -description: Learn about the Policy CSP - ADMX_LeakDiagnostic. +title: ADMX_LeakDiagnostic Policy CSP +description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LeakDiagnostic > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_LeakDiagnostic policies + + + -
    -
    - ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy -
    -
    + +## WdiScenarioExecutionPolicy + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy +``` + - -**ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy** + + +This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems. - +If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable this policy setting, the DPS is not able to diagnose memory leak problems. - -
    +This policy setting takes effect only under the following conditions: +-- If the diagnostics-wide scenario execution policy is not configured. +-- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Note: The DPS can be configured with the Services snap-in to the Microsoft Management Console. -> [!div class = "checklist"] -> * Machine +No operating system restart or service restart is required for this policy to take effect. Changes take effect immediately. + -
    + +[!NOTE] +For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + - - -This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. + +**Description framework properties**: -If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +**ADMX mapping**: -This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Memory Leak Diagnosis | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{eb73b633-3f4e-4ba0-8f60-8f3c6f53168f} | +| ADMX File Name | LeakDiagnostic.admx | + -The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + -> [!NOTE] -> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + - + + + + - -ADMX Info: -- GP Friendly name: *Configure custom alert text* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* -- GP ADMX file name: *LeakDiagnostic.admx* +## Related articles - - -
    - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 70b3b885a1dcc6bc383d367ed51908cecc84a628 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 16:05:16 -0500 Subject: [PATCH 099/152] ADMX_LinkLayerTopologyDiscovery policy review --- ...icy-csp-admx-linklayertopologydiscovery.md | 213 ++++++++++-------- 1 file changed, 115 insertions(+), 98 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 2360df199e..adbbc2cf3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -1,145 +1,162 @@ --- -title: Policy CSP - ADMX_LinkLayerTopologyDiscovery -description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery. +title: ADMX_LinkLayerTopologyDiscovery Policy CSP +description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/04/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LinkLayerTopologyDiscovery ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_LinkLayerTopologyDiscovery policies + +## LLTD_EnableLLTDIO -
    -
    - ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO -
    -
    - ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO +``` + -
    - - -**ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. -If you enable this policy setting, more options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. +If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. -If you disable or don't configure this policy setting, the default behavior of LLTDIO will apply. +If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Mapper I/O (LLTDIO) driver* -- GP name: *LLTD_EnableLLTDIO* -- GP path: *Network/Link-Layer Topology Discovery* -- GP ADMX file name: *LinkLayerTopologyDiscovery.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LLTD_EnableLLTDIO | +| Friendly Name | Turn on Mapper I/O (LLTDIO) driver | +| Location | Computer Configuration | +| Path | Network > Link-Layer Topology Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\LLTD | +| Registry Value Name | EnableLLTDIO | +| ADMX File Name | LinkLayerTopologyDiscovery.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LLTD_EnableRspndr -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr +``` + - - + + This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. -If you enable this policy setting, more options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. +If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. -If you disable or don't configure this policy setting, the default behavior for the Responder will apply. +If you disable or do not configure this policy setting, the default behavior for the Responder will apply. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Responder (RSPNDR) driver* -- GP name: *LLTD_EnableRspndr* -- GP path: *Network/Link-Layer Topology Discovery* -- GP ADMX file name: *LinkLayerTopologyDiscovery.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | LLTD_EnableRspndr | +| Friendly Name | Turn on Responder (RSPNDR) driver | +| Location | Computer Configuration | +| Path | Network > Link-Layer Topology Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\LLTD | +| Registry Value Name | EnableRspndr | +| ADMX File Name | LinkLayerTopologyDiscovery.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From ac76019f0008ed26348f30f5cd85311638efdb93 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Tue, 3 Jan 2023 16:11:29 -0500 Subject: [PATCH 100/152] ADMX_LocationProviderAdm policy review --- .../policy-csp-admx-locationprovideradm.md | 136 +++++++++--------- 1 file changed, 71 insertions(+), 65 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index ef3c5aaed0..1c2c560e41 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -1,93 +1,99 @@ --- -title: Policy CSP - ADMX_LocationProviderAdm -description: Learn about Policy CSP - ADMX_LocationProviderAdm. +title: ADMX_LocationProviderAdm Policy CSP +description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_LocationProviderAdm -> [!WARNING] -> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_LocationProviderAdm policies + +[!WARNING] +Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + -
    -
    - ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 -
    -
    + +## DisableWindowsLocationProvider_1 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 +``` + - -**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
    - - - + + This policy setting turns off the Windows Location Provider feature for this computer. -- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer won't be able to use the Windows Location Provider feature. +If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. -- If you disable or don't configure this policy setting, all programs on this computer can use the Windows Location Provider feature. +If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Windows Location Provider* -- GP name: *DisableWindowsLocationProvider_1* -- GP path: *Windows Components\Location and Sensors\Windows Location Provider* -- GP ADMX file name: *LocationProviderAdm.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> These policies are currently only available as a part of Windows Insider release. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | DisableWindowsLocationProvider | +| Friendly Name | Turn off Windows Location Provider | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors > Windows Location Provider | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableWindowsLocationProvider | +| ADMX File Name | LocationProviderAdm.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From aa124a34650fc833dd943f831e643d2d71330bb6 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 3 Jan 2023 17:10:40 -0500 Subject: [PATCH 101/152] Changes per Nick's notes. --- .../mdm/policy-csp-abovelock.md | 1 - .../mdm/policy-csp-accounts.md | 3 +- .../mdm/policy-csp-admx-controlpanel.md | 1 - .../policy-csp-admx-controlpaneldisplay.md | 3 - .../mdm/policy-csp-admx-credui.md | 1 - .../mdm/policy-csp-admx-eaime.md | 12 +- .../mdm/policy-csp-admx-explorer.md | 1 - .../mdm/policy-csp-admx-framepanes.md | 212 +++--- .../mdm/policy-csp-admx-iscsi.md | 669 ++++++++++++++---- .../mdm/policy-csp-admx-kdc.md | 585 ++++++++------- 10 files changed, 986 insertions(+), 502 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 5adb27e901..9be972e3d9 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -98,7 +98,6 @@ If you disable this setting, the system will need to be unlocked for the user to -Added in Windows 10, version 1607. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 59adf963ba..5da980cc1a 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -146,7 +146,6 @@ Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant -Added in Windows 10, version 1703. @@ -234,7 +233,7 @@ This setting determines whether to only allow enterprise device authentication f -Added in Windows 11, version 22H2. Most restricted value is 1. +Most restricted value is 1. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 721c8e5306..25cd051506 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -194,7 +194,6 @@ If users try to select a Control Panel item from the Properties item on a contex -Available in the latest Windows 10 Insider Preview Build. diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 324a63ed77..013ba7d794 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -240,7 +240,6 @@ If you disable or do not configure this policy setting, users that are not requi -Available in the latest Windows 10 Insider Preview Build. @@ -364,7 +363,6 @@ If you disable or do not configure this setting, the default theme will be appli -Available in the latest Windows 10 Insider Preview Build. @@ -1099,7 +1097,6 @@ If you enable this setting, none of the mouse pointer scheme settings can be cha -Available in the latest Windows 10 Insider Preview Build. diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 5b2471b164..63b8ff4f26 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -111,7 +111,6 @@ If you turn this policy setting on, local users won’t be able to set up and us -Available in the latest Windows 10 Insider Preview Build. diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 12856554a1..0b3e24725b 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_EAIME Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -52,7 +52,7 @@ If you disable or do not configure this policy setting, both Publishing Standard This policy setting applies to Japanese Microsoft IME only. -Note: Changes to this setting will not take effect until the user logs off. +**Note**: Changes to this setting will not take effect until the user logs off. @@ -128,7 +128,7 @@ If you disable or do not configure this policy setting, no range of characters a This policy setting applies to Japanese Microsoft IME only. -Note: Changes to this setting will not take effect until the user logs off. +**Note**: Changes to this setting will not take effect until the user logs off. @@ -195,7 +195,7 @@ If you disable or do not configure this policy setting, the custom dictionary ca This policy setting is applied to Japanese Microsoft IME. -Note: Changes to this setting will not take effect until the user logs off. +**Note**: Changes to this setting will not take effect until the user logs off. @@ -259,7 +259,7 @@ If you disable or do not configure this policy setting, history-based predictive This policy setting applies to Japanese Microsoft IME only. -Note: Changes to this setting will not take effect until the user logs off. +**Note**: Changes to this setting will not take effect until the user logs off. @@ -325,7 +325,7 @@ If you disable or do not configure this policy setting, the search integration f This policy setting applies to Japanese Microsoft IME. -Note: Changes to this setting will not take effect until the user logs off. +**Note**: Changes to this setting will not take effect until the user logs off. diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index a2e6109ed4..6a9ecf5e4d 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -170,7 +170,6 @@ Note: When the menu bar is not displayed, users can access the menu bar by press -Available in the latest Windows 10 Insider Preview Build. diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index 5e1a31bd4d..30f0229ac8 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,139 +1,161 @@ --- -title: Policy CSP - ADMX_FramePanes -description: Learn about the Policy CSP - ADMX_FramePanes. +title: ADMX_FramePanes Policy CSP +description: Learn more about the ADMX_FramePanes Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_FramePanes > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    - -## ADMX_FramePanes policies + + + -
    -
    - ADMX_FramePanes/NoReadingPane -
    -
    - ADMX_FramePanes/NoPreviewPane -
    -
    + +## NoPreviewPane + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FramePanes/NoPreviewPane +``` + - -**ADMX_FramePanes/NoReadingPane** - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting shows or hides the Details Pane in File Explorer. -If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user. +If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. -If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user. +If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user. -> [!NOTE] -> This has a side effect of not being able to toggle to the Preview Pane since the two can't be displayed at the same time. +**Note**: This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. -If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. +If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. This is the default policy setting. + -This setting is the default policy setting. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on or off details pane* -- GP name: *NoReadingPane* -- GP path: *Windows Components\File Explorer\Explorer Frame Pane* -- GP ADMX file name: *FramePanes.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_FramePanes/NoPreviewPane** +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NoPreviewPane | +| Friendly Name | Turn on or off details pane | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Explorer Frame Pane | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | FramePanes.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoReadingPane -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_FramePanes/NoReadingPane +``` + - - + + Hides the Preview Pane in File Explorer. -If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user. +If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. -If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user. +If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Preview Pane* -- GP name: *NoPreviewPane* -- GP path: *Windows Components\File Explorer\Explorer Frame Pane* -- GP ADMX file name: *FramePanes.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | NoReadingPane | +| Friendly Name | Turn off Preview Pane | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Explorer Frame Pane | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoReadingPane | +| ADMX File Name | FramePanes.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index 44fac81071..f7308d08d7 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,183 +1,604 @@ --- -title: Policy CSP - ADMX_iSCSI -description: Learn about the Policy CSP - ADMX_iSCSI. +title: ADMX_iSCSI Policy CSP +description: Learn more about the ADMX_iSCSI Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_iSCSI > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_iSCSI policies + +## iSCSIDiscovery_ConfigureiSNSServers -
    -
    - ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins -
    -
    - ADMX_iSCSI/iSCSIGeneral_ChangeIQNName -
    -
    - ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureiSNSServers +``` + -
    + + +If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + - -**ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_ConfigureiSNSServers | +| Friendly Name | Do not allow manual configuration of iSNS servers | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ConfigureiSNSServers | +| ADMX File Name | iSCSI.admx | + -
    + + + - - -If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. + -If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers; existing iSNS servers may be removed. + +## iSCSIDiscovery_ConfigureTargetPortals + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureTargetPortals +``` + - -ADMX Info: -- GP Friendly name: *Do not allow manual configuration of iSNS servers* -- GP name: *iSCSIGeneral_RestrictAdditionalLogins* -- GP path: *System\iSCSI\iSCSI Target Discovery* -- GP ADMX file name: *iSCSI.admx* + + +If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + - - -
    + + + - -**ADMX_iSCSI/iSCSIGeneral_ChangeIQNName** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_ConfigureTargetPortals | +| Friendly Name | Do not allow manual configuration of target portals | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ConfigureTargetPortals | +| ADMX File Name | iSCSI.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. + +## iSCSIDiscovery_ConfigureTargets -If disabled then new target portals may be added and thus new targets discovered on those portals; existing target portals may be removed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_ConfigureTargets +``` + - -ADMX Info: -- GP Friendly name: *Do not allow manual configuration of target portals* -- GP name: *iSCSIGeneral_ChangeIQNName* -- GP path: *System\iSCSI\iSCSI Target Discovery* -- GP ADMX file name: *iSCSI.admx* + + +If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. - - -
    +**Note**: if enabled there may be cases where this will break VDS. + - -**ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_ConfigureTargets | +| Friendly Name | Do not allow manual configuration of discovered targets | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ConfigureTargets | +| ADMX File Name | iSCSI.admx | + -
    + + + - - -If enabled then don't allow the initiator CHAP secret to be changed. + -If disabled then the initiator CHAP secret may be changed. + +## iSCSIDiscovery_NewStaticTargets - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIDiscovery_NewStaticTargets +``` + - -ADMX Info: -- GP Friendly name: *Do not allow changes to initiator CHAP secret* -- GP name: *iSCSISecurity_ChangeCHAPSecret* -- GP path: *System\iSCSI\iSCSI Security* -- GP ADMX file name: *iSCSI.admx* + + +If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. - - -
    +**Note**: if enabled there may be cases where this will break VDS. + + + + - + +**Description framework properties**: -## Related topics +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSIDiscovery_NewStaticTargets | +| Friendly Name | Do not allow adding new targets via manual configuration | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Target Discovery | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | NewStaticTargets | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSIGeneral_ChangeIQNName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIGeneral_ChangeIQNName +``` + + + + +If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSIGeneral_ChangeIQNName | +| Friendly Name | Do not allow changes to initiator iqn name | +| Location | Computer Configuration | +| Path | System > iSCSI > General iSCSI | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ChangeIQNName | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSIGeneral_RestrictAdditionalLogins + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins +``` + + + + +If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSIGeneral_RestrictAdditionalLogins | +| Friendly Name | Do not allow additional session logins | +| Location | Computer Configuration | +| Path | System > iSCSI > General iSCSI | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RestrictAdditionalLogins | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_ChangeCHAPSecret + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret +``` + + + + +If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_ChangeCHAPSecret | +| Friendly Name | Do not allow changes to initiator CHAP secret | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | ChangeCHAPSecret | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_RequireIPSec + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireIPSec +``` + + + + +If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured for IPSec or connections not configured for IPSec may be established. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_RequireIPSec | +| Friendly Name | Do not allow connections without IPSec | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RequireIPSec | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_RequireMutualCHAP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireMutualCHAP +``` + + + + +If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_RequireMutualCHAP | +| Friendly Name | Do not allow sessions without mutual CHAP | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RequireMutualCHAP | +| ADMX File Name | iSCSI.admx | + + + + + + + + + +## iSCSISecurity_RequireOneWayCHAP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_iSCSI/iSCSISecurity_RequireOneWayCHAP +``` + + + + +If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. + +**Note** that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | iSCSISecurity_RequireOneWayCHAP | +| Friendly Name | Do not allow sessions without one way CHAP | +| Location | Computer Configuration | +| Path | System > iSCSI > iSCSI Security | +| Registry Key Name | Software\Policies\Microsoft\Windows\iSCSI | +| Registry Value Name | RequireOneWayCHAP | +| ADMX File Name | iSCSI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index c0cab32903..beb1234d4b 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,206 +1,258 @@ --- -title: Policy CSP - ADMX_kdc -description: Learn about the Policy CSP - ADMX_kdc. +title: ADMX_kdc Policy CSP +description: Learn more about the ADMX_kdc Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_kdc ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_kdc policies + +## CbacAndArmor -
    -
    - ADMX_kdc/CbacAndArmor -
    -
    - ADMX_kdc/ForestSearch -
    -
    - ADMX_kdc/PKINITFreshness -
    -
    - ADMX_kdc/RequestCompoundId -
    -
    - ADMX_kdc/TicketSizeThreshold -
    -
    - ADMX_kdc/emitlili -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/CbacAndArmor +``` + -
    - - -**ADMX_kdc/CbacAndArmor** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. -If you disable or don't configure this policy setting, the domain controller doesn't support claims, compound authentication or armoring. +If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. -If you configure the "Not supported" option, the domain controller doesn't support claims, compound authentication or armoring, which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. +If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. -> [!NOTE] -> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting isn't enabled, Kerberos authentication messages won't use these features. +**Note**: For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features. If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring. -**Domain functional level requirements** - -For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier, then domain controllers behave as if the "Supported" option is selected. +Domain functional level requirements +For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and: - - If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. -> [!WARNING] -> When "Fail unarmored authentication requests" is set, then client computers which don't support Kerberos armoring will fail to authenticate to the domain controller. +**Warning**: When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled). Impact on domain controller performance when this policy setting is enabled: +- Secure Kerberos domain capability discovery is required resulting in additional message exchanges. +- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. +- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size. + -- Secure Kerberos domain capability discovery is required, resulting in more message exchanges. -- Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size. -- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which result in increased processing time, but doesn't change the service ticket size. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *KDC support for claims, compound authentication and Kerberos armoring* -- GP name: *CbacAndArmor* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_kdc/ForestSearch** +| Name | Value | +|:--|:--| +| Name | CbacAndArmor | +| Friendly Name | KDC support for claims, compound authentication and Kerberos armoring | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | EnableCbacAndArmor | +| ADMX File Name | kdc.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## emitlili - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/emitlili +``` + -
    + + +This policy setting controls whether the domain controller provides information about previous logons to client computers. - - +If you enable this policy setting, the domain controller provides the information message about previous logons. + +For Windows Logon to leverage this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. + +If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. + +**Note**: Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | emitlili | +| Friendly Name | Provide information about previous logons to client computers | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | EmitLILI | +| ADMX File Name | kdc.admx | + + + + + + + + + +## ForestSearch + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/ForestSearch +``` + + + + This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the KDC will search the forests in this list if it's unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. +If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. -If you disable or don't configure this policy setting, the KDC won't search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name isn't found, NTLM authentication might be used. +If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_kdc/PKINITFreshness** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForestSearch | +| Friendly Name | Use forest search order | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | UseForestSearch | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PKINITFreshness -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/PKINITFreshness +``` + - - -Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain isn't at Windows Server 2016 DFL or higher, this policy won't be applied. + + +Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. @@ -208,177 +260,174 @@ If you enable this policy setting, the following options are supported: Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID. -Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients that don't support the PKInit Freshness Extension will always fail when using public key credentials. +Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials. -If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. +If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *KDC support for PKInit Freshness Extension* -- GP name: *PKINITFreshness* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_kdc/RequestCompoundId** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PKINITFreshness | +| Friendly Name | KDC support for PKInit Freshness Extension | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RequestCompoundId -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/RequestCompoundId +``` + - - + + This policy setting allows you to configure a domain controller to request compound authentication. -> [!NOTE] -> For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. +**Note**: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. -If you disable or don't configure this policy setting, domain controllers will return service tickets that contain compound authentication anytime the client sends a compound authentication request regardless of the account configuration. +If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Request compound authentication* -- GP name: *RequestCompoundId* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_kdc/TicketSizeThreshold** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RequestCompoundId | +| Friendly Name | Request compound authentication | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | RequestCompoundId | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TicketSizeThreshold -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_kdc/TicketSizeThreshold +``` + - - + + This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. -If you enable this policy setting, you can set the threshold limit for Kerberos ticket, which triggers the warning events. If set too high, then authentication failures might be occurring even though warning events aren't being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you aren't configuring using Group Policy. +If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. -If you disable or don't configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. +If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Warning for large Kerberos tickets* -- GP name: *TicketSizeThreshold* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_kdc/emitlili** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TicketSizeThreshold | +| Friendly Name | Warning for large Kerberos tickets | +| Location | Computer Configuration | +| Path | System > KDC | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters | +| Registry Value Name | EnableTicketSizeThreshold | +| ADMX File Name | kdc.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting controls whether the domain controller provides information about previous logons to client computers. - -If you enable this policy setting, the domain controller provides the information message about previous logons. - -For Windows Logon to use this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. - -If you disable or don't configure this policy setting, the domain controller doesn't provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. - -> [!NOTE] -> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting doesn't affect anything. - - - - - -ADMX Info: -- GP Friendly name: *Provide information about previous logons to client computers* -- GP name: *emitlili* -- GP path: *System/KDC* -- GP ADMX file name: *kdc.admx* - - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From a892ffe5be00e16680619ee0c6e4d3dc98dcb598 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Tue, 3 Jan 2023 17:34:51 -0500 Subject: [PATCH 102/152] terminalserver thumbnails touchinput --- .../mdm/policy-csp-admx-terminalserver.md | 8688 +++++++++-------- .../mdm/policy-csp-admx-thumbnails.md | 286 +- .../mdm/policy-csp-admx-touchinput.md | 441 +- 3 files changed, 5153 insertions(+), 4262 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 458bfb9ffe..ac9e54106c 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,967 +1,681 @@ --- -title: Policy CSP - ADMX_TerminalServer -description: Learn about Policy CSP - ADMX_TerminalServer. +title: ADMX_TerminalServer Policy CSP +description: Learn more about the ADMX_TerminalServer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/21/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TerminalServer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_TerminalServer policies + +## TS_AUTO_RECONNECT -
    -
    - ADMX_TerminalServer/TS_AUTO_RECONNECT -
    -
    - ADMX_TerminalServer/TS_CAMERA_REDIRECTION -
    -
    - ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE -
    -
    - ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY -
    -
    - ADMX_TerminalServer/TS_CLIENT_CLIPBOARD -
    -
    - ADMX_TerminalServer/TS_CLIENT_COM -
    -
    - ADMX_TerminalServer/TS_CLIENT_DEFAULT_M -
    -
    - ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE -
    -
    - ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_LPT -
    -
    - ADMX_TerminalServer/TS_CLIENT_PNP -
    -
    - ADMX_TerminalServer/TS_CLIENT_PRINTER -
    -
    - ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 -
    -
    - ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -
    -
    - ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP -
    -
    - ADMX_TerminalServer/TS_COLORDEPTH -
    -
    - ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES -
    -
    - ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER -
    -
    - ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU -
    -
    - ADMX_TerminalServer/TS_EASY_PRINT -
    -
    - ADMX_TerminalServer/TS_EASY_PRINT_User -
    -
    - ADMX_TerminalServer/TS_EnableVirtualGraphics -
    -
    - ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE -
    -
    - ADMX_TerminalServer/TS_FORCIBLE_LOGOFF -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -
    -
    - ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -
    -
    - ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
    -
    - ADMX_TerminalServer/TS_KEEP_ALIVE -
    -
    - ADMX_TerminalServer/TS_LICENSE_SECGROUP -
    -
    - ADMX_TerminalServer/TS_LICENSE_SERVERS -
    -
    - ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
    -
    - ADMX_TerminalServer/TS_LICENSING_MODE -
    -
    - ADMX_TerminalServer/TS_MAX_CON_POLICY -
    -
    - ADMX_TerminalServer/TS_MAXDISPLAYRES -
    -
    - ADMX_TerminalServer/TS_MAXMONITOR -
    -
    - ADMX_TerminalServer/TS_NoDisconnectMenu -
    -
    - ADMX_TerminalServer/TS_NoSecurityMenu -
    -
    - ADMX_TerminalServer/TS_PreventLicenseUpgrade -
    -
    - ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP -
    -
    - ADMX_TerminalServer/TS_RADC_DefaultConnection -
    -
    - ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration -
    -
    - ADMX_TerminalServer/TS_RemoteControl_1 -
    -
    - ADMX_TerminalServer/TS_RemoteControl_2 -
    -
    - ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics -
    -
    - ADMX_TerminalServer/TS_SD_ClustName -
    -
    - ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS -
    -
    - ADMX_TerminalServer/TS_SD_Loc -
    -
    - ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY -
    -
    - ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT -
    -
    - ADMX_TerminalServer/TS_SELECT_TRANSPORT -
    -
    - ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -
    -
    - ADMX_TerminalServer/TS_SERVER_AUTH -
    -
    - ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED -
    -
    - ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED -
    -
    - ADMX_TerminalServer/TS_SERVER_COMPRESSOR -
    -
    - ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY -
    -
    - ADMX_TerminalServer/TS_SERVER_LEGACY_RFX -
    -
    - ADMX_TerminalServer/TS_SERVER_PROFILE -
    -
    - ADMX_TerminalServer/TS_SERVER_VISEXP -
    -
    - ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER -
    -
    - ADMX_TerminalServer/TS_Session_End_On_Limit_1 -
    -
    - ADMX_TerminalServer/TS_Session_End_On_Limit_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Limits_1 -
    -
    - ADMX_TerminalServer/TS_SESSIONS_Limits_2 -
    -
    - ADMX_TerminalServer/TS_SINGLE_SESSION -
    -
    - ADMX_TerminalServer/TS_SMART_CARD -
    -
    - ADMX_TerminalServer/TS_START_PROGRAM_1 -
    -
    - ADMX_TerminalServer/TS_START_PROGRAM_2 -
    -
    - ADMX_TerminalServer/TS_TEMP_DELETE -
    -
    - ADMX_TerminalServer/TS_TEMP_PER_SESSION -
    -
    - ADMX_TerminalServer/TS_TIME_ZONE -
    -
    - ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY -
    -
    - ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP -
    -
    - ADMX_TerminalServer/TS_UIA -
    -
    - ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE -
    -
    - ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY -
    -
    - ADMX_TerminalServer/TS_USER_HOME -
    -
    - ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES -
    -
    - ADMX_TerminalServer/TS_USER_PROFILES -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_AUTO_RECONNECT +``` + - -**ADMX_TerminalServer/TS_AUTO_RECONNECT** + + +Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are made at five second intervals. - +If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If the status is set to Disabled, automatic reconnection of clients is prohibited. - -
    +If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -By default, a maximum of 20 reconnection attempts are made at five-second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. +**ADMX mapping**: -If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection isn't specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. +| Name | Value | +|:--|:--| +| Name | TS_AUTO_RECONNECT | +| Friendly Name | Automatic reconnection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableAutoReconnect | +| ADMX File Name | TerminalServer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Automatic reconnection* -- GP name: *TS_AUTO_RECONNECT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + - - + +## TS_CAMERA_REDIRECTION + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CAMERA_REDIRECTION +``` + - -**ADMX_TerminalServer/TS_CAMERA_REDIRECTION** + + +This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session. - +By default, Remote Desktop Services allows redirection of video capture devices. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. - -
    +If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of video capture devices. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you enable this policy setting, users can't redirect their video capture devices to the remote computer. +**ADMX mapping**: -If you disable or don't configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. +| Name | Value | +|:--|:--| +| Name | TS_CAMERA_REDIRECTION | +| Friendly Name | Do not allow video capture redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCameraRedir | +| ADMX File Name | TerminalServer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow video capture redirection* -- GP name: *TS_CAMERA_REDIRECTION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + - - + +## TS_CERTIFICATE_TEMPLATE_POLICY + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY +``` + - -**ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. -If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate hasn't been selected. +If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. -If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or don't configure this policy, the certificate template name isn't specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. +If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. ->[!NOTE] ->If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. +If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. - +Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. + - -ADMX Info: -- GP Friendly name: *Server authentication certificate template* -- GP name: *TS_CERTIFICATE_TEMPLATE_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CERTIFICATE_TEMPLATE_POLICY | +| Friendly Name | Server authentication certificate template | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_ALLOW_SIGNED_FILES_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 +``` + + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. +**ADMX mapping**: -This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying a .rdp file). +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_SIGNED_FILES | +| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowSignedFiles | +| ADMX File Name | TerminalServer.admx | + -If you enable or don't configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + + + -If you disable this policy setting, users can't run .rdp files that are signed with a valid certificate. Additionally, users can't start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + +## TS_CLIENT_ALLOW_UNSIGNED_FILES_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 +``` + - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. - -This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection (RDC) client without specifying a .rdp file). - -If you enable or don't configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - -If you disable this policy setting, users can't run .rdp files that are signed with a valid certificate. Additionally, users can't start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. - - - - -ADMX Info: -- GP Friendly name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or don't configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users can't run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + - + + + - -ADMX Info: -- GP Friendly name: *Allow .rdp files from unknown publishers* -- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES | +| Friendly Name | Allow .rdp files from unknown publishers | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowUnsignedFiles | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_AUDIO - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_AUDIO +``` + -
    - - - -This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. - -If you enable or don't configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. - -If you disable this policy setting, users can't run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. - - - - -ADMX Info: -- GP Friendly name: *Allow .rdp files from unknown publishers* -- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_AUDIO** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. +Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. -Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the video playback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. - -By default, audio and video playback redirection isn't allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. +By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. If you enable this policy setting, audio and video playback redirection is allowed. -If you disable this policy setting, audio and video playback redirection isn't allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you don't configure this policy setting, audio and video playback redirection isn't specified at the Group Policy level. +If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. - +If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. + - -ADMX Info: -- GP Friendly name: *Allow audio and video playback redirection* -- GP name: *TS_CLIENT_AUDIO* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_AUDIO | +| Friendly Name | Allow audio and video playback redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCam | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_AUDIO_CAPTURE -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE +``` + - - -This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). + + +This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. +Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an audio input device on the local computer, such as a built-in microphone. -Users can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirection isn't allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. +By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. If you enable this policy setting, audio recording redirection is allowed. -If you disable this policy setting, audio recording redirection isn't allowed, even if audio recording redirection is specified in RDC. If you don't configure this policy setting, Audio recording redirection isn't specified at the Group Policy level. +If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. - +If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. + - -ADMX Info: -- GP Friendly name: *Allow audio recording redirection* -- GP name: *TS_CLIENT_AUDIO_CAPTURE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_AUDIO_CAPTURE | +| Friendly Name | Allow audio recording redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableAudioCapture | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_AUDIO_QUALITY -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY +``` + - - -This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of the following values: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This audio transmission requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. + + +This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. -If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. +If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. -For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. +The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. -If you disable or don't configure this policy setting, audio playback quality will be set to Dynamic. +If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. + - + + + - -ADMX Info: -- GP Friendly name: *Limit audio playback quality* -- GP name: *TS_CLIENT_AUDIO_QUALITY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_CLIPBOARD** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_AUDIO_QUALITY | +| Friendly Name | Limit audio playback quality | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_CLIPBOARD - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_CLIPBOARD +``` + -
    - - - + + This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. -If you enable this policy setting, users can't redirect Clipboard data. +If you enable this policy setting, users cannot redirect Clipboard data. If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. -If you don't configure this policy setting, Clipboard redirection isn't specified at the Group Policy level. +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Clipboard redirection* -- GP name: *TS_CLIENT_CLIPBOARD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_COM** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_CLIPBOARD | +| Friendly Name | Do not allow Clipboard redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableClip | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_COM - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_COM +``` + -
    - - - + + This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. -You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they're logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. +You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. -If you enable this policy setting, users can't redirect server data to the local COM port. +If you enable this policy setting, users cannot redirect server data to the local COM port. If you disable this policy setting, Remote Desktop Services always allows COM port redirection. -If you don't configure this policy setting, COM port redirection isn't specified at the Group Policy level. +If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow COM port redirection* -- GP name: *TS_CLIENT_COM* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_DEFAULT_M** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_COM | +| Friendly Name | Do not allow COM port redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCcm | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_DEFAULT_M - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DEFAULT_M +``` + -
    - - - + + This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. @@ -970,3967 +684,5063 @@ If you enable this policy setting, the default printer is the printer specified If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. -If you don't configure this policy setting, the default printer isn't specified at the Group Policy level. +If you do not configure this policy setting, the default printer is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not set default client printer to be default printer in a session* -- GP name: *TS_CLIENT_DEFAULT_M* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DEFAULT_M | +| Friendly Name | Do not set default client printer to be default printer in a session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fForceClientLptDef | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_DISABLE_HARDWARE_MODE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE +``` + -
    + + +This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. + - - -This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. + + + -If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you've a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you'll know that there are more issues to investigate. + +**Description framework properties**: -If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Do not allow hardware accelerated decoding* -- GP name: *TS_CLIENT_DISABLE_HARDWARE_MODE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_HARDWARE_MODE | +| Friendly Name | Do not allow hardware accelerated decoding | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client | +| Registry Value Name | EnableHardwareMode | +| ADMX File Name | TerminalServer.admx | + + + + -
    + - -**ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1** + +## TS_CLIENT_LPT - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_LPT +``` + - -
    + + +This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. -> [!div class = "checklist"] -> * User +If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. -
    +If you disable this policy setting, LPT port redirection is always allowed. - - -This policy specifies whether to allow Remote Desktop Connection Controls whether a user can save passwords using Remote Desktop Connection. +If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. + -If you enable this setting, the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When users open an RDP file using Remote Desktop Connection and save their settings, any password that previously existed in the RDP file will be deleted. + + + -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_LPT | +| Friendly Name | Do not allow LPT port redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableLPT | +| ADMX File Name | TerminalServer.admx | + -
    + + + - -**ADMX_TerminalServer/TS_CLIENT_LPT** + - + +## TS_CLIENT_PNP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_PNP +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. - -If you enable this policy setting, users in a Remote Desktop Services session can't redirect server data to the local LPT port. - -If you disable this policy setting, LPT port redirection is always allowed. If you don't configure this policy setting, LPT port redirection isn't specified at the Group Policy level. - - - - -ADMX Info: -- GP Friendly name: *Do not allow LPT port redirection* -- GP name: *TS_CLIENT_LPT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_PNP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services doesn't allow redirection of supported Plug and Play and RemoteFX USB devices. +By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. -If you enable this policy setting, users can't redirect their supported Plug and Play devices to the remote computer. If you don't configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it's running Windows Server 2012 R2 and earlier versions. +If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. ->[!NOTE] ->You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. +Note: You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow supported Plug and Play device redirection* -- GP name: *TS_CLIENT_PNP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_PRINTER** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_PNP | +| Friendly Name | Do not allow supported Plug and Play device redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisablePNPRedir | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_PRINTER - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_PRINTER +``` + -
    + + +This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. - - -This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. +You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. -If you enable this policy setting, users can't redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. +If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. If you disable this policy setting, users can redirect print jobs with client printer mapping. -If you don't configure this policy setting, client printer mapping isn't specified at the Group Policy level. +If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow client printer redirection* -- GP name: *TS_CLIENT_PRINTER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_PRINTER | +| Friendly Name | Do not allow client printer redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableCpm | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 +``` + -
    - - - + + This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user doesn't receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. +Notes: -If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. +You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. -This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that isn't a certificate thumbprint, it's ignored. +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. - +If the list contains a string that is not a certificate thumbprint, it is ignored. + - -ADMX Info: -- GP Friendly name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* -- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS | +| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_CLIENT_TURN_OFF_UDP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP +``` + - - -This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. - -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user doesn't receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. - -If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. - ->[!NOTE] ->You can define this policy setting in the Computer Configuration node or in the User Configuration node. - -If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. - -This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that isn't a certificate thumbprint, it's ignored. - - - - -ADMX Info: -- GP Friendly name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* -- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. -If you disable or don't configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. +If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. + - + + + - -ADMX Info: -- GP Friendly name: *Turn Off UDP On Client* -- GP name: *TS_CLIENT_TURN_OFF_UDP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_COLORDEPTH** +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TURN_OFF_UDP | +| Friendly Name | Turn Off UDP On Client | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client | +| Registry Value Name | fClientDisableUDP | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_COLORDEPTH - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_COLORDEPTH +``` + -
    + + +This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. - - -This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. +You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. -If you disable or don't configure this policy setting, the color depth for connections isn't specified at the Group Policy level. +If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. ->[!NOTE] -> 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. ->2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. ->3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: -> - a. Value specified by this policy setting -> - b. Maximum color depth supported by the client -> - c. Value requested by the client If the client doesn't support at least 16 bits, the connection is terminated. +Note: +1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. +2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. +3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: +a. Value specified by this policy setting +b. Maximum color depth supported by the client +c. Value requested by the client - +If the client does not support at least 16 bits, the connection is terminated. + - -ADMX Info: -- GP Friendly name: *Limit maximum color depth* -- GP name: *TS_COLORDEPTH* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_COLORDEPTH | +| Friendly Name | Limit maximum color depth | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_DELETE_ROAMING_USER_PROFILES -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES +``` + - - -This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. + + +This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. ->[!NOTE] ->If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. +Note: If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. -If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. +If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. -When the size of the entire roaming user profile cache exceeds the maximum size that you've specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. +If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. -If you disable or don't configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. +Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. + - + + + - -ADMX Info: -- GP Friendly name: *Limit the size of the entire roaming user profile cache* -- GP name: *TS_DELETE_ROAMING_USER_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER** +| Name | Value | +|:--|:--| +| Name | TS_DELETE_ROAMING_USER_PROFILES | +| Friendly Name | Limit the size of the entire roaming user profile cache | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DeleteRoamingUserProfile | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_DISABLE_REMOTE_DESKTOP_WALLPAPER - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER +``` + -
    + + +Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. - - -This policy specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. - -You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 don't display wallpaper by default to Remote Desktop Services sessions. +You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessions. If the status is set to Enabled, wallpaper never appears in a Remote Desktop Services session. -If the status is set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client configuration. If the status is set to Not Configured, the default behavior applies. +If the status is set to Disabled, wallpaper might appear in a Remote Desktop Services session, depending on the client configuration. - +If the status is set to Not Configured, the default behavior applies. + - -ADMX Info: -- GP Friendly name: *Enforce Removal of Remote Desktop Wallpaper* -- GP name: *TS_DISABLE_REMOTE_DESKTOP_WALLPAPER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_DISABLE_REMOTE_DESKTOP_WALLPAPER | +| Friendly Name | Enforce Removal of Remote Desktop Wallpaper | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fNoRemoteDesktopWallpaper | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_DX_USE_FULL_HWGPU -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU +``` + + + + +This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. + +If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. -If you don't configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. +If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. ->[!NOTE] ->The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session isn't affected by this policy setting. +NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Use hardware graphics adapters for all Remote Desktop Services sessions* -- GP name: *TS_DX_USE_FULL_HWGPU* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_EASY_PRINT** +| Name | Value | +|:--|:--| +| Name | TS_DX_USE_FULL_HWGPU | +| Friendly Name | Use hardware graphics adapters for all Remote Desktop Services sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | bEnumerateHWBeforeSW | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_EASY_PRINT - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT +``` + -
    - - - + + This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or don't configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver can't be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server doesn't have a printer driver that matches the client printer, the client printer isn't available for the Remote Desktop session. +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doesn't have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver can't be used, the client printer isn't available for the Remote Desktop Services session. +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. ->[!NOTE] ->If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. +Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + - + + + - -ADMX Info: -- GP Friendly name: *Use Remote Desktop Easy Print printer driver first* -- GP name: *TS_EASY_PRINT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_EASY_PRINT_User** +| Name | Value | +|:--|:--| +| Name | TS_EASY_PRINT | +| Friendly Name | Use Remote Desktop Easy Print printer driver first | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseUniversalPrinterDriverFirst | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_EnableVirtualGraphics - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EnableVirtualGraphics +``` + -
    + + +This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. - - -This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. +When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. -If you enable or don't configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver can't be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server doesn't have a printer driver that matches the client printer, the client printer isn't available for the Remote Desktop session. - -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doesn't have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver can't be used, the client printer isn't available for the Remote Desktop Services session. - ->[!NOTE] ->If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. - - - - -ADMX Info: -- GP Friendly name: *Use Remote Desktop Easy Print printer driver first* -- GP name: *TS_EASY_PRINT_User* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - - -
    - - -**ADMX_TerminalServer/TS_EnableVirtualGraphics** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). - -By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. +When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. If you disable this policy setting, RemoteFX will be disabled. -If you don't configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. +If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + - + + + - -ADMX Info: -- GP Friendly name: *Configure RemoteFX* -- GP name: *TS_EnableVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE** +| Name | Value | +|:--|:--| +| Name | TS_EnableVirtualGraphics | +| Friendly Name | Configure RemoteFX | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > RemoteFX for Windows Server 2008 R2 | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableVirtualizedGraphics | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_FALLBACKPRINTDRIVERTYPE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE +``` + -
    + + +This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. - - -This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server doesn't have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. +By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. -If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one isn't found, the client's printer isn't available. You can choose to change this default behavior. The available options are: +If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: -- **Do nothing if one is not found** - If there's a printer driver mismatch, the server will attempt to find a suitable driver. If one isn't found, the client's printer isn't available. This behavior is the default behavior. -- **Default to PCL if one is not found** - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. -- **Default to PS if one is not found**- If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. -- **Show both PCL and PS if one is not found**- If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. +"Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. -If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server won't attempt to use the fallback printer driver. If you don't configure this policy setting, the fallback printer driver behavior is off by default. +"Default to PCL if one is not found" - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. ->[!NOTE] ->If the **Do not allow client printer redirection** setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. +"Default to PS if one is not found" - If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. - +"Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. - -ADMX Info: -- GP Friendly name: *Specify RD Session Host server fallback printer driver behavior* -- GP name: *TS_FALLBACKPRINTDRIVERTYPE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* +If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. - - +If you do not configure this policy setting, the fallback printer driver behavior is off by default. +Note: If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. + -
    + + + - -**ADMX_TerminalServer/TS_FORCIBLE_LOGOFF** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | TS_FALLBACKPRINTDRIVERTYPE | +| Friendly Name | Specify RD Session Host server fallback printer driver behavior | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fPolicyFallbackPrintDriver | +| ADMX File Name | TerminalServer.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting determines whether an administrator attempting to connect remotely to the console of a server can sign out an administrator currently signed in to the console. This policy is useful when the currently connected administrator doesn't want to be signed out by another administrator. If the connected administrator is signed out, any data not previously saved is lost. + +## TS_FORCIBLE_LOGOFF -If you enable this policy setting, signing out the connected administrator isn't allowed. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable or don't configure this policy setting, signing out the connected administrator is allowed. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_FORCIBLE_LOGOFF +``` + ->[!NOTE] ->The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. + + +This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. - +This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. - -ADMX Info: -- GP Friendly name: *Deny logoff of an administrator logged in to the console session* -- GP name: *TS_FORCIBLE_LOGOFF* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* +If you enable this policy setting, logging off the connected administrator is not allowed. - - +If you disable or do not configure this policy setting, logging off the connected administrator is allowed. -
    +Note: The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. + - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy setting, when Remote Desktop Connection can't connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. - -In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. - -By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client can't connect directly to the remote computer. - -To enhance security, it's also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you don't specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. - -When you enable this setting, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify a connection method, the connection method that you specify in this policy setting is used by default. - -If you disable or don't configure this policy setting, clients won't use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - -ADMX Info: -- GP Friendly name: *Enable connection through RD Gateway* -- GP name: *TS_GATEWAY_POLICY_ENABLE* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. - -By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you enable this setting, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. - -If you disable or don't configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method isn't specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. - - - - - - -ADMX Info: -- GP Friendly name: *Set RD Gateway authentication method* -- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. - -By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - ->[!NOTE] ->It's highly recommended that you also specify the authentication method by using the **Set RD Gateway authentication method** policy setting. If you don't specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite the **Set RD Gateway server address** policy setting and connect to another RD Gateway server, you must select the **Allow users to change this setting** check box and users will be allowed to specify an alternate RD Gateway server. - -Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. - ->[!NOTE] ->If you disable or don't configure this policy setting, but enable the **Enable connections through RD Gateway** policy setting, client connection attempts to any remote computer will fail, if the client can't connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - -ADMX Info: -- GP Friendly name: *Set RD Gateway server address* -- GP name: *TS_GATEWAY_POLICY_SERVER* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - -**ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +| Name | Value | +|:--|:--| +| Name | TS_FORCIBLE_LOGOFF | +| Friendly Name | Deny logoff of an administrator logged in to the console session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fDisableForcibleLogoff | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_JOIN_SESSION_DIRECTORY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY +``` + + + + This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. -If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. +If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. -If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level. +If the policy setting is not configured, the policy setting is not specified at the Group Policy level. ->[!NOTE] ->1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. ->2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +Notes: - +1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. - -ADMX Info: -- GP Friendly name: *Join RD Connection Broker* -- GP name: *TS_JOIN_SESSION_DIRECTORY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* +2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + - - + + + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_KEEP_ALIVE** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_JOIN_SESSION_DIRECTORY | +| Friendly Name | Join RD Connection Broker | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | SessionDirectoryActive | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_KEEP_ALIVE -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_KEEP_ALIVE +``` + + + + This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. -After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client signs in to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. +After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. -If you disable or don't configure this policy setting, a keep-alive interval isn't set and the server won't check the session state. +If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. + - + + + - -ADMX Info: -- GP Friendly name: *Configure keep-alive connection interval* -- GP name: *TS_KEEP_ALIVE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_LICENSE_SECGROUP** +| Name | Value | +|:--|:--| +| Name | TS_KEEP_ALIVE | +| Friendly Name | Configure keep-alive connection interval | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | KeepAliveEnable | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_LICENSE_SECGROUP - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSE_SECGROUP +``` + -
    - - - + + This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. -If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. +If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. -If you disable or don't configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group isn't deleted or changed in any way by disabling or not configuring this policy setting. +By default, the RDS Endpoint Servers group is empty. ->[!NOTE] ->You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. +If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. - +Note: You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. + - -ADMX Info: -- GP Friendly name: *License server security group* -- GP name: *TS_LICENSE_SECGROUP* -- GP path: *Windows Components\Remote Desktop Services\RD Licensing* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_LICENSE_SERVERS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_LICENSE_SECGROUP | +| Friendly Name | License server security group | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > RD Licensing | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fSecureLicensing | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_LICENSE_SERVERS -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSE_SERVERS +``` + - - + + This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. -If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers can't be located, the RD Session Host server will attempt automatic license server discovery. +If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: -In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. + 2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. -1If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level. +If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Use the specified Remote Desktop license servers* -- GP name: *TS_LICENSE_SERVERS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_LICENSE_TOOLTIP** +| Name | Value | +|:--|:--| +| Name | TS_LICENSE_SERVERS | +| Friendly Name | Use the specified Remote Desktop license servers | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_LICENSE_TOOLTIP - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSE_TOOLTIP +``` + -
    - - - + + This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. -By default, notifications are displayed on an RD Session Host server after you sign in as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. +By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. -If you enable this policy setting, these notifications won't be displayed on the RD Session Host server. +If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. -If you disable or don't configure this policy setting, these notifications will be displayed on the RD Session Host server after you sign in as a local administrator. +If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. + - + + + - -ADMX Info: -- GP Friendly name: *Hide notifications about RD Licensing problems that affect the RD Session Host server* -- GP name: *TS_LICENSE_TOOLTIP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_LICENSING_MODE** +| Name | Value | +|:--|:--| +| Name | TS_LICENSE_TOOLTIP | +| Friendly Name | Hide notifications about RD Licensing problems that affect the RD Session Host server | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_LICENSING_MODE - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_LICENSING_MODE +``` + -
    - - - + + This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. -You can use this policy setting to select one of three licensing modes: Per User, Per Device, and Azure Active Directory Per User. -- Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. -- Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. -- Azure AD Per User licensing mode requires that each user account connecting to this RD Session Host server have a service plan that supports RDS licenses assigned in Azure AD. +You can use this policy setting to select one of two licensing modes: Per User or Per Device. + +Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. + +Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. -If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level. +If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Set the Remote Desktop licensing mode* -- GP name: *TS_LICENSING_MODE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_MAX_CON_POLICY** +| Name | Value | +|:--|:--| +| Name | TS_LICENSING_MODE | +| Friendly Name | Set the Remote Desktop licensing mode | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_MAX_CON_POLICY - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_MAX_CON_POLICY +``` + -
    + + +Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. - - -This policy specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, other users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. - -By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. +You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999. If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remote Desktop Services running on the server. -If the status is set to Disabled or Not Configured, limits to the number of connections aren't enforced at the Group Policy level. +If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. ->[!NOTE] ->This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). +Note: This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). + - + + + - -ADMX Info: -- GP Friendly name: *Limit number of connections* -- GP name: *TS_MAX_CON_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_MAXDISPLAYRES** +| Name | Value | +|:--|:--| +| Name | TS_MAX_CON_POLICY | +| Friendly Name | Limit number of connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_MAXDISPLAYRES - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_MAXDISPLAYRES +``` + -
    - - - + + This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. -If you disable or don't configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. +If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. + - + + + - -ADMX Info: -- GP Friendly name: *Limit maximum display resolution* -- GP name: *TS_MAXDISPLAYRES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_MAXMONITOR** +| Name | Value | +|:--|:--| +| Name | TS_MAXDISPLAYRES | +| Friendly Name | Limit maximum display resolution | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_MAXMONITOR - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_MAXMONITOR +``` + -
    - - - + + This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. -If you disable or don't configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session isn't specified at the Group Policy level. +If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Limit number of monitors* -- GP name: *TS_MAXMONITOR* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_NoDisconnectMenu** +| Name | Value | +|:--|:--| +| Name | TS_MAXMONITOR | +| Friendly Name | Limit number of monitors | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_NoDisconnectMenu - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_NoDisconnectMenu +``` + -
    + + +This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. - - -This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. +You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. -If you enable this policy setting, "Disconnect" doesn't appear as an option in the drop-down list in the Shut Down Windows dialog box. +If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. -If you disable or don't configure this policy setting, "Disconnect" isn't removed from the list in the Shut Down Windows dialog box. +If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. ->[!NOTE] ->This policy setting affects only the Shut Down Windows dialog box. It doesn't prevent users from using other methods to disconnect from a Remote Desktop Services session. +Note: This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. + -This policy setting also doesn't prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the **Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions** policy setting. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Disconnect" option from Shut Down dialog* -- GP name: *TS_NoDisconnectMenu* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | TS_NoDisconnectMenu | +| Friendly Name | Remove "Disconnect" option from Shut Down dialog | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDisconnect | +| ADMX File Name | TerminalServer.admx | + - -**ADMX_TerminalServer/TS_NoSecurityMenu** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_NoSecurityMenu - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_NoSecurityMenu +``` + -> [!div class = "checklist"] -> * Device + + +Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. -
    - - - -This policy specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. - -If the status is set to Enabled, Windows Security doesn't appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. +If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Windows Security item from Start menu* -- GP name: *TS_NoSecurityMenu* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_TerminalServer/TS_PreventLicenseUpgrade** +| Name | Value | +|:--|:--| +| Name | TS_NoSecurityMenu | +| Friendly Name | Remove Windows Security item from Start menu | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNTSecurity | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_PreventLicenseUpgrade - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_PreventLicenseUpgrade +``` + -
    - - - + + This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. A license server attempts to provide the most appropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. -By default, if the most appropriate RDS CAL isn't available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following types of clients: -- A client connecting to a Windows Server 2003 terminal server -- A client connecting to a Windows 2000 terminal server +By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: -If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server isn't available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client won't be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server hasn't expired. +* A client connecting to a Windows Server 2003 terminal server +* A client connecting to a Windows 2000 terminal server -If you disable or don't configure this policy setting, the license server will exhibit the default behavior noted earlier. +If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. - +If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. + - -ADMX Info: -- GP Friendly name: *Prevent license upgrade* -- GP name: *TS_PreventLicenseUpgrade* -- GP path: *Windows Components\Remote Desktop Services\RD Licensing* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_PreventLicenseUpgrade | +| Friendly Name | Prevent license upgrade | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > RD Licensing | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fPreventLicenseUpgrade | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_PROMT_CREDS_CLIENT_COMP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP +``` + - - + + This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. -If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user won't be prompted to provide credentials. +If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. + +Note: If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. + +If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. + ->[!NOTE] ->If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. + + + -If you disable or don't configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. + +**Description framework properties**: -For Windows Server 2003 and Windows 2000 Server, a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_PROMT_CREDS_CLIENT_COMP | +| Friendly Name | Prompt for credentials on the client computer | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | PromptForCredsOnClient | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_RDSAppX_WaitForRegistration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration +``` + + + + +This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. + +By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. + +If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. + +If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RDSAppX_WaitForRegistration | +| Friendly Name | Suspend user sign-in to complete app registration | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllUserInstallAgent | +| Registry Value Name | LogonWaitForPackageRegistration | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_RemoteControl_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_2 +``` + + + + +If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RemoteControl | +| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Prompt for credentials on the client computer* -- GP name: *TS_PROMT_CREDS_CLIENT_COMP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* + - - + +## TS_RemoteDesktopVirtualGraphics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics +``` + + + + +This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. + +Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). + +If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. + +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). + + + + + + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RemoteDesktopVirtualGraphics | +| Friendly Name | Optimize visual experience when using RemoteFX | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > RemoteFX for Windows Server 2008 R2 | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Terminal Services\ | +| ADMX File Name | TerminalServer.admx | + - -**ADMX_TerminalServer/TS_RADC_DefaultConnection** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_SD_ClustName - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SD_ClustName +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. -> [!div class = "checklist"] -> * User +If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. -
    +If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. - - +If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. + +Notes: -This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of [http://contoso.com/rdweb/Feed/webfeed.aspx](http://contoso.com/rdweb/Feed/webfeed.aspx). +1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. -- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user can't change the default connection URL. The user's default sign-in credentials are used when setting up the default connection URL. +2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + -- If you disable or don't configure this policy setting, the user has no default connection URL. + + + -RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Specify default connection URL* -- GP name: *TS_RADC_DefaultConnection* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* +| Name | Value | +|:--|:--| +| Name | TS_SD_ClustName | +| Friendly Name | Configure RD Connection Broker farm name | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - - -
    + + + - -**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** + - + +## TS_SD_EXPOSE_ADDRESS -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - -This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. - -- If you enable this policy setting, user sign in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. - -- If you disable or don't configure this policy setting, the Start screen is shown and apps are registered in the background. - - - - - - -ADMX Info: -- GP Friendly name: *Suspend user sign-in to complete app registration* -- GP name: *TS_RDSAppX_WaitForRegistration* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_RemoteControl_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. - -To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. - - - - - - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* -- GP name: *TS_RemoteControl_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_RemoteControl_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. - -To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service. - - - - - - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers* -- GP name: *TS_RemoteControl_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. - -You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). -If you've a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. - -By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. - -If you disable or don't configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). - - - - -ADMX Info: -- GP Friendly name: *Optimize visual experience when using RemoteFX* -- GP name: *TS_RemoteDesktopVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - -**ADMX_TerminalServer/TS_SD_ClustName** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. - -Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name doesn't have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. - -- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. - -- If you disable or don't configure this policy setting, the farm name isn't specified at the Group Policy level. - -> [!NOTE] -> This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. - -For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - - - - -ADMX Info: -- GP Friendly name: *Configure RD Connection Broker farm name* -- GP name: *TS_SD_ClustName* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - - -
    - - -**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. -- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. +If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. -- If you disable this policy setting, the IP address of the RD Session Host server isn't sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you don't want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. +If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. -If you don't configure this policy setting, the Use IP address redirection policy setting isn't enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. +If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. -> [!NOTE] -> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +Notes: - +1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + - -ADMX Info: -- GP Friendly name: *Use IP Address Redirection* -- GP name: *TS_SD_EXPOSE_ADDRESS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_TerminalServer/TS_SD_Loc** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TS_SD_EXPOSE_ADDRESS | +| Friendly Name | Use IP Address Redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | SessionDirectoryExposeServerIP | +| ADMX File Name | TerminalServer.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TS_SD_Loc - - -This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. -The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -- If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SD_Loc +``` + -- If you disable or don't configure this policy setting, the policy setting isn't specified at the Group Policy level. + + +This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. +If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. -> [!NOTE] -> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. -> This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled. -> To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. +If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. +Notes: - +1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - -ADMX Info: -- GP Friendly name: *Configure RD Connection Broker server name* -- GP name: *TS_SD_Loc* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* +2. This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. - - +3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + -
    + + + - -**ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | TS_SD_Loc | +| Friendly Name | Configure RD Connection Broker server name | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > RD Connection Broker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## TS_SECURITY_LAYER_POLICY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY +``` + + + + This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. -- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. +If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: -The following security methods are available: +* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -- **Negotiate**: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it's used to authenticate the RD Session Host server. If TLS isn't supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server isn't authenticated. Native RDP encryption (as opposed to SSL encryption) isn't recommended. -- **RDP**: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server isn't authenticated. Native RDP encryption (as opposed to SSL encryption) isn't recommended. -- **SSL (TLS 1.0)**: The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS isn't supported, the connection fails. This enablement is the recommended setting for this policy. +* RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -If you disable or don't configure this policy setting, the security method to be used for remote connections to RD Session Host servers isn't specified at the Group Policy level. +* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. - +If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. + - -ADMX Info: -- GP Friendly name: *Require use of specific security layer for remote (RDP) connections* -- GP name: *TS_SECURITY_LAYER_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_SECURITY_LAYER_POLICY | +| Friendly Name | Require use of specific security layer for remote (RDP) connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_SELECT_NETWORK_DETECT -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT +``` + + + + This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). + You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. -- If you disable Connect Time Detect, Remote Desktop Protocol won't determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. +If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. -- If you disable Continuous Network Detect, Remote Desktop Protocol won't try to adapt the remote user experience to varying network quality. +If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. -- If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol won't try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it won't try to adapt the user experience to varying network quality. +If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. -- If you disable or don't configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. +If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. + - + + + - -ADMX Info: -- GP Friendly name: *Select network detection on the server* -- GP name: *TS_SELECT_NETWORK_DETECT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SELECT_TRANSPORT** +| Name | Value | +|:--|:--| +| Name | TS_SELECT_NETWORK_DETECT | +| Friendly Name | Select network detection on the server | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SELECT_TRANSPORT - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SELECT_TRANSPORT +``` + -
    - - - + + This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. -- If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" +If you enable this policy setting, you must specify if you would like RDP to use UDP. -If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection isn't successful or if you select "Use only TCP," all of the RDP traffic will use TCP. +You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" -- If you disable or don't configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. +If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. - +If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. - -ADMX Info: -- GP Friendly name: *Select RDP transport protocols* -- GP name: *TS_SELECT_TRANSPORT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* +If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SELECT_TRANSPORT | +| Friendly Name | Select RDP transport protocols | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP +``` + - - -This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. -This policy setting applies only to RemoteApp programs and doesn't apply to remote desktop sessions. + + +This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. -- If you enable or don't configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. +If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. -- If you disable this policy setting, RemoteApp programs published from this RD Session Host server won't use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs don't support these advanced graphics. +If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. + - + + + - -ADMX Info: -- GP Friendly name: *Use advanced RemoteFX graphics for RemoteApp* -- GP name: *TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SERVER_AUTH** +| Name | Value | +|:--|:--| +| Name | TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP | +| Friendly Name | Use advanced RemoteFX graphics for RemoteApp | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableRemoteFXAdvancedRemoteApp | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client can't authenticate the RD Session Host server. - -- If you enable this policy setting, you must specify one of the following settings: - - - Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client can't authenticate the RD Session Host server. - - Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server can't be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. - - don't connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. - -- If you disable or don't configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client can't authenticate the RD Session Host server. - - - - -ADMX Info: -- GP Friendly name: *Configure server authentication for client* -- GP name: *TS_SERVER_AUTH* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. - -- When you enable hardware encoding, if an error occurs, we'll attempt to use software encoding. - -- If you disable or don't configure this policy, we'll always use software encoding. - - - - -ADMX Info: -- GP Friendly name: *Configure H.264/AVC hardware encoding for Remote Desktop Connections* -- GP name: *TS_SERVER_AVC_HW_ENCODE_PREFERRED* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. - -When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. - - - - -ADMX Info: -- GP Friendly name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* -- GP name: *TS_SERVER_AVC444_MODE_PREFERRED* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SERVER_COMPRESSOR** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. - -- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. - -If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. - -In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you're using a hardware device that is designed to optimize network traffic. - -Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. - -- If you disable or don't configure this policy setting, the default RDP compression algorithm will be used. - - - - -ADMX Info: -- GP Friendly name: *Configure compression for RemoteFX data* -- GP name: *TS_SERVER_COMPRESSOR* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - + + + +## TS_SERVER_AUTH + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_AUTH +``` + + + + +This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + +If you enable this policy setting, you must specify one of the following settings: + +Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. + +Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. + +Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. + +If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SERVER_AUTH | +| Friendly Name | Configure server authentication for client | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SERVER_AVC_HW_ENCODE_PREFERRED + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED +``` + + + + +This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SERVER_AVC_HW_ENCODE_PREFERRED | +| Friendly Name | Configure H.264/AVC hardware encoding for Remote Desktop Connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AVCHardwareEncodePreferred | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SERVER_AVC444_MODE_PREFERRED + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED +``` + + + + +This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SERVER_AVC444_MODE_PREFERRED | +| Friendly Name | Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AVC444ModePreferred | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SERVER_COMPRESSOR + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_COMPRESSOR +``` + + + + +This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. + +By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. + +If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. + +You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. + +If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SERVER_COMPRESSOR | +| Friendly Name | Configure compression for RemoteFX data | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SERVER_IMAGE_QUALITY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY +``` + + + + This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. +If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. +If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. +If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. +If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. +If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. + -- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. + + + -- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. + +**Description framework properties**: -- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data isn't impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you enable this setting for specific cases only. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -- If you disable or don't configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_IMAGE_QUALITY | +| Friendly Name | Configure image quality for RemoteFX Adaptive Graphics | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -ADMX Info: -- GP Friendly name: *Configure image quality for RemoteFX Adaptive Graphics* -- GP name: *TS_SERVER_IMAGE_QUALITY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + -
    + +## TS_SERVER_LEGACY_RFX - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -**ADMX_TerminalServer/TS_SERVER_LEGACY_RFX** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_LEGACY_RFX +``` + - + + +This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    - - -This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. +**ADMX mapping**: -When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. +| Name | Value | +|:--|:--| +| Name | TS_SERVER_LEGACY_RFX | +| Friendly Name | Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1 | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableVirtualizedGraphics | +| ADMX File Name | TerminalServer.admx | + -- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. + + + -- If you disable this policy setting, RemoteFX will be disabled. If you don't configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + - + +## TS_SERVER_PROFILE - -ADMX Info: -- GP Friendly name: *Configure RemoteFX* -- GP name: *TS_SERVER_LEGACY_RFX* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_PROFILE +``` + -
    - - - -**ADMX_TerminalServer/TS_SERVER_PROFILE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth. + + +This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition 2. Optimize for server scalability -3. Optimize for minimum bandwidth usage. If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." +3. Optimize for minimum bandwidth usage - +If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." + - -ADMX Info: -- GP Friendly name: *Configure RemoteFX Adaptive Graphics* -- GP name: *TS_SERVER_PROFILE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_SERVER_VISEXP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_PROFILE | +| Friendly Name | Configure RemoteFX Adaptive Graphics | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_SERVER_VISEXP -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_VISEXP +``` + -This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. + + +This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. -- If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. +By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. -- If you disable or don't configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. +If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. - +If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. + - -ADMX Info: -- GP Friendly name: *Optimize visual experience for Remote Desktop Service Sessions* -- GP name: *TS_SERVER_VISEXP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_VISEXP | +| Friendly Name | Optimize visual experience for Remote Desktop Service Sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > RemoteFX for Windows Server 2008 R2 | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_SERVER_WDDM_GRAPHICS_DRIVER -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER +``` + + + This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. -- If you enable or don't configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. +If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. -- If you disable this policy setting, Remote Desktop Connections won't use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. +If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. - +For this change to take effect, you must restart Windows. + - -ADMX Info: -- GP Friendly name: *Use WDDM graphics display driver for Remote Desktop Connections* -- GP name: *TS_SERVER_WDDM_GRAPHICS_DRIVER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_Session_End_On_Limit_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SERVER_WDDM_GRAPHICS_DRIVER | +| Friendly Name | Use WDDM graphics display driver for Remote Desktop Connections | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableWddmDriver | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_Session_End_On_Limit_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_2 +``` + -This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the server administrator or by using Group Policy. + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. -See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. -- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. -- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you don't configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -This policy setting only applies to time-out limits that are explicitly set by the administrator. +If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. -This policy setting doesn't apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. +If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. - +Note: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + - -ADMX Info: -- GP Friendly name: *End session when time limits are reached* -- GP name: *TS_Session_End_On_Limit_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_Session_End_On_Limit_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_Session_End_On_Limit | +| Friendly Name | End session when time limits are reached | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fResetBroken | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_SESSIONS_Disconnected_Timeout_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 +``` + -This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. Time limits are set locally by the server administrator or by using Group Policy. + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. -See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. -- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. - -- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you don't configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. - -This policy setting only applies to time-out limits that are explicitly set by the administrator. - -This policy setting doesn't apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. - - - - -ADMX Info: -- GP Friendly name: *End session when time limits are reached* -- GP name: *TS_Session_End_On_Limit_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you've a console session, disconnected session time limits don't apply. +If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. ->[!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. - +Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + - -ADMX Info: -- GP Friendly name: *Set time limit for disconnected sessions* -- GP name: *TS_SESSIONS_Disconnected_Timeout_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Disconnected_Timeout | +| Friendly Name | Set time limit for disconnected sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_SESSIONS_Idle_Limit_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 +``` + -This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. -When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you've a console session, disconnected session time limits don't apply. +If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. - ->[!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - -ADMX Info: -- GP Friendly name: *Set time limit for disconnected sessions* -- GP name: *TS_SESSIONS_Disconnected_Timeout_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it's automatically disconnected. - -- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you've a console session, idle session time limits don't apply. - -- If you disable or don't configure this policy setting, the time limit isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. ->[!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + - + + + - -ADMX Info: -- GP Friendly name: *Set time limit for active but idle Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Idle_Limit_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2** +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Idle_Limit | +| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SESSIONS_Limits_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_2 +``` + -
    - - + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it's automatically disconnected. +If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you've a console session, idle session time limits don't apply. - -- If you disable or don't configure this policy setting, the time limit isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. ->[!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - -ADMX Info: -- GP Friendly name: *Set time limit for active but idle Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Idle_Limit_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SESSIONS_Limits_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it's automatically disconnected. - -- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you've a console session, active session time limits don't apply. - -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - ->[!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - -ADMX Info: -- GP Friendly name: *Set time limit for active Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Limits_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SESSIONS_Limits_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it's automatically disconnected. - -- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you've a console session, active session time limits don't apply. - -- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - ->[!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - -ADMX Info: -- GP Friendly name: *Set time limit for active Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Limits_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SINGLE_SESSION** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who sign in remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. - -If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next sign in. - -If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. If you don't configure this policy setting, this policy setting isn't specified at the Group Policy level. - - - - - -ADMX Info: -- GP Friendly name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* -- GP name: *TS_SINGLE_SESSION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_SMART_CARD** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. - -- If you enable this policy setting, Remote Desktop Services users can't use a smart card to sign in to a Remote Desktop Services session. - -- If you disable or don't configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. - ->[!NOTE] -> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. - - - - -ADMX Info: -- GP Friendly name: *Do not allow smart card device redirection* -- GP name: *TS_SMART_CARD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_START_PROGRAM_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user signs in to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. - -The Start menu and Windows Desktop aren't displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. - -If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory isn't the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) - ->[!NOTE] -> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. - - - - -ADMX Info: -- GP Friendly name: *Start a program on connection* -- GP name: *TS_START_PROGRAM_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_START_PROGRAM_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user signs in to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. - -The Start menu and Windows Desktop aren't displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. - -If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory isn't the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) - ->[!NOTE] -> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. - - - - -ADMX Info: -- GP Friendly name: *Start a program on connection* -- GP name: *TS_START_PROGRAM_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_TEMP_DELETE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at sign out. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user signs out from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user signs out. - -If you enable this policy setting, a user's per-session temporary folders are retained when the user signs out from a session. - -If you disable this policy setting, temporary folders are deleted when a user signs out, even if the server administrator specifies otherwise. If you don't configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at sign out, unless specified otherwise by the server administrator. - ->[!NOTE] -> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the don't use temporary folders per session policy setting, this policy setting has no effect. - - - - -ADMX Info: -- GP Friendly name: *Do not delete temp folders upon exit* -- GP name: *TS_TEMP_DELETE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_TEMP_PER_SESSION** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. - -You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the session ID. - -- If you enable this policy setting, per-session temporary folders aren't created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. - -- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. If you don't configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. - - - - -ADMX Info: -- GP Friendly name: *Do not use temporary folders per session* -- GP name: *TS_TEMP_PER_SESSION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_TIME_ZONE** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. - -- If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). - -- If you disable or don't configure this policy setting, the client computer doesn't redirect its time zone information and the session time zone is the same as the server time zone. - ->[!NOTE] -> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. - - - - -ADMX Info: -- GP Friendly name: *Allow time zone redirection* -- GP name: *TS_TIME_ZONE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. - -- If you enable this policy setting, the default security descriptors for existing groups on the RD Session Host server can't be changed. All the security descriptors are read-only. - -- If you disable or don't configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. - ->[!NOTE] -> The preferred method of managing user access is by adding a user to the Remote Desktop Users group. - - - - -ADMX Info: -- GP Friendly name: *Do not allow local administrators to customize permissions* -- GP name: *TS_TSCC_PERMISSIONS_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. - -- If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. - -- If you disable or don't configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program isn't specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. - ->[!NOTE] -> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. - - - - -ADMX Info: -- GP Friendly name: *Always show desktop on connection* -- GP name: *TS_TURNOFF_SINGLEAPP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - - -
    - - - -**ADMX_TerminalServer/TS_UIA** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Limits | +| Friendly Name | Set time limit for active Remote Desktop Services sessions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SINGLE_SESSION + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SINGLE_SESSION +``` + + + + This policy setting allows you to restrict users to a single Remote Desktop Services session. -If you enable this policy setting, users who sign in remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next sign in. +If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. -- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. +If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. -- If you don't configure this policy setting, this policy setting isn't specified at the Group Policy level. +If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. + - + + + - -ADMX Info: -- GP Friendly name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* -- GP name: *TS_UIA* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** +| Name | Value | +|:--|:--| +| Name | TS_SINGLE_SESSION | +| Friendly Name | Restrict Remote Desktop Services users to a single Remote Desktop Services session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fSingleSessionPerUser | +| ADMX File Name | TerminalServer.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TS_SMART_CARD - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SMART_CARD +``` + -
    - - + + +This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. -This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices won't be available for local usage on this computer. +If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. + +If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. + +Note: The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SMART_CARD | +| Friendly Name | Do not allow smart card device redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableSmartCard | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_START_PROGRAM_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_2 +``` + + + + +Configures Remote Desktop Services to run a specified program automatically upon connection. + +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. + +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. + +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. + +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_START_PROGRAM | +| Friendly Name | Start a program on connection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_TEMP_DELETE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TEMP_DELETE +``` + + + + +This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. + +You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. + +If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. + +If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. + +If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. + +Note: This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_TEMP_DELETE | +| Friendly Name | Do not delete temp folders upon exit | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary folders | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DeleteTempDirsOnExit | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_TEMP_PER_SESSION + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TEMP_PER_SESSION +``` + + + + +This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. + +You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. + +If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. + +If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. + +If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_TEMP_PER_SESSION | +| Friendly Name | Do not use temporary folders per session | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary folders | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | PerSessionTempDir | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_TIME_ZONE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TIME_ZONE +``` + + + + +This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +Note: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_TIME_ZONE | +| Friendly Name | Allow time zone redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fEnableTimeZoneRedirection | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_TSCC_PERMISSIONS_POLICY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY +``` + + + + +This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. + +You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. + +If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. + +If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. + +Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_TSCC_PERMISSIONS_POLICY | +| Friendly Name | Do not allow local administrators to customize permissions | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fWritableTSCCPermTab | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_TURNOFF_SINGLEAPP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP +``` + + + + +This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. + +If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. + +If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. + +Note: If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_TURNOFF_SINGLEAPP | +| Friendly Name | Always show desktop on connection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fTurnOffSingleAppMode | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_UIA + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_UIA +``` + + + + +This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. + +UI Automation gives programs access to most UI elements, which lets you use assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. + +Remote Desktop sessions don't currently support UI Automation redirection. + +If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session. + +If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_UIA | +| Friendly Name | Allow UI Automation redirection | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | EnableUiaRedirection | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_USB_REDIRECTION_DISABLE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE +``` + + + + +This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. -If you disable or don't configure this policy setting, other supported RemoteFX USB devices aren't available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. +If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. - +For this change to take effect, you must restart Windows. + - -ADMX Info: -- GP Friendly name: *Allow RDP redirection of other supported RemoteFX USB devices from this computer* -- GP name: *TS_USB_REDIRECTION_DISABLE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection* -- GP ADMX file name: *TerminalServer.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -**ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_USB_REDIRECTION_DISABLE | +| Friendly Name | Allow RDP redirection of other supported RemoteFX USB devices from this computer | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client > RemoteFX USB Device Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client | +| ADMX File Name | TerminalServer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TS_USER_AUTHENTICATION_POLICY -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY +``` + -This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. + + +This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. -- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. +If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. -- If you disable this policy setting, Network Level Authentication isn't required for user authentication before allowing remote connections to the RD Session Host server. If you don't configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. +To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. -Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. +If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. - +If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. - -ADMX Info: -- GP Friendly name: *Require user authentication for remote connections by using Network Level Authentication* -- GP name: *TS_USER_AUTHENTICATION_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* +Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**ADMX_TerminalServer/TS_USER_HOME** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_USER_AUTHENTICATION_POLICY | +| Friendly Name | Require user authentication for remote connections by using Network Level Authentication | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UserAuthentication | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_USER_HOME -
    - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_HOME +``` + -- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate hasn't been selected. + + +Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's home directory for a Remote Desktop Services session. -If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. +To use this setting, select the location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter to which you want the network share to be mapped. -- If you disable or don't configure this policy, the certificate template name isn't specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. +If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. -If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. +Note: The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. - +If the status is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. - -ADMX Info: -- GP Friendly name: *Server authentication certificate template* -- GP name: *TS_USER_HOME* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* +If the status is set to Disabled or Not Configured, the user's home directory is as specified at the server. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -**ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TS_USER_HOME | +| Friendly Name | Set Remote Desktop Services User Home Directory | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## TS_USER_MANDATORY_PROFILES -
    - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES +``` + + + + This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. -- If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. +If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. -- If you disable or don't configure this policy setting, mandatory user profiles aren't used by users connecting remotely to the RD Session Host server. +If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. + +Note: For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use mandatory profiles on the RD Session Host server* -- GP name: *TS_USER_MANDATORY_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TS_USER_MANDATORY_PROFILES | +| Friendly Name | Use mandatory profiles on the RD Session Host server | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | WFDontAppendUserNameToProfile | +| ADMX File Name | TerminalServer.admx | + -**ADMX_TerminalServer/TS_USER_PROFILES** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## TS_USER_PROFILES - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_USER_PROFILES +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. -
    - - +By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. -This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. +If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. -To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Don't specify a placeholder for the user account name, because Remote Desktop Services automatically adds this location when the user signs in and the profile is created. +To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. -If the specified network share doesn't exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. - -If you disable or don't configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. +If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. +Notes: 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. 2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. + - + + + - -ADMX Info: -- GP Friendly name: *Set path for Remote Desktop Services Roaming User Profile* -- GP name: *TS_USER_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | TS_USER_PROFILES | +| Friendly Name | Set path for Remote Desktop Services Roaming User Profile | +| Location | Computer Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + +## TS_CLIENT_ALLOW_SIGNED_FILES_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +``` + + + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_SIGNED_FILES | +| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowSignedFiles | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_ALLOW_UNSIGNED_FILES_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +``` + + + + +This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES | +| Friendly Name | Allow .rdp files from unknown publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowUnsignedFiles | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_DISABLE_PASSWORD_SAVING_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +``` + + + + +Controls whether a user can save passwords using Remote Desktop Connection. + +If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING | +| Friendly Name | Do not allow passwords to be saved | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DisablePasswordSaving | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +``` + + + + +This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. + +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +Note: + +You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. + +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. + +If the list contains a string that is not a certificate thumbprint, it is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS | +| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_EASY_PRINT_User + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT_User +``` + + + + +This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_EASY_PRINT | +| Friendly Name | Use Remote Desktop Easy Print printer driver first | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseUniversalPrinterDriverFirst | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_AUTH_METHOD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +``` + + + + +Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_AUTH_METHOD | +| Friendly Name | Set RD Gateway authentication method | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_ENABLE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +``` + + + + +If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. + +You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_ENABLE | +| Friendly Name | Enable connection through RD Gateway | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseProxy | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_SERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +``` + + + + +Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. + +Note: If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_SERVER | +| Friendly Name | Set RD Gateway server address | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_RADC_DefaultConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RADC_DefaultConnection +``` + + + + +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. + +The default connection URL must be configured in the form of . + +If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +If you disable or do not configure this policy setting, the user has no default connection URL. + +Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RADC_DefaultDesktop | +| Friendly Name | Specify default connection URL | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Workspaces | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_RemoteControl_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_1 +``` + + + + +If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RemoteControl | +| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_Session_End_On_Limit_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_1 +``` + + + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. + +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. + +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. + +If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +Note: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_Session_End_On_Limit | +| Friendly Name | End session when time limits are reached | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fResetBroken | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SESSIONS_Disconnected_Timeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +``` + + + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. + +When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Disconnected_Timeout | +| Friendly Name | Set time limit for disconnected sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SESSIONS_Idle_Limit_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +``` + + + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Idle_Limit | +| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_SESSIONS_Limits_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_1 +``` + + + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Limits | +| Friendly Name | Set time limit for active Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_START_PROGRAM_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_1 +``` + + + + +Configures Remote Desktop Services to run a specified program automatically upon connection. + +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. + +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. + +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. + +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_START_PROGRAM | +| Friendly Name | Start a program on connection | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fInheritInitialProgram | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 89ee3b1b5c..c4d4ef836d 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,72 +1,49 @@ --- -title: Policy CSP - ADMX_Thumbnails -description: Learn about Policy CSP - ADMX_Thumbnails. +title: ADMX_Thumbnails Policy CSP +description: Learn more about the ADMX_Thumbnails Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/25/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Thumbnails -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_Thumbnails policies + + + -
    -
    - ADMX_Thumbnails/DisableThumbnails -
    -
    - ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders -
    -
    - ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders -
    -
    + +## DisableThumbnails -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_Thumbnails/DisableThumbnails** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Thumbnails/DisableThumbnails +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. @@ -74,47 +51,61 @@ File Explorer displays thumbnail images by default. If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display of thumbnails and only display icons.* -- GP name: *DisableThumbnails* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Thumbnails.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableThumbnails | +| Friendly Name | Turn off the display of thumbnails and only display icons. | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableThumbnails | +| ADMX File Name | Thumbnails.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableThumbnailsOnNetworkFolders -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders +``` + + + + This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. @@ -122,71 +113,112 @@ File Explorer displays thumbnail images on network folders by default. If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off the display of thumbnails and only display icons on network folders* -- GP name: *DisableThumbnailsOnNetworkFolders* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Thumbnails.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableThumbnailsOnNetworkFolders | +| Friendly Name | Turn off the display of thumbnails and only display icons on network folders | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableThumbnailsOnNetworkFolders | +| ADMX File Name | Thumbnails.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## DisableThumbsDBOnNetworkFolders -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting turns off the caching of thumbnails in hidden thumbs.db files. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders +``` + + + + +Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. If you enable this policy setting, File Explorer does not create, read from, or write to thumbs.db files. If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. + - -> - -ADMX Info: -- GP Friendly name: *Turn off the caching of thumbnails in hidden thumbs.db files* -- GP name: *DisableThumbsDBOnNetworkFolders* -- GP path: *Windows Components\File Explorer* -- GP ADMX file name: *Thumbnails.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | DisableThumbsDBOnNetworkFolders | +| Friendly Name | Turn off the caching of thumbnails in hidden thumbs.db files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableThumbsDBOnNetworkFolders | +| ADMX File Name | Thumbnails.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 4ca4f12b6f..bf55bebadf 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,251 +1,300 @@ --- -title: Policy CSP - ADMX_TouchInput -description: Learn about Policy CSP - ADMX_TouchInput. +title: ADMX_TouchInput Policy CSP +description: Learn more about the ADMX_TouchInput Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TouchInput -
    - - -## ADMX_TouchInput policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_TouchInput/TouchInputOff_1 -
    -
    - ADMX_TouchInput/TouchInputOff_2 -
    -
    - ADMX_TouchInput/PanningEverywhereOff_1 -
    -
    - ADMX_TouchInput/PanningEverywhereOff_2 -
    -
    + + + + +## PanningEverywhereOff_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_TouchInput/TouchInputOff_1** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/PanningEverywhereOff_2 +``` + - + + +Turn off Panning +Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable this setting, the user will not be able to pan windows by touch. - -
    +If you disable this setting, the user can pan windows by touch. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you do not configure this setting, Touch Panning is on by default. -> [!div class = "checklist"] -> * User +Note: Changes to this setting will not take effect until the user logs off. + -
    + + + - - -This setting turns off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +**Description framework properties**: -If you enable this setting, the user won't be able to produce input with touch. They won't be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SingleFingerPanningOff | +| Friendly Name | Turn off Touch Panning | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPanning | +| ADMX File Name | TouchInput.admx | + + + + + + + + + +## TouchInputOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/TouchInputOff_2 +``` + + + + +Turn off Tablet PC touch input + +Turns off touch input, which allows the user to interact with their computer using their finger. + +If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. -If you don't configure this setting, touch input is on by default. +If you do not configure this setting, touch input is on by default. ->[!NOTE] -> Changes to this setting won't take effect until the user signs out. +Note: Changes to this setting will not take effect until the user logs off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC touch input* -- GP name: *TouchInputOff_1* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* + +**Description framework properties**: - - - -**ADMX_TouchInput/TouchInputOff_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TouchInputOff | +| Friendly Name | Turn off Tablet PC touch input | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffTouchInput | +| ADMX File Name | TouchInput.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## PanningEverywhereOff_1 - - -This setting turns off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this setting, the user won't be able to produce input with touch. They won't be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TouchInput/PanningEverywhereOff_1 +``` + + + + +Turn off Panning +Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +If you enable this setting, the user will not be able to pan windows by touch. + +If you disable this setting, the user can pan windows by touch. + +If you do not configure this setting, Touch Panning is on by default. + +Note: Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SingleFingerPanningOff | +| Friendly Name | Turn off Touch Panning | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPanning | +| ADMX File Name | TouchInput.admx | + + + + + + + + + +## TouchInputOff_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TouchInput/TouchInputOff_1 +``` + + + + +Turn off Tablet PC touch input + +Turns off touch input, which allows the user to interact with their computer using their finger. + +If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. -If you don't configure this setting, touch input is on by default. +If you do not configure this setting, touch input is on by default. ->[!NOTE] ->Changes to this setting won't take effect until the user signs out. +Note: Changes to this setting will not take effect until the user logs off. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC touch input* -- GP name: *TouchInputOff_2* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_TouchInput/PanningEverywhereOff_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TouchInputOff | +| Friendly Name | Turn off Tablet PC touch input | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffTouchInput | +| ADMX File Name | TouchInput.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    +## Related articles - - -This setting turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. - -If you enable this setting, the user won't be able to pan windows by touch. - -If you disable this setting, the user can pan windows by touch. If you don't configure this setting, Touch Panning is on by default. - -> [!NOTE] -> Changes to this setting won't take effect until the user logs off. - - - - -ADMX Info: -- GP Friendly name: *Turn off Touch Panning* -- GP name: *PanningEverywhereOff_1* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* - - - -
    - -**ADMX_TouchInput/PanningEverywhereOff_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. - -If you enable this setting, the user won't be able to pan windows by touch. - -If you disable this setting, the user can pan windows by touch. If you don't configure this setting, Touch Panning is on by default. - -> [!NOTE] -> Changes to this setting won't take effect until the user logs off. - - - - -ADMX Info: -- GP Friendly name: *Turn off Touch Panning* -- GP name: *PanningEverywhereOff_2* -- GP path: *Windows Components\Tablet PC\Touch Input* -- GP ADMX file name: *TouchInput.admx* - - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) From 69a1040a861956714396598888694bb284f740ee Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Wed, 4 Jan 2023 13:21:35 -0500 Subject: [PATCH 103/152] tcpip taskbar tabletshell --- .../mdm/policy-csp-admx-tabletshell.md | 1429 ++++++++++++- .../mdm/policy-csp-admx-taskbar.md | 1866 +++++++++-------- .../mdm/policy-csp-admx-tcpip.md | 1111 +++++----- 3 files changed, 3010 insertions(+), 1396 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 82eee23e73..732206ca69 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -1,143 +1,1390 @@ --- -title: Policy CSP - ADMX_TabletShell -description: Learn about Policy CSP - ADMX_TabletShell. +title: ADMX_TabletShell Policy CSP +description: Learn more about the ADMX_TabletShell Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_TabletShell > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_TabletShell policies + +## DisableInkball_2 -
    -
    - ADMX_TabletShell/DisableInkball_1 -
    -
    - ADMX_TabletShell/DisableNoteWriterPrinting_1 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableInkball_2 +``` + -
    + + +Prevents start of InkBall game. - -**ADMX_TabletShell/DisableInkball_1** +If you enable this policy, the InkBall game will not run. - +If you disable this policy, the InkBall game will run. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy, the InkBall game will run. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting prevents start of InkBall game. +**ADMX mapping**: -If you enable this policy, the InkBall game won't run. +| Name | Value | +|:--|:--| +| Name | DisableInkball | +| Friendly Name | Do not allow Inkball to run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableInkball | +| ADMX File Name | TabletShell.admx | + -If you disable this policy, the InkBall game will run. If you don't configure this policy, the InkBall game will run. + + + - + + +## DisableJournal_2 - -ADMX Info: -- GP Friendly name: *Do not allow Inkball to run* -- GP name: *DisableInkball_1* -- GP path: *Windows Components\Tablet PC\Accessories* -- GP ADMX file name: *TabletShell.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableJournal_2 +``` + -
    + + +Prevents start of Windows Journal. - -**ADMX_TabletShell/DisableNoteWriterPrinting_1** +If you enable this policy, the Windows Journal accessory will not run. - +If you disable this policy, the Windows Journal accessory will run. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy, the Windows Journal accessory will run. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting prevents printing to Journal Note Writer. +**ADMX mapping**: -If you enable this policy, the Journal Note Writer printer driver won't allow printing to it. It will remain displayed in the list of available printers, but attempts to print it will fail. +| Name | Value | +|:--|:--| +| Name | DisableJournal | +| Friendly Name | Do not allow Windows Journal to be run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableJournal | +| ADMX File Name | TabletShell.admx | + -If you disable this policy, you'll be able to use this feature to print to a Journal Note. If you don't configure this policy, users will be able to use this feature to print to a Journal Note. + + + + - + +## DisableNoteWriterPrinting_2 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Do not allow printing to Journal Note Writer* -- GP name: *DisableNoteWriterPrinting_1* -- GP path: *Windows Components\Tablet PC\Accessories* -- GP ADMX file name: *TabletShell.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableNoteWriterPrinting_2 +``` + - - -
    + + +Prevents printing to Journal Note Writer. +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. +If you disable this policy, you will be able to use this feature to print to a Journal Note. - +If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableNoteWriterPrinting | +| Friendly Name | Do not allow printing to Journal Note Writer | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableNoteWriterPrinting | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableSnippingTool_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableSnippingTool_2 +``` + + + + +Prevents the snipping tool from running. + +If you enable this policy setting, the Snipping Tool will not run. + +If you disable this policy setting, the Snipping Tool will run. + +If you do not configure this policy setting, the Snipping Tool will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSnippingTool | +| Friendly Name | Do not allow Snipping Tool to run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableSnippingTool | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventBackEscMapping_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventBackEscMapping_2 +``` + + + + +Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. + +If you enable this policy, a button assigned to Back will not map to ESC. + +If you disable this policy, Back->ESC mapping will occur. + +If you do not configure this policy, Back->ESC mapping will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventBackEscMapping | +| Friendly Name | Prevent Back-ESC mapping | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonBackEscapeMapping | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicks_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicks_2 +``` + + + + +Makes pen flicks and all related features unavailable. + +If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. + +If you disable or do not configure this policy, pen flicks and related features are available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicks | +| Friendly Name | Prevent flicks | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Pen UX Behaviors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicks | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicksLearningMode_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicksLearningMode_2 +``` + + + + +Makes pen flicks learning mode unavailable. + +If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. + +If you disable or do not configure this policy, all the features described above will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicksLearningMode | +| Friendly Name | Prevent Flicks Learning Mode | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Pen Flicks Learning | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicksLearningMode | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventLaunchApp_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventLaunchApp_2 +``` + + + + +Prevents the user from launching an application from a Tablet PC hardware button. + +If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). + +If you disable this policy, applications can be launched from a hardware button. + +If you do not configure this policy, applications can be launched from a hardware button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLaunchApp | +| Friendly Name | Prevent launch an application | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonApplicationLaunch | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventPressAndHold_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventPressAndHold_2 +``` + + + + +Prevents press and hold actions on hardware buttons, so that only one action is available per button. + +If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." + +If you disable this policy, press and hold actions for buttons will be available. + +If you do not configure this policy, press and hold actions will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventPressAndHold | +| Friendly Name | Prevent press and hold | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonPressAndHold | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffButtons_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffButtons_2 +``` + + + + +Turns off Tablet PC hardware buttons. + +If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. + +If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. + +If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffButtons | +| Friendly Name | Turn off hardware buttons | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffButtons | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffFeedback_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffFeedback_2 +``` + + + + +Disables visual pen action feedback, except for press and hold feedback. + +If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. + +If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffFeedback | +| Friendly Name | Turn off pen feedback | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Cursors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPenFeedback | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableInkball_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableInkball_1 +``` + + + + +Prevents start of InkBall game. + +If you enable this policy, the InkBall game will not run. + +If you disable this policy, the InkBall game will run. + +If you do not configure this policy, the InkBall game will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableInkball | +| Friendly Name | Do not allow Inkball to run | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableInkball | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableJournal_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableJournal_1 +``` + + + + +Prevents start of Windows Journal. + +If you enable this policy, the Windows Journal accessory will not run. + +If you disable this policy, the Windows Journal accessory will run. + +If you do not configure this policy, the Windows Journal accessory will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableJournal | +| Friendly Name | Do not allow Windows Journal to be run | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableJournal | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableNoteWriterPrinting_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableNoteWriterPrinting_1 +``` + + + + +Prevents printing to Journal Note Writer. + +If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +If you disable this policy, you will be able to use this feature to print to a Journal Note. + +If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableNoteWriterPrinting | +| Friendly Name | Do not allow printing to Journal Note Writer | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableNoteWriterPrinting | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## DisableSnippingTool_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableSnippingTool_1 +``` + + + + +Prevents the snipping tool from running. + +If you enable this policy setting, the Snipping Tool will not run. + +If you disable this policy setting, the Snipping Tool will run. + +If you do not configure this policy setting, the Snipping Tool will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSnippingTool | +| Friendly Name | Do not allow Snipping Tool to run | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableSnippingTool | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventBackEscMapping_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventBackEscMapping_1 +``` + + + + +Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. + +If you enable this policy, a button assigned to Back will not map to ESC. + +If you disable this policy, Back->ESC mapping will occur. + +If you do not configure this policy, Back->ESC mapping will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventBackEscMapping | +| Friendly Name | Prevent Back-ESC mapping | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonBackEscapeMapping | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicks_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicks_1 +``` + + + + +Makes pen flicks and all related features unavailable. + +If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. + +If you disable or do not configure this policy, pen flicks and related features are available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicks | +| Friendly Name | Prevent flicks | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Pen UX Behaviors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicks | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventFlicksLearningMode_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicksLearningMode_1 +``` + + + + +Makes pen flicks learning mode unavailable. + +If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. + +If you disable or do not configure this policy, all the features described above will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicksLearningMode | +| Friendly Name | Prevent Flicks Learning Mode | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Pen Flicks Learning | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicksLearningMode | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventLaunchApp_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventLaunchApp_1 +``` + + + + +Prevents the user from launching an application from a Tablet PC hardware button. + +If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). + +If you disable this policy, applications can be launched from a hardware button. + +If you do not configure this policy, applications can be launched from a hardware button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLaunchApp | +| Friendly Name | Prevent launch an application | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonApplicationLaunch | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## PreventPressAndHold_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventPressAndHold_1 +``` + + + + +Prevents press and hold actions on hardware buttons, so that only one action is available per button. + +If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." + +If you disable this policy, press and hold actions for buttons will be available. + +If you do not configure this policy, press and hold actions will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventPressAndHold | +| Friendly Name | Prevent press and hold | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonPressAndHold | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffButtons_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffButtons_1 +``` + + + + +Turns off Tablet PC hardware buttons. + +If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. + +If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. + +If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffButtons | +| Friendly Name | Turn off hardware buttons | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffButtons | +| ADMX File Name | TabletShell.admx | + + + + + + + + + +## TurnOffFeedback_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffFeedback_1 +``` + + + + +Disables visual pen action feedback, except for press and hold feedback. + +If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. + +If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffFeedback | +| Friendly Name | Turn off pen feedback | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Cursors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPenFeedback | +| ADMX File Name | TabletShell.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 107ce3f16c..37964f5ea5 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1,181 +1,181 @@ --- -title: Policy CSP - ADMX_Taskbar -description: Learn about Policy CSP - ADMX_Taskbar. +title: ADMX_Taskbar Policy CSP +description: Learn more about the ADMX_Taskbar Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Taskbar -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_Taskbar policies + + + -
    -
    - ADMX_Taskbar/DisableNotificationCenter -
    -
    - ADMX_Taskbar/EnableLegacyBalloonNotifications -
    -
    - ADMX_Taskbar/HideSCAHealth -
    -
    - ADMX_Taskbar/HideSCANetwork -
    -
    - ADMX_Taskbar/HideSCAPower -
    -
    - ADMX_Taskbar/HideSCAVolume -
    -
    - ADMX_Taskbar/NoBalloonFeatureAdvertisements -
    -
    - ADMX_Taskbar/NoPinningStoreToTaskbar -
    -
    - ADMX_Taskbar/NoPinningToDestinations -
    -
    - ADMX_Taskbar/NoPinningToTaskbar -
    -
    - ADMX_Taskbar/NoRemoteDestinations -
    -
    - ADMX_Taskbar/NoSystraySystemPromotion -
    -
    - ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar -
    -
    - ADMX_Taskbar/TaskbarLockAll -
    -
    - ADMX_Taskbar/TaskbarNoAddRemoveToolbar -
    -
    - ADMX_Taskbar/TaskbarNoDragToolbar -
    -
    - ADMX_Taskbar/TaskbarNoMultimon -
    -
    - ADMX_Taskbar/TaskbarNoNotification -
    -
    - ADMX_Taskbar/TaskbarNoPinnedList -
    -
    - ADMX_Taskbar/TaskbarNoRedock -
    -
    - ADMX_Taskbar/TaskbarNoResize -
    -
    - ADMX_Taskbar/TaskbarNoThumbnail -
    -
    + +## DisableNotificationCenter + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/DisableNotificationCenter +``` - -**ADMX_Taskbar/DisableNotificationCenter** +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/DisableNotificationCenter +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. -If this setting is enabled, Notifications and Action Center isn't displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. +If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. -If you disable or don't configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. +If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. ->[!NOTE] -> A reboot is required for this policy setting to take effect. +A reboot is required for this policy setting to take effect. + - + + + - -ADMX Info: -- GP Friendly name: *Remove Notifications and Action Center* -- GP name: *DisableNotificationCenter* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/EnableLegacyBalloonNotifications** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableNotificationCenter | +| Friendly Name | Remove Notifications and Action Center | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableNotificationCenter | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoPinnedList -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + + + + +This policy setting allows you to remove pinned programs from the taskbar. + +If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. + +If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TaskbarNoPinnedList | +| Friendly Name | Remove pinned programs from the Taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TaskbarNoPinnedList | +| ADMX File Name | Taskbar.admx | + + + + + + + + + +## EnableLegacyBalloonNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/EnableLegacyBalloonNotifications +``` + + + + This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. @@ -184,518 +184,666 @@ Enable this policy setting if a specific app or system component that uses ballo If you disable or don’t configure this policy setting, all notifications will appear as toast notifications. ->[!NOTE] -> A reboot is required for this policy setting to take effect. +A reboot is required for this policy setting to take effect. + - + + + - -ADMX Info: -- GP Friendly name: *Disable showing balloon notifications as toasts.* -- GP name: *EnableLegacyBalloonNotifications* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCAHealth** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableLegacyBalloonNotifications | +| Friendly Name | Disable showing balloon notifications as toasts. | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | EnableLegacyBalloonNotifications | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCAHealth -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCAHealth +``` + + + + This policy setting allows you to remove Security and Maintenance from the system control area. -If you enable this policy setting, the Security and Maintenance icon isn't displayed in the system notification area. +If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. -If you disable or don't configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. +If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the Security and Maintenance icon* -- GP name: *HideSCAHealth* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCANetwork** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCAHealth | +| Friendly Name | Remove the Security and Maintenance icon | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCAHealth | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCANetwork -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCANetwork +``` + + + + This policy setting allows you to remove the networking icon from the system control area. -If you enable this policy setting, the networking icon isn't displayed in the system notification area. +If you enable this policy setting, the networking icon is not displayed in the system notification area. -If you disable or don't configure this policy setting, the networking icon is displayed in the system notification area. +If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the networking icon* -- GP name: *HideSCANetwork* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCAPower** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCANetwork | +| Friendly Name | Remove the networking icon | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCANetwork | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCAPower -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCAPower +``` + + + + This policy setting allows you to remove the battery meter from the system control area. -If you enable this policy setting, the battery meter isn't displayed in the system notification area. +If you enable this policy setting, the battery meter is not displayed in the system notification area. -If you disable or don't configure this policy setting, the battery meter is displayed in the system notification area. +If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the battery meter* -- GP name: *HideSCAPower* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/HideSCAVolume** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCABattery | +| Friendly Name | Remove the battery meter | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCAPower | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## HideSCAVolume -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/HideSCAVolume +``` + + + + This policy setting allows you to remove the volume control icon from the system control area. -If you enable this policy setting, the volume control icon isn't displayed in the system notification area. +If you enable this policy setting, the volume control icon is not displayed in the system notification area. -If you disable or don't configure this policy setting, the volume control icon is displayed in the system notification area. +If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. + - + + + - -ADMX Info: -- GP Friendly name: *Remove the volume control icon* -- GP name: *HideSCAVolume* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoBalloonFeatureAdvertisements** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | HideSCAVolume | +| Friendly Name | Remove the volume control icon | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideSCAVolume | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoBalloonFeatureAdvertisements -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoBalloonFeatureAdvertisements +``` + + + + This policy setting allows you to turn off feature advertisement balloon notifications. -If you enable this policy setting, certain notification balloons that are marked as feature advertisements aren't shown. +If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. -If you disable don't configure this policy setting, feature advertisement balloons are shown. +If you disable do not configure this policy setting, feature advertisement balloons are shown. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off feature advertisement balloon notifications* -- GP name: *NoBalloonFeatureAdvertisements* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoPinningStoreToTaskbar** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoBalloonFeatureAdvertisements | +| Friendly Name | Turn off feature advertisement balloon notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoBalloonFeatureAdvertisements | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoPinningStoreToTaskbar -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningStoreToTaskbar +``` + + + + This policy setting allows you to control pinning the Store app to the Taskbar. -If you enable this policy setting, users can't pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next sign in. +If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. -If you disable or don't configure this policy setting, users can pin the Store app to the Taskbar. +If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow pinning Store app to the Taskbar* -- GP name: *NoPinningStoreToTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoPinningToDestinations** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoPinningStoreToTaskbar | +| Friendly Name | Do not allow pinning Store app to the Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoPinningStoreToTaskbar | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoPinningToDestinations -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningToDestinations +``` + + + + This policy setting allows you to control pinning items in Jump Lists. -If you enable this policy setting, users can't pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also can't unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. +If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. -If you disable or don't configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items are always present in this menu. +If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow pinning items in Jump Lists* -- GP name: *NoPinningToDestinations* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/NoPinningToTaskbar** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoPinningToDestinations | +| Friendly Name | Do not allow pinning items in Jump Lists | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoPinningToDestinations | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoPinningToTaskbar -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoPinningToTaskbar +``` + + + + This policy setting allows you to control pinning programs to the Taskbar. -If you enable this policy setting, users can't change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users can't unpin these programs already pinned to the Taskbar, and they can't pin new programs to the Taskbar. +If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. -If you disable or don't configure this policy setting, users can change the programs currently pinned to the Taskbar. +If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow pinning programs to the Taskbar* -- GP name: *NoPinningToTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Taskbar/NoRemoteDestinations** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoPinningToTaskbar | +| Friendly Name | Do not allow pinning programs to the Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoPinningToTaskbar | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoRemoteDestinations -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoRemoteDestinations +``` + - - + + This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. -The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites, and other relevant items for that program. This customization helps users more easily reopen their most important documents and other tasks. +The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. -If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers aren't tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. +If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. -If you disable or don't configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. +If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. -> [!NOTE] -> This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting. +Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do not allow pinning items in Jump Lists"" policy setting. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display or track items in Jump Lists from remote locations* -- GP name: *NoRemoteDestinations* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Taskbar/NoSystraySystemPromotion** +| Name | Value | +|:--|:--| +| Name | NoRemoteDestinations | +| Friendly Name | Do not display or track items in Jump Lists from remote locations | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoRemoteDestinations | +| ADMX File Name | Taskbar.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NoSystraySystemPromotion - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/NoSystraySystemPromotion +``` + -
    - - - + + This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. -If you enable this policy setting, newly added notification icons aren't temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. +If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. -If you disable or don't configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. +If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off automatic promotion of notification icons to the taskbar* -- GP name: *NoSystraySystemPromotion* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSystraySystemPromotion | +| Friendly Name | Turn off automatic promotion of notification icons to the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoSystraySystemPromotion | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowWindowsStoreAppsOnTaskbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar +``` + - - + + This policy setting allows users to see Windows Store apps on the taskbar. If you enable this policy setting, users will see Windows Store apps on the taskbar. @@ -703,448 +851,530 @@ If you enable this policy setting, users will see Windows Store apps on the task If you disable this policy setting, users won’t see Windows Store apps on the taskbar. If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. + - + + + - -ADMX Info: -- GP Friendly name: *Show Windows Store apps on the taskbar* -- GP name: *ShowWindowsStoreAppsOnTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Taskbar/TaskbarLockAll** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowWindowsStoreAppsOnTaskbar | +| Friendly Name | Show Windows Store apps on the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowWindowsStoreAppsOnTaskbar | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarLockAll -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarLockAll +``` + - - + + This policy setting allows you to lock all taskbar settings. -If you enable this policy setting, the user can't access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. +If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. -If you disable or don't configure this policy setting, the user will be able to set any taskbar setting that isn't prevented by another policy setting. +If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. + - + + + - -ADMX Info: -- GP Friendly name: *Lock all taskbar settings* -- GP name: *TaskbarLockAll* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Taskbar/TaskbarNoAddRemoveToolbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarLockAll | +| Friendly Name | Lock all taskbar settings | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarLockAll | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoAddRemoveToolbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoAddRemoveToolbar +``` + - - + + This policy setting allows you to prevent users from adding or removing toolbars. -If you enable this policy setting, the user isn't allowed to add or remove any toolbars to the taskbar. Applications aren't able to add toolbars either. +If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. -If you disable or don't configure this policy setting, the users and applications are able to add toolbars to the taskbar. +If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. + - - -ADMX Info: -- GP Friendly name: *Prevent users from adding or removing toolbars* -- GP name: *TaskbarNoAddRemoveToolbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + + + - - -> + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/TaskbarNoDragToolbar** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TaskbarNoAddRemoveToolbar | +| Friendly Name | Prevent users from adding or removing toolbars | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoAddRemoveToolbar | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoDragToolbar -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoDragToolbar +``` + + + + This policy setting allows you to prevent users from rearranging toolbars. -If you enable this policy setting, users aren't able to drag or drop toolbars to the taskbar. +If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. -If you disable or don't configure this policy setting, users are able to rearrange the toolbars on the taskbar. +If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. + - - -ADMX Info: -- GP Friendly name: *Prevent users from rearranging toolbars* -- GP name: *TaskbarNoDragToolbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + + + - - + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/TaskbarNoMultimon** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TaskbarNoDragToolbar | +| Friendly Name | Prevent users from rearranging toolbars | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoDragToolbar | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoMultimon -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoMultimon +``` + + + + This policy setting allows you to prevent taskbars from being displayed on more than one monitor. -If you enable this policy setting, users aren't able to show taskbars on more than one display. The multiple display section isn't enabled in the taskbar properties dialog. +If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. -If you disable or don't configure this policy setting, users can show taskbars on more than one display. +If you disable or do not configure this policy setting, users can show taskbars on more than one display. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow taskbars on more than one display* -- GP name: *TaskbarNoMultimon* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Taskbar/TaskbarNoNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarNoMultimon | +| Friendly Name | Do not allow taskbars on more than one display | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TaskbarNoMultimon | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoNotification -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoNotification +``` + - - + + This policy setting allows you to turn off all notification balloons. If you enable this policy setting, no notification balloons are shown to the user. -If you disable or don't configure this policy setting, notification balloons are shown to the user. +If you disable or do not configure this policy setting, notification balloons are shown to the user. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off all balloon notifications* -- GP name: *TaskbarNoNotification* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Taskbar/TaskbarNoPinnedList** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TaskbarNoNotification | +| Friendly Name | Turn off all balloon notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoNotification | +| ADMX File Name | Taskbar.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TaskbarNoRedock -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting allows you to remove pinned programs from the taskbar. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoRedock +``` + -If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users can't pin programs to the Taskbar. - -If you disable or don't configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. - - - - -ADMX Info: -- GP Friendly name: *Remove pinned programs from the Taskbar* -- GP name: *TaskbarNoPinnedList* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* - - - - -
    - - -**ADMX_Taskbar/TaskbarNoRedock** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to prevent users from moving taskbar to another screen dock location. -If you enable this policy setting, users aren't able to drag their taskbar to another area of the monitor(s). +If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). -If you disable or don't configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. +If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from moving taskbar to another screen dock location* -- GP name: *TaskbarNoRedock* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - -**ADMX_Taskbar/TaskbarNoResize** +| Name | Value | +|:--|:--| +| Name | TaskbarNoRedock | +| Friendly Name | Prevent users from moving taskbar to another screen dock location | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoRedock | +| ADMX File Name | Taskbar.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TaskbarNoResize - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoResize +``` + -
    - - - + + This policy setting allows you to prevent users from resizing the taskbar. -If you enable this policy setting, users aren't be able to resize their taskbar. +If you enable this policy setting, users are not be able to resize their taskbar. -If you disable or don't configure this policy setting, users are able to resize their taskbar unless prevented by another setting. +If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. + - + + + - -ADMX Info: -- GP Friendly name: *Prevent users from resizing the taskbar* -- GP name: *TaskbarNoResize* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Taskbar/TaskbarNoThumbnail** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | TaskbarNoResize | +| Friendly Name | Prevent users from resizing the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoResize | +| ADMX File Name | Taskbar.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TaskbarNoThumbnail -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoThumbnail +``` + - - + + This policy setting allows you to turn off taskbar thumbnails. -If you enable this policy setting, the taskbar thumbnails aren't displayed and the system uses standard text for the tooltips. +If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. -If you disable or don't configure this policy setting, the taskbar thumbnails are displayed. +If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off taskbar thumbnails* -- GP name: *TaskbarNoThumbnail* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *Taskbar.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | TaskbarNoThumbnail | +| Friendly Name | Turn off taskbar thumbnails | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | TaskbarNoThumbnail | +| ADMX File Name | Taskbar.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 16255c4155..7800785cd6 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -1,483 +1,540 @@ --- -title: Policy CSP - ADMX_tcpip -description: Learn about Policy CSP - ADMX_tcpip. +title: ADMX_tcpip Policy CSP +description: Learn more about the ADMX_tcpip Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_tcpip -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_tcpip policies + + + -
    -
    - ADMX_tcpip/6to4_Router_Name -
    -
    - ADMX_tcpip/6to4_Router_Name_Resolution_Interval -
    -
    - ADMX_tcpip/6to4_State -
    -
    - ADMX_tcpip/IPHTTPS_ClientState -
    -
    - ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State -
    -
    - ADMX_tcpip/ISATAP_Router_Name -
    -
    - ADMX_tcpip/ISATAP_State -
    -
    - ADMX_tcpip/Teredo_Client_Port -
    -
    - ADMX_tcpip/Teredo_Default_Qualified -
    -
    - ADMX_tcpip/Teredo_Refresh_Rate -
    -
    - ADMX_tcpip/Teredo_Server_Name -
    -
    - ADMX_tcpip/Teredo_State -
    -
    - ADMX_tcpip/Windows_Scaling_Heuristics_State -
    -
    + +## 6to4_Router_Name + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/6to4_Router_Name +``` + - -**ADMX_tcpip/6to4_Router_Name** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify a relay name for a 6to4 host. If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. + - + + + - -ADMX Info: -- GP Friendly name: *Set 6to4 Relay Name* -- GP name: *6to4_Router_Name* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/6to4_Router_Name_Resolution_Interval** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | 6to4_Router_Name | +| Friendly Name | Set 6to4 Relay Name | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## 6to4_Router_Name_Resolution_Interval -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/6to4_Router_Name_Resolution_Interval +``` + + + + This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. If you disable or do not configure this policy setting, the local host setting is used. + - + + + - -ADMX Info: -- GP Friendly name: *Set 6to4 Relay Name Resolution Interval* -- GP name: *6to4_Router_Name_Resolution_Interval* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/6to4_State** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | 6to4_Router_Name_Resolution_Interval | +| Friendly Name | Set 6to4 Relay Name Resolution Interval | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## 6to4_State -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/6to4_State +``` + + + + This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not configure this policy setting, the local host setting is used. If you enable this policy setting, you can configure 6to4 with one of the following settings: -- Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available. -- Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface. -- Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. +Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available. - +Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If no global IPv4 address is present, the host will not have a 6to4 interface. - -ADMX Info: -- GP Friendly name: *Set 6to4 State* -- GP name: *6to4_State* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available. + - - -
    + + + - -**ADMX_tcpip/IPHTTPS_ClientState** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | 6to4_State | +| Friendly Name | Set 6to4 State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## IP_Stateless_Autoconfiguration_Limits_State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State +``` + + + + +This policy setting allows you to configure IP Stateless Autoconfiguration Limits. + +If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. + +If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IP_Stateless_Autoconfiguration_Limits_State | +| Friendly Name | Set IP Stateless Autoconfiguration Limits State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > Parameters | +| Registry Key Name | System\CurrentControlSet\Services\Tcpip\Parameters | +| Registry Value Name | EnableIPAutoConfigurationLimits | +| ADMX File Name | tcpip.admx | + + + + + + + + + +## IPHTTPS_ClientState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/IPHTTPS_ClientState +``` + + + + This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: -- Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. -- Policy Enabled State: The IP-HTTPS interface is always present, even if the host has other connectiv-ity options. -- Policy Disabled State: No IP-HTTPS interfaces are present on the host. +Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. - +Policy Enabled State: The IP-HTTPS interface is always present, even if the host has other connectivity options. - -ADMX Info: -- GP Friendly name: *Set IP-HTTPS State* -- GP name: *IPHTTPS_ClientState* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Policy Disabled State: No IP-HTTPS interfaces are present on the host. + - - -
    + + + - -**ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | IPHTTPS_ClientState | +| Friendly Name | Set IP-HTTPS State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface | +| ADMX File Name | tcpip.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - -This policy setting allows you to configure IP Stateless Autoconfiguration Limits. + +## ISATAP_Router_Name -If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/ISATAP_Router_Name +``` + - - - -ADMX Info: -- GP Friendly name: *Set IP Stateless Autoconfiguration Limits State* -- GP name: *IP_Stateless_Autoconfiguration_Limits_State* -- GP path: *Network\TCPIP Settings\Parameters* -- GP ADMX file name: *tcpip.admx* - - - -
    - - -**ADMX_tcpip/ISATAP_Router_Name** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. If you disable or do not configure this policy setting, the local host setting is used. + - + + + - -ADMX Info: -- GP Friendly name: *Set ISATAP Router Name* -- GP name: *ISATAP_Router_Name* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/ISATAP_State** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ISATAP_Router_Name | +| Friendly Name | Set ISATAP Router Name | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ISATAP_State -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/ISATAP_State +``` + + + + This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. If you disable or do not configure this policy setting, the local host setting is used. If you enable this policy setting, you can configure ISATAP with one of the following settings: -- Policy Default State: No ISATAP interfaces are present on the host. -- Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local address. -- Policy Disabled State: No ISATAP interfaces are present on the host. +Policy Default State: No ISATAP interfaces are present on the host. - +Policy Enabled State: If the ISATAP name is resolved successfully, the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISATAP name is not resolved successfully, the host will have an ISATAP interface configured with a link-local address. - -ADMX Info: -- GP Friendly name: *Set ISATAP State* -- GP name: *ISATAP_State* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Policy Disabled State: No ISATAP interfaces are present on the host. + - - -
    + + + - -**ADMX_tcpip/Teredo_Client_Port** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | ISATAP_State | +| Friendly Name | Set ISATAP State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## Teredo_Client_Port + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Client_Port +``` + + + + This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. If you enable this policy setting, you can customize a UDP port for the Teredo client. If you disable or do not configure this policy setting, the local host setting is used. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Client Port* -- GP name: *Teredo_Client_Port* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_Default_Qualified** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Client_Port | +| Friendly Name | Set Teredo Client Port | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_Default_Qualified -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Default_Qualified +``` + + + + This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure this policy setting, the local host setting is used. @@ -485,218 +542,298 @@ If you disable or do not configure this policy setting, the local host setting i This policy setting contains only one state: Policy Enabled State: If Default Qualified is enabled, Teredo will attempt qualification immediately and remain qualified if the qualification process succeeds. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Default Qualified* -- GP name: *Teredo_Default_Qualified* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_Refresh_Rate** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Default_Qualified | +| Friendly Name | Set Teredo Default Qualified | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_Refresh_Rate -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Refresh_Rate +``` + + + + This policy setting allows you to configure the Teredo refresh rate. -> [!NOTE] -> On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. +Note: On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. -If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. +If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Refresh Rate* -- GP name: *Teredo_Refresh_Rate* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_Server_Name** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Refresh_Rate | +| Friendly Name | Set Teredo Refresh Rate | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_Server_Name -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_Server_Name +``` + + + + This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. + - + + + - -ADMX Info: -- GP Friendly name: *Set Teredo Server Name* -- GP name: *Teredo_Server_Name* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_tcpip/Teredo_State** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Teredo_Server_Name | +| Friendly Name | Set Teredo Server Name | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Teredo_State -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Teredo_State +``` + + + + This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. If you enable this policy setting, you can configure Teredo with one of the following settings: -- Default: The default state is "Client." -- Disabled: No Teredo interfaces are present on the host. -- Client: The Teredo interface is present only when the host is not on a network that includes a domain controller. -- Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. +Default: The default state is "Client." - +Disabled: No Teredo interfaces are present on the host. - -ADMX Info: -- GP Friendly name: *Set Teredo State* -- GP name: *Teredo_State* -- GP path: *Network\TCPIP Settings\IPv6 Transition Technologies* -- GP ADMX file name: *tcpip.admx* +Client: The Teredo interface is present only when the host is not on a network that includes a domain controller. - - -
    +Enterprise Client: The Teredo interface is always present, even if the host is on a network that includes a domain controller. + - -**ADMX_tcpip/Windows_Scaling_Heuristics_State** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | Teredo_State | +| Friendly Name | Set Teredo State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > IPv6 Transition Technologies | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | tcpip.admx | + -
    + + + - - + + + +## Windows_Scaling_Heuristics_State + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_tcpip/Windows_Scaling_Heuristics_State +``` + + + + This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure this policy setting, the local host settings are used. If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectivity and throughput problems and take appropriate measures. -If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems caused by Firewalls or other middle boxes. +If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems casued by Firewalls or other middle boxes. + - + + + - -ADMX Info: -- GP Friendly name: *Set Window Scaling Heuristics State* -- GP name: *Windows_Scaling_Heuristics_State* -- GP path: *Network\TCPIP Settings\Parameters* -- GP ADMX file name: *tcpip.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | Windows_Scaling_Heuristics_State | +| Friendly Name | Set Window Scaling Heuristics State | +| Location | Computer Configuration | +| Path | Network > TCPIP Settings > Parameters | +| Registry Key Name | System\CurrentControlSet\Services\Tcpip\Parameters | +| Registry Value Name | EnableWsd | +| ADMX File Name | tcpip.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From f7233e4ab0cdeb77bc9e29de6178ca87c2785762 Mon Sep 17 00:00:00 2001 From: Nick White <104782157+nicholasswhite@users.noreply.github.com> Date: Wed, 4 Jan 2023 16:50:15 -0500 Subject: [PATCH 104/152] ADMX_Logon policy review --- .../mdm/policy-csp-admx-logon.md | 1484 +++++++++-------- 1 file changed, 817 insertions(+), 667 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 636ace2a3b..02114530b3 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1,867 +1,1017 @@ --- -title: Policy CSP - ADMX_Logon -description: Learn about Policy CSP - ADMX_Logon. +title: ADMX_Logon Policy CSP +description: Learn more about the ADMX_Logon Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/03/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Logon ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Logon policies + +## BlockUserFromShowingAccountDetailsOnSignin -
    -
    - ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin -
    -
    - ADMX_Logon/DisableAcrylicBackgroundOnLogon -
    -
    - ADMX_Logon/DisableExplorerRunLegacy_1 -
    -
    - ADMX_Logon/DisableExplorerRunLegacy_2 -
    -
    - ADMX_Logon/DisableExplorerRunOnceLegacy_1 -
    -
    - ADMX_Logon/DisableExplorerRunOnceLegacy_2 -
    -
    - ADMX_Logon/DisableStatusMessages -
    -
    - ADMX_Logon/DontEnumerateConnectedUsers -
    -
    - ADMX_Logon/NoWelcomeTips_1 -
    -
    - ADMX_Logon/NoWelcomeTips_2 -
    -
    - ADMX_Logon/Run_1 -
    -
    - ADMX_Logon/Run_2 -
    -
    - ADMX_Logon/SyncForegroundPolicy -
    -
    - ADMX_Logon/UseOEMBackground -
    -
    - ADMX_Logon/VerboseStatus -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin +``` + -
    - - -**ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy prevents the user from showing account details (email address or user name) on the sign-in screen. -If you enable this policy setting, the user can't choose to show account details on the sign-in screen. +If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. -If you disable or don't configure this policy setting, the user may choose to show account details on the sign-in screen. +If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. + - + + + - -ADMX Info: -- GP Friendly name: *Block user from showing account details on sign-in* -- GP name: *BlockUserFromShowingAccountDetailsOnSignin* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableAcrylicBackgroundOnLogon** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | BlockUserFromShowingAccountDetailsOnSignin | +| Friendly Name | Block user from showing account details on sign-in | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | BlockUserFromShowingAccountDetailsOnSignin | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableAcrylicBackgroundOnLogon -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableAcrylicBackgroundOnLogon +``` + + + + This policy setting disables the acrylic blur effect on logon background image. If you enable this policy, the logon background image shows without blur. +If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. + -If you disable or don't configure this policy, the logon background image adopts the acrylic blur effect. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Show clear logon background* -- GP name: *DisableAcrylicBackgroundOnLogon* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Logon/DisableExplorerRunLegacy_1** +| Name | Value | +|:--|:--| +| Name | DisableAcrylicBackgroundOnLogon | +| Friendly Name | Show clear logon background | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DisableAcrylicBackgroundOnLogon | +| ADMX File Name | Logon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableExplorerRunLegacy_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunLegacy_2 +``` + -
    - - - + + This policy setting ignores the customized run list. -These programs are added to the standard run list of programs and services that the system starts. +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -> [!NOTE] -> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. +Note: To create a customized run list by using a policy setting, use the ""Run these applications at startup"" policy setting. - +Also, see the ""Do not process the run once list"" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Do not process the legacy run list* -- GP name: *DisableExplorerRunLegacy_1* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableExplorerRunLegacy_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunLegacy | +| Friendly Name | Do not process the legacy run list | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableLocalMachineRun | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableExplorerRunOnceLegacy_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting ignores the customized run list. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunOnceLegacy_2 +``` + -These programs are added to the standard run list of programs and services that the system starts. - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - -> [!NOTE] -> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting. - - - - - -ADMX Info: -- GP Friendly name: *Do not process the legacy run list* -- GP name: *DisableExplorerRunLegacy_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* - - - -
    - - -**ADMX_Logon/DisableExplorerRunOnceLegacy_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting ignores customized run-once lists. -You can create a customized list of other programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. If you enable this policy setting, the system ignores the run-once list. -If you disable or don't configure this policy setting, the system runs the programs in the run-once list. +If you disable or do not configure this policy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -> [!NOTE] -> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. +Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. - +Also, see the ""Do not process the legacy run list"" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Do not process the run once list* -- GP name: *DisableExplorerRunOnceLegacy_1* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/DisableExplorerRunOnceLegacy_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunOnceLegacy | +| Friendly Name | Do not process the run once list | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableLocalMachineRunOnce | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableStatusMessages -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting ignores customized run-once lists. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableStatusMessages +``` + -You can create a customized list of other programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. - -If you enable this policy setting, the system ignores the run-once list. - -If you disable or don't configure this policy setting, the system runs the programs in the run-once list. - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - -> [!NOTE] -> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting. - - - - - -ADMX Info: -- GP Friendly name: *Do not process the run once list* -- GP name: *DisableExplorerRunOnceLegacy_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* - - - -
    - - -**ADMX_Logon/DisableStatusMessages** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting suppresses system status messages. -If you enable this setting, the system doesn't display a message reminding users to wait while their system starts or shuts down, or while users sign in or sign out. +If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. -If you disable or don't configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users sign in or sign out. +If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Boot / Shutdown / Logon / Logoff status messages* -- GP name: *DisableStatusMessages* -- GP path: *System* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Logon/DontEnumerateConnectedUsers** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableStatusMessages | +| Friendly Name | Remove Boot / Shutdown / Logon / Logoff status messages | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DisableStatusMessages | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DontEnumerateConnectedUsers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/DontEnumerateConnectedUsers +``` + - - + + This policy setting prevents connected users from being enumerated on domain-joined computers. -If you enable this policy setting, the Logon UI won't enumerate any connected users on domain-joined computers. +If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. -If you disable or don't configure this policy setting, connected users will be enumerated on domain-joined computers. +If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not enumerate connected users on domain-joined computers* -- GP name: *DontEnumerateConnectedUsers* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Logon/NoWelcomeTips_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DontEnumerateConnectedUsers | +| Friendly Name | Do not enumerate connected users on domain-joined computers | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DontEnumerateConnectedUsers | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWelcomeTips_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/NoWelcomeTips_2 +``` + - - -This policy setting hides the welcome screen that is displayed on Windows each time the user logs on. + + +This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. -Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. +Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welcome"" in the Run dialog box. -If you disable or don't configure this policy, the welcome screen is displayed each time a user signs in to the computer. +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. -This setting applies only to Windows. It doesn't affect the "Configure Your Server on a Windows Server" screen on Windows Server. +This setting applies only to Windows 2000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server. -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click ""Getting Started."" To suppress the welcome screen without specifying a setting, clear the ""Show this screen at startup"" check box on the welcome screen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NoWelcomeTips | +| Friendly Name | Do not display the Getting Started welcome screen at logon | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWelcomeScreen | +| ADMX File Name | Logon.admx | + - -ADMX Info: -- GP Friendly name: *Do not display the Getting Started welcome screen at logon* -- GP name: *NoWelcomeTips_1* -- GP path: *System* -- GP ADMX file name: *Logon.admx* + + + - - + -
    + +## Run_2 - -**ADMX_Logon/NoWelcomeTips_2** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/Run_2 +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting hides the welcome screen that is displayed on Windows each time the user logs on. - -If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. - -Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. - -If you disable or don't configure this policy, the welcome screen is displayed each time a user signs in to the computer. This setting applies only to Windows. It doesn't affect the "Configure Your Server on a Windows Server" screen on Windows Server. - -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -> [!TIP] -> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. - - - - - -ADMX Info: -- GP Friendly name: *Do not display the Getting Started welcome screen at logon* -- GP name: *NoWelcomeTips_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* - - - -
    - - -**ADMX_Logon/Run_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting specifies other programs or documents that Windows starts automatically when a user signs in to the system. - -If you enable this policy setting, you can specify which programs can run at the time the user signs in to this computer that has this policy applied. +If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. -If you disable or don't configure this policy setting, the user will have to start the appropriate programs after signing in. +If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. +Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. -Also, see the "Do not process the legacy run list" and the "don't process the run once list" settings. +Also, see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run these programs at user logon* -- GP name: *Run_1* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Logon/Run_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run | +| Friendly Name | Run these programs at user logon | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | Logon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SyncForegroundPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/SyncForegroundPolicy +``` + - - -This policy setting specifies other programs or documents that Windows starts automatically when a user signs in to the system. + + +This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. -If you enable this policy setting, you can specify which programs can run at the time the user signs in to this computer that has this policy applied. +Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. -To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. +If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized. -If you disable or don't configure this policy setting, the user will have to start the appropriate programs after signing in. - -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. - -Also, see the "Do not process the legacy run list" and the "don't process the run once list" settings. - - - - - - -ADMX Info: -- GP Friendly name: *Run these programs at user logon* -- GP name: *Run_2* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* - - - -
    - - -**ADMX_Logon/SyncForegroundPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in). By default, on client computers, Group Policy processing isn't synchronous; client computers typically don't wait for the network to be fully initialized at startup and sign in. Existing users are signed in using cached credentials, which results in shorter sign-in times. Group Policy is applied in the background after the network becomes available. - -Because this process (of applying Group Policy) is a background refresh, extensions such as Software Installation and Folder Redirection take two sign-ins to apply changes. To be able to operate safely, these extensions require that no users be signed in. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script may take up to two sign-ins to be detected. - -If a user with a roaming profile, home directory, or user object logon script signs in to a computer, computers always wait for the network to be initialized before signing in the user. If a user has never signed in to this computer before, computers always wait for the network to be initialized. - -If you enable this policy setting, computers wait for the network to be fully initialized before users are signed in. Group Policy is applied in the foreground, synchronously. +If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). -If the server is configured as follows, this policy setting takes effect during Group Policy processing at user sign in: +If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon: +• The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and +• The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. -- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and -- The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\\. +If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). -If this configuration isn't implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user sign in is synchronous (these servers wait for the network to be initialized during user sign in). +If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. -If you disable or don't configure this policy setting and users sign in to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically doesn't wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. +Notes: +-If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. +-If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. + -> [!NOTE] -> -> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one sign in, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. -> - If Folder Redirection policy will apply during the next sign in, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Always wait for the network at computer startup and logon* -- GP name: *SyncForegroundPolicy* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Logon/UseOEMBackground** +| Name | Value | +|:--|:--| +| Name | SyncForegroundPolicy | +| Friendly Name | Always wait for the network at computer startup and logon | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon | +| Registry Value Name | SyncForegroundPolicy | +| ADMX File Name | Logon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UseOEMBackground - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/UseOEMBackground +``` + -
    - - - + + This policy setting ignores Windows Logon Background. -This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the sign-in screen always attempts to load a custom background instead of the Windows-branded logon background. +This policy setting may be used to make Windows give preference to a custom logon background. -If you disable or don't configure this policy setting, Windows uses the default Windows logon background or custom background. +If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. - +If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. + + + + - -ADMX Info: -- GP Friendly name: *Always use custom logon background* -- GP name: *UseOEMBackground* -- GP path: *System\Logon* -- GP ADMX file name: *Logon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Logon/VerboseStatus** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | UseOEMBackground | +| Friendly Name | Always use custom logon background | +| Location | Computer Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | UseOEMBackground | +| ADMX File Name | Logon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## VerboseStatus -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Logon/VerboseStatus +``` + + + + This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced users who require this information. If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. -If you disable or don't configure this policy setting, only the default status messages are displayed to the user during these processes. +If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes. -> [!NOTE] -> This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. +Note: This policy setting is ignored if the ""Remove Boot/Shutdown/Logon/Logoff status messages"" policy setting is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display highly detailed status messages* -- GP name: *VerboseStatus* -- GP path: *System* -- GP ADMX file name: *Logon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | VerboseStatus | +| Friendly Name | Display highly detailed status messages | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | VerboseStatus | +| ADMX File Name | Logon.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + +## DisableExplorerRunLegacy_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunLegacy_1 +``` + + + + +This policy setting ignores the customized run list. + +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +Note: To create a customized run list by using a policy setting, use the ""Run these applications at startup"" policy setting. + +Also, see the ""Do not process the run once list"" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunLegacy | +| Friendly Name | Do not process the legacy run list | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableCurrentUserRun | +| ADMX File Name | Logon.admx | + + + + + + + + + +## DisableExplorerRunOnceLegacy_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunOnceLegacy_1 +``` + + + + +This policy setting ignores customized run-once lists. + +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. + +If you enable this policy setting, the system ignores the run-once list. + +If you disable or do not configure this policy setting, the system runs the programs in the run-once list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. + +Also, see the ""Do not process the legacy run list"" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunOnceLegacy | +| Friendly Name | Do not process the run once list | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableCurrentUserRunOnce | +| ADMX File Name | Logon.admx | + + + + + + + + + +## NoWelcomeTips_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/NoWelcomeTips_1 +``` + + + + +This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. + +If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. + +Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welcome"" in the Run dialog box. + +If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. + +This setting applies only to Windows 2000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server. + +Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click ""Getting Started."" To suppress the welcome screen without specifying a setting, clear the ""Show this screen at startup"" check box on the welcome screen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoWelcomeTips | +| Friendly Name | Do not display the Getting Started welcome screen at logon | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWelcomeScreen | +| ADMX File Name | Logon.admx | + + + + + + + + + +## Run_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/Run_1 +``` + + + + +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. + +If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. + +To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. + +If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. + +Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. + +Also, see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run | +| Friendly Name | Run these programs at user logon | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | Logon.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 81afc20b340d86d4521ba14029705cb7e9176e7d Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:08:17 -0500 Subject: [PATCH 105/152] startmenu systemrestore tabletpcinputpanel --- .../mdm/policy-csp-admx-startmenu.md | 6173 +++++++++-------- .../mdm/policy-csp-admx-systemrestore.md | 130 +- .../mdm/policy-csp-admx-tabletpcinputpanel.md | 66 +- 3 files changed, 3562 insertions(+), 2807 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index aff23491ae..dfce165594 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,613 +1,1016 @@ --- -title: Policy CSP - ADMX_StartMenu -description: Learn about Policy CSP - ADMX_StartMenu. +title: ADMX_StartMenu Policy CSP +description: Learn more about the ADMX_StartMenu Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/20/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_StartMenu + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_StartMenu policies + +## HidePowerOptions -
    -
    - ADMX_StartMenu/AddSearchInternetLinkInStartMenu -
    -
    - ADMX_StartMenu/ClearRecentDocsOnExit -
    -
    - ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu -
    -
    - ADMX_StartMenu/ClearTilesOnExit -
    -
    - ADMX_StartMenu/DesktopAppsFirstInAppsView -
    -
    - ADMX_StartMenu/DisableGlobalSearchOnAppsView -
    -
    - ADMX_StartMenu/ForceStartMenuLogOff -
    -
    - ADMX_StartMenu/GoToDesktopOnSignIn -
    -
    - ADMX_StartMenu/GreyMSIAds -
    -
    - ADMX_StartMenu/HidePowerOptions -
    -
    - ADMX_StartMenu/Intellimenus -
    -
    - ADMX_StartMenu/LockTaskbar -
    -
    - ADMX_StartMenu/MemCheckBoxInRunDlg -
    -
    - ADMX_StartMenu/NoAutoTrayNotify -
    -
    - ADMX_StartMenu/NoBalloonTip -
    -
    - ADMX_StartMenu/NoChangeStartMenu -
    -
    - ADMX_StartMenu/NoClose -
    -
    - ADMX_StartMenu/NoCommonGroups -
    -
    - ADMX_StartMenu/NoFavoritesMenu -
    -
    - ADMX_StartMenu/NoFind -
    -
    - ADMX_StartMenu/NoGamesFolderOnStartMenu -
    -
    - ADMX_StartMenu/NoHelp -
    -
    - ADMX_StartMenu/NoInstrumentation -
    -
    - ADMX_StartMenu/NoMoreProgramsList -
    -
    - ADMX_StartMenu/NoNetAndDialupConnect -
    -
    - ADMX_StartMenu/NoPinnedPrograms -
    -
    - ADMX_StartMenu/NoRecentDocsMenu -
    -
    - ADMX_StartMenu/NoResolveSearch -
    -
    - ADMX_StartMenu/NoResolveTrack -
    -
    - ADMX_StartMenu/NoRun -
    -
    - ADMX_StartMenu/NoSMConfigurePrograms -
    -
    - ADMX_StartMenu/NoSMMyDocuments -
    -
    - ADMX_StartMenu/NoSMMyMusic -
    -
    - ADMX_StartMenu/NoSMMyNetworkPlaces -
    -
    - ADMX_StartMenu/NoSMMyPictures -
    -
    - ADMX_StartMenu/NoSearchCommInStartMenu -
    -
    - ADMX_StartMenu/NoSearchComputerLinkInStartMenu -
    -
    - ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu -
    -
    - ADMX_StartMenu/NoSearchFilesInStartMenu -
    -
    - ADMX_StartMenu/NoSearchInternetInStartMenu -
    -
    - ADMX_StartMenu/NoSearchProgramsInStartMenu -
    -
    - ADMX_StartMenu/NoSetFolders -
    -
    - ADMX_StartMenu/NoSetTaskbar -
    -
    - ADMX_StartMenu/NoStartMenuDownload -
    -
    - ADMX_StartMenu/NoStartMenuHomegroup -
    -
    - ADMX_StartMenu/NoStartMenuRecordedTV -
    -
    - ADMX_StartMenu/NoStartMenuSubFolders -
    -
    - ADMX_StartMenu/NoStartMenuVideos -
    -
    - ADMX_StartMenu/NoStartPage -
    -
    - ADMX_StartMenu/NoTaskBarClock -
    -
    - ADMX_StartMenu/NoTaskGrouping -
    -
    - ADMX_StartMenu/NoToolbarsOnTaskbar -
    -
    - ADMX_StartMenu/NoTrayContextMenu -
    -
    - ADMX_StartMenu/NoTrayItemsDisplay -
    -
    - ADMX_StartMenu/NoUninstallFromStart -
    -
    - ADMX_StartMenu/NoUserFolderOnStartMenu -
    -
    - ADMX_StartMenu/NoUserNameOnStartMenu -
    -
    - ADMX_StartMenu/NoWindowsUpdate -
    -
    - ADMX_StartMenu/PowerButtonAction -
    -
    - ADMX_StartMenu/QuickLaunchEnabled -
    -
    - ADMX_StartMenu/RemoveUnDockPCButton -
    -
    - ADMX_StartMenu/ShowAppsViewOnStart -
    -
    - ADMX_StartMenu/ShowRunAsDifferentUserInStart -
    -
    - ADMX_StartMenu/ShowRunInStartMenu -
    -
    - ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey -
    -
    - ADMX_StartMenu/StartMenuLogOff -
    -
    - ADMX_StartMenu/StartPinAppsWhenInstalled -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/HidePowerOptions +``` + + + + +This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. + +If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HidePowerOptions | +| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HidePowerOptions | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoChangeStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + + + + +This policy setting allows you to prevent users from changing their Start screen layout. + +If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. + +If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoChangeStartMenu | +| Friendly Name | Prevent users from customizing their Start Screen | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoMoreProgramsList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + + + + +If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. + +Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. + +Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. + +Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. + +If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoMoreProgramsList | +| Friendly Name | Remove All Programs list from the Start menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoRun + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + + + + +Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. + +If you enable this setting, the following changes occur: + +(1) The Run command is removed from the Start menu. + +(2) The New Task (Run) command is removed from Task Manager. + +(3) The user will be blocked from entering the following into the Internet Explorer Address Bar: + +--- A UNC path: \\``\\`` + +---Accessing local drives: e.g., C: + +--- Accessing local folders: e.g., \temp> + +Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. + +If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. -
    - -**ADMX_StartMenu/AddSearchInternetLinkInStartMenu** +Note:This setting affects the specified interface only. It does not prevent users from using other methods to run programs. - +Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * User + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | NoRun | +| Friendly Name | Remove Run menu from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRun | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSetTaskbar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + + + + +This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + +If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. + +If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. + +If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSetTaskbar | +| Friendly Name | Prevent changes to Taskbar and Start Menu Settings | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSetTaskbar | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoTrayContextMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + + + + +This policy setting allows you to remove access to the context menus for the taskbar. + +If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. + +If you disable or do not configure this policy setting, the context menus for the taskbar are available. + +This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoTrayContextMenu | +| Friendly Name | Remove access to the context menus for the taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTrayContextMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoUninstallFromStart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + + + + +If you enable this setting, users cannot uninstall apps from Start. + +If you disable this setting or do not configure it, users can access the uninstall command from Start + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoUninstallFromStart | +| Friendly Name | Prevent users from uninstalling applications from Start | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUninstallFromStart | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## StartPinAppsWhenInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + + + + +This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | StartPinAppsWhenInstalled | +| Friendly Name | Pin Apps to Start when installed | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | StartPinAppsWhenInstalled | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## AddSearchInternetLinkInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/AddSearchInternetLinkInStartMenu +``` + + + + If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. -If you disable this policy, there won't be a "Search the Internet" link when the user performs a search in the start menu search box. +If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. -If you don't configure this policy (default), there won't be a "Search the Internet" link on the start menu. +If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add Search Internet link to Start Menu* -- GP name: *AddSearchInternetLinkInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/ClearRecentDocsOnExit** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AddSearchInternetLinkInStartMenu | +| Friendly Name | Add Search Internet link to Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | AddSearchInternetLinkInStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClearRecentDocsOnExit -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ClearRecentDocsOnExit +``` + - - -This policy setting clears history of recently opened documents on exit. + + +Clear history of recently opened documents on exit. -If you enable this setting, the system deletes shortcuts to recently used document files when the user signs out. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user signs out. +If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. -If you disable or don't configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. +If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. -> [!NOTE] -> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. +Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected. -This setting doesn't clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting. +This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting. -This policy setting also doesn't hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. +This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. -This policy also doesn't clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. +This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Clear history of recently opened documents on exit* -- GP name: *ClearRecentDocsOnExit* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClearRecentDocsOnExit | +| Friendly Name | Clear history of recently opened documents on exit | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClearRecentDocsOnExit | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClearRecentProgForNewUserInStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu +``` + - - + + If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. -If you disable or don't configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. +If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Clear the recent programs list for new users* -- GP name: *ClearRecentProgForNewUserInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/ClearTilesOnExit** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClearRecentProgForNewUserInStartMenu | +| Friendly Name | Clear the recent programs list for new users | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClearRecentProgForNewUserInStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ClearTilesOnExit -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ClearTilesOnExit +``` + - - + + If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. -If you disable or don't configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. +If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. -This setting doesn't prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. +This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Clear tile notifications during log on* -- GP name: *ClearTilesOnExit* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/DesktopAppsFirstInAppsView** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ClearTilesOnExit | +| Friendly Name | Clear tile notifications during log on | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ClearTilesOnExit | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DesktopAppsFirstInAppsView -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/DesktopAppsFirstInAppsView +``` + - - + + This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *List desktop apps first in the Apps view* -- GP name: *DesktopAppsFirstInAppsView* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/DisableGlobalSearchOnAppsView** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DesktopAppsFirstInAppsView | +| Friendly Name | List desktop apps first in the Apps view | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DesktopAppsFirstInAppsView | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableGlobalSearchOnAppsView -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/DisableGlobalSearchOnAppsView +``` + - - -This policy setting prevents the user from searching apps, files and settings (and the web if enabled) when the user searches from the Apps view. + + +This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. If you enable this policy setting, searching from the Apps view will only search the list of installed apps. If you disable or don’t configure this policy setting, the user can configure this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Search just apps from the Apps view* -- GP name: *DisableGlobalSearchOnAppsView* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/ForceStartMenuLogOff** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableGlobalSearchOnAppsView | +| Friendly Name | Search just apps from the Apps view | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableGlobalSearchOnAppsView | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ForceStartMenuLogOff -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ForceStartMenuLogOff +``` + - - -This policy only applies to the classic version of the start menu and doesn't affect the new style start menu. + + +This policy only applies to the classic version of the start menu and does not affect the new style start menu. Adds the "Log Off ``" item to the Start menu and prevents users from removing it. -If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users can't remove the Log Off `` item from the Start Menu. +If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. -If you disable this setting or don't configure it, users can use the Display Logoff item to add and remove the Log Off item. +If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. -This setting affects the Start menu only. It doesn't affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. +This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. -> [!NOTE] -> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. +Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add Logoff to the Start Menu* -- GP name: *ForceStartMenuLogOff* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/GoToDesktopOnSignIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForceStartMenuLogOff | +| Friendly Name | Add Logoff to the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceStartMenuLogOff | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GoToDesktopOnSignIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/GoToDesktopOnSignIn +``` + - - + + This policy setting allows users to go to the desktop instead of the Start screen when they sign in. If you enable this policy setting, users will always go to the desktop when they sign in. @@ -615,298 +1018,313 @@ If you enable this policy setting, users will always go to the desktop when they If you disable this policy setting, users will always go to the Start screen when they sign in. If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Go to the desktop instead of Start when signing in* -- GP name: *GoToDesktopOnSignIn* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/GreyMSIAds** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | GoToDesktopOnSignIn | +| Friendly Name | Go to the desktop instead of Start when signing in | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | GoToDesktopOnSignIn | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## GreyMSIAds -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/GreyMSIAds +``` + - - + + Displays Start menu shortcuts to partially installed programs in gray text. -This setting makes it easier for users to distinguish between programs that are fully installed and those programs that are only partially installed. +This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. -Partially installed programs include those programs that a system administrator assigns using Windows Installer and those programs that users have configured for full installation upon first use. +Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. -If you disable this setting or don't configure it, all Start menu shortcuts appear as black text. +If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. -> [!NOTE] -> Enabling this setting can make the Start menu slow to open. +Note: Enabling this setting can make the Start menu slow to open. + - -> + + + - -ADMX Info: -- GP Friendly name: *Gray unavailable Windows Installer programs Start Menu shortcuts* -- GP name: *GreyMSIAds* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/HidePowerOptions** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | GreyMSIAds | +| Friendly Name | Gray unavailable Windows Installer programs Start Menu shortcuts | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | GreyMSIAds | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Intellimenus -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents users from performing the following commands from the Windows security screen, the sign-in screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting doesn't prevent users from running Windows-based programs that perform these functions. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/Intellimenus +``` + -If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the sign in screen. + + +Disables personalized menus. -If you disable or don't configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and sign-in screens is also available. +Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. - +If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. +Note: Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. - -ADMX Info: -- GP Friendly name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* -- GP name: *HidePowerOptions* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +Tip: To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. + - - -
    + + + - -**ADMX_StartMenu/Intellimenus** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | Intellimenus | +| Friendly Name | Turn off personalized menus | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | Intellimenus | +| ADMX File Name | StartMenu.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - -This policy seting disables personalized menus. + +## LockTaskbar -Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that haven't been used recently. Users can display the hidden items by clicking an arrow to extend the menu. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this setting, the system doesn't personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users don't try to change the setting while a setting is in effect. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/LockTaskbar +``` + -> [!NOTE] -> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. - -To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. - - - - - -ADMX Info: -- GP Friendly name: *Turn off personalized menus* -- GP name: *Intellimenus* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/LockTaskbar** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This setting affects the taskbar, which is used to switch between running applications. -The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it's locked, it can't be moved or resized. +The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. -If you disable this setting or don't configure it, the user can configure the taskbar position. +If you disable this setting or do not configure it, the user can configure the taskbar position. -> [!NOTE] -> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user can't show and hide various toolbars using the taskbar context menu. +Note: Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Lock the Taskbar* -- GP name: *LockTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/MemCheckBoxInRunDlg** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LockTaskbar | +| Friendly Name | Lock the Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | LockTaskbar | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MemCheckBoxInRunDlg -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/MemCheckBoxInRunDlg +``` + - - -This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. + + +Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. -All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and can't run simultaneously. +All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously. -Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The extra check box is enabled only when a user enters a 16-bit program in the Run dialog box. +Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add "Run in Separate Memory Space" check box to Run dialog box* -- GP name: *MemCheckBoxInRunDlg* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoAutoTrayNotify** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MemCheckBoxInRunDlg | +| Friendly Name | Add "Run in Separate Memory Space" check box to Run dialog box | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | MemCheckBoxInRunDlg | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoAutoTrayNotify -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoAutoTrayNotify +``` + - - + + This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." @@ -915,547 +1333,564 @@ If you enable this setting, the system notification area expands to show all of If you disable this setting, the system notification area will always collapse notifications. -If you don't configure it, the user can choose if they want notifications collapsed. +If you do not configure it, the user can choose if they want notifications collapsed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off notification area cleanup* -- GP name: *NoAutoTrayNotify* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoBalloonTip** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoAutoTrayNotify | +| Friendly Name | Turn off notification area cleanup | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoAutoTrayNotify | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoBalloonTip -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoBalloonTip +``` + - - -This policy setting hides pop-up text on the Start menu and in the notification area. + + +Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. -If you enable this setting, some of this pop-up text isn't displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. +If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. -If you disable this setting or don't configure it, all pop-up text is displayed on the Start menu and in the notification area. +If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Balloon Tips on Start Menu items* -- GP name: *NoBalloonTip* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoChangeStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoBalloonTip | +| Friendly Name | Remove Balloon Tips on Start Menu items | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMBalloonTip | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoClose -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoClose +``` + - - -This policy setting allows you to prevent users from changing their Start screen layout. - -If you enable this setting, you'll prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. - -If you disable or don't configure this setting, you'll allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. - - - - - -ADMX Info: -- GP Friendly name: *Prevent users from customizing their Start Screen* -- GP name: *NoChangeStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoClose** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting doesn't prevent users from running Windows-based programs that perform these functions. + + +This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. -If you disable or don't configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. +If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. -> [!NOTE] -> Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. +Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* -- GP name: *NoClose* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoCommonGroups** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoClose | +| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoClose | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoCommonGroups -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoCommonGroups +``` + - - -This policy setting removes items in the All Users profile from the Programs menu on the Start menu. + + +Removes items in the All Users profile from the Programs menu on the Start menu. By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. -To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. +Tip: To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove common program groups from Start Menu* -- GP name: *NoCommonGroups* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoFavoritesMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoCommonGroups | +| Friendly Name | Remove common program groups from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoCommonGroups | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoFavoritesMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoFavoritesMenu +``` + - - -This policy setting prevents users from adding the Favorites menu to the Start menu or classic Start menu. + + +Prevents users from adding the Favorites menu to the Start menu or classic Start menu. -If you enable this setting, the Display Favorites item doesn't appear in the Advanced Start menu options box. +If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. -If you disable or don't configure this setting, the Display Favorite item is available. +If you disable or do not configure this setting, the Display Favorite item is available. -> [!NOTE] -> The Favorites menu doesn't appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. -> -> The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. -> -> This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. +Note:The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. - +Note:The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. +Note:This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. + - -ADMX Info: -- GP Friendly name: *Remove Favorites menu from Start Menu* -- GP name: *NoFavoritesMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_StartMenu/NoFind** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoFavoritesMenu | +| Friendly Name | Remove Favorites menu from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFavoritesMenu | +| ADMX File Name | StartMenu.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoFind - - -This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. This policy setting doesn't remove the search box from the new style Start menu. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system doesn't respond when users press the Application key (the key with the Windows logo)+ F. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoFind +``` + -> [!NOTE] -> Enabling this policy setting also prevents the user from using the F3 key. + + +This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. -In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system doesn't respond when the user presses Ctrl+F. Also, Search doesn't appear in the context menu when you right-click an icon representing a drive or a folder. +**Note** that this does not remove the search box from the new style Start menu. -This policy setting affects the specified user interface elements only. It doesn't affect Internet Explorer and doesn't prevent the user from using other methods to search. +If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. -If you disable or don't configure this policy setting, the Search link is available from the Start menu. +Note: Enabling this policy setting also prevents the user from using the F3 key. - +In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. +This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. - -ADMX Info: -- GP Friendly name: *Remove Search link from Start Menu* -- GP name: *NoFind* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +If you disable or do not configure this policy setting, the Search link is available from the Start menu. + - - -
    + + + - -**ADMX_StartMenu/NoGamesFolderOnStartMenu** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoFind | +| Friendly Name | Remove Search link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoFind | +| ADMX File Name | StartMenu.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - -If you enable this policy, the start menu won't show a link to the Games folder. + +## NoGamesFolderOnStartMenu -If you disable or don't configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoGamesFolderOnStartMenu +``` + + + +If you enable this policy the start menu will not show a link to the Games folder. - -ADMX Info: -- GP Friendly name: *Remove Games link from Start Menu* -- GP name: *NoGamesFolderOnStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. + - - -
    + + + - -**ADMX_StartMenu/NoHelp** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NoGamesFolderOnStartMenu | +| Friendly Name | Remove Games link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuMyGames | +| ADMX File Name | StartMenu.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## NoHelp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoHelp +``` + + + + This policy setting allows you to remove the Help command from the Start menu. If you enable this policy setting, the Help command is removed from the Start menu. -If you disable or don't configure this policy setting, the Help command is available from the Start menu. +If you disable or do not configure this policy setting, the Help command is available from the Start menu. -This policy setting only affects the Start menu. It doesn't remove the Help menu from File Explorer and doesn't prevent users from running Help. +This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Help menu from Start Menu* -- GP name: *NoHelp* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoInstrumentation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoHelp | +| Friendly Name | Remove Help menu from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMHelp | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoInstrumentation -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoInstrumentation +``` + - - + + This policy setting allows you to turn off user tracking. -If you enable this policy setting, the system doesn't track the programs that the user runs, and doesn't display frequently used programs in the Start Menu. +If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. -If you disable or don't configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. +If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. -Also, see these related policy settings: "Remove frequent programs list from the Start Menu" and "Turn off personalized menus". +Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". -This policy setting doesn't prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. +This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off user tracking* -- GP name: *NoInstrumentation* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoMoreProgramsList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInstrumentation | +| Friendly Name | Turn off user tracking | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInstrumentation | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoNetAndDialupConnect -> [!div class = "checklist"] -> * User -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoNetAndDialupConnect +``` + - - -If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. - -Selecting "Collapse" won't display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This selection of collapse is equivalent to setting the "Show app list in Start" in Settings to Off. - -Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users can't turn it to On. - -Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users can't turn it to On. Select this option for compatibility with earlier versions of Windows. - -If you disable or don't configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. - - - - - -ADMX Info: -- GP Friendly name: *Remove All Programs list from the Start menu* -- GP name: *NoMoreProgramsList* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoNetAndDialupConnect** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to remove Network Connections from the Start Menu. If you enable this policy setting, users are prevented from running Network Connections. @@ -1464,2070 +1899,2316 @@ Enabling this policy setting prevents the Network Connections folder from openin Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. -If you disable or don't configure this policy setting, Network Connections is available from the Start Menu. +If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Network Connections from Start Menu* -- GP name: *NoNetAndDialupConnect* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoPinnedPrograms** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoNetAndDialupConnect | +| Friendly Name | Remove Network Connections from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoNetworkConnections | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoPinnedPrograms -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoPinnedPrograms +``` + - - -If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users can't pin programs to the Start menu. + + +If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. -If you disable this setting or don't configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. +If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove pinned programs list from the Start Menu* -- GP name: *NoPinnedPrograms* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoRecentDocsMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoPinnedPrograms | +| Friendly Name | Remove pinned programs list from the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuPinnedList | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoRecentDocsMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRecentDocsMenu +``` + - - -This policy setting removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. + + +Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. -If you enable this setting, the system saves document shortcuts but doesn't display the Recent Items menu in the Start Menu, and users can't turn on the menu. +If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. -When the setting is disabled, the Recent Items menu appears in the Start Menu, and users can't remove it. +When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. -If the setting isn't configured, users can turn the Recent Items menu on and off. +If the setting is not configured, users can turn the Recent Items menu on and off. -> [!NOTE] -> This setting doesn't prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. +Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. -This setting also doesn't hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. +This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Recent Items menu from Start Menu* -- GP name: *NoRecentDocsMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoResolveSearch** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoRecentDocsMenu | +| Friendly Name | Remove Recent Items menu from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRecentDocsMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoResolveSearch -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoResolveSearch +``` + - - + + This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. -If you enable this policy setting, the system doesn't conduct the final drive search. It just displays a message explaining that the file isn't found. +If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. -If you disable or don't configure this policy setting, by default, when the system can't find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path isn't correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. -> [!NOTE] -> This policy setting only applies to target files on NTFS partitions. FAT partitions don't have this ID tracking and search capability. +Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not use the search-based method when resolving shell shortcuts* -- GP name: *NoResolveSearch* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoResolveTrack** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoResolveSearch | +| Friendly Name | Do not use the search-based method when resolving shell shortcuts | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoResolveSearch | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoResolveTrack -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoResolveTrack +``` + - - + + This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. -If you enable this policy setting, the system doesn't try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. +If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. -If you disable or don't configure this policy setting, by default, when the system can't find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path isn't correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. -> [!NOTE] -> This policy setting only applies to target files on NTFS partitions. FAT partitions don't have this ID tracking and search capability. +Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. - - - - -ADMX Info: -- GP Friendly name: *Do not use the tracking-based method when resolving shell shortcuts* -- GP name: *NoResolveTrack* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoRun** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. - -If you enable this setting, the following changes occur: - -1. The Run command is removed from the Start menu. - -2. The New Task (Run) command is removed from Task Manager. - -3. The user will be blocked from entering the following into the Internet Explorer Address Bar: - - - A UNC path: `\\\` - - - Accessing local drives: for example, C: - - - Accessing local folders: for example, `\` - -Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. - -If you disable or don't configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. - -> [!NOTE] -> This setting affects the specified interface only. It doesn't prevent users from using other methods to run programs. -> -> It's a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. - - - - - -ADMX Info: -- GP Friendly name: *Remove Run menu from Start Menu* -- GP name: *NoRun* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSMConfigurePrograms** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove the Default Programs link from the Start menu. - -If you enable this policy setting, the Default Programs link is removed from the Start menu. - -Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. - -If you disable or don't configure this policy setting, the Default Programs link is available from the Start menu. - -> [!NOTE] -> This policy setting doesn't prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. - - - - - -ADMX Info: -- GP Friendly name: *Remove Default Programs link from the Start menu.* -- GP name: *NoSMConfigurePrograms* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSMMyDocuments** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove the Documents icon from the Start menu and its submenus. - -If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It doesn't prevent the user from using other methods to gain access to the contents of the Documents folder. - -> [!NOTE] -> To make changes to this policy setting effective, you must log off and then log on. - -If you disable or don't configure this policy setting, the Documents icon is available from the Start menu. - -Also, see the "Remove Documents icon on the desktop" policy setting. - - - - - -ADMX Info: -- GP Friendly name: *Remove Documents icon from Start Menu* -- GP name: *NoSMMyDocuments* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSMMyMusic** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove the Music icon from Start Menu. - -If you enable this policy setting, the Music icon is no longer available from Start Menu. - -If you disable or don't configure this policy setting, the Music icon is available from Start Menu. - - - - - -ADMX Info: -- GP Friendly name: *Remove Music icon from Start Menu* -- GP name: *NoSMMyMusic* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSMMyNetworkPlaces** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove the Network icon from Start Menu. - -If you enable this policy setting, the Network icon is no longer available from Start Menu. - -If you disable or don't configure this policy setting, the Network icon is available from Start Menu. - - - - - -ADMX Info: -- GP Friendly name: *Remove Network icon from Start Menu* -- GP name: *NoSMMyNetworkPlaces* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSMMyPictures** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove the Pictures icon from Start Menu. - -If you enable this policy setting, the Pictures icon is no longer available from Start Menu. - -If you disable or don't configure this policy setting, the Pictures icon is available from Start Menu. - - - - - -ADMX Info: -- GP Friendly name: *Remove Pictures icon from Start Menu* -- GP name: *NoSMMyPictures* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchCommInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, the start menu search box won't search for communications. - -If you disable or don't configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. - - - - - -ADMX Info: -- GP Friendly name: *Do not search communications* -- GP name: *NoSearchCommInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchComputerLinkInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, the "See all results" link won't be shown when the user performs a search in the start menu search box. - -If you disable or don't configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. - - - - - -ADMX Info: -- GP Friendly name: *Remove Search Computer link* -- GP name: *NoSearchComputerLinkInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, a "See more results" / "Search Everywhere" link won't be shown when the user performs a search in the start menu search box. - -If you disable or don't configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a third-party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. - - - - - -ADMX Info: -- GP Friendly name: *Remove See More Results / Search Everywhere link* -- GP name: *NoSearchEverywhereLinkInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchFilesInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy setting, the Start menu search box won't search for files. - -If you disable or don't configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link won't be shown when the user performs a search in the start menu search box. - - - - - -ADMX Info: -- GP Friendly name: *Do not search for files* -- GP name: *NoSearchFilesInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchInternetInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy, the start menu search box won't search for internet history or favorites. - -If you disable or don't configure this policy, the start menu will search for internet history or favorites, unless the user chooses not to in the start menu control panel. - - - - - -ADMX Info: -- GP Friendly name: *Do not search Internet* -- GP name: *NoSearchInternetInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSearchProgramsInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this policy setting, the Start menu search box won't search for programs or Control Panel items. - -If you disable or don't configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. - - - - - -ADMX Info: -- GP Friendly name: *Do not search programs and Control Panel items* -- GP name: *NoSearchProgramsInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoSetFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoResolveTrack | +| Friendly Name | Do not use the tracking-based method when resolving shell shortcuts | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoResolveTrack | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchCommInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchCommInStartMenu +``` + + + + +If you enable this policy the start menu search box will not search for communications. + +If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchCommInStartMenu | +| Friendly Name | Do not search communications | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchCommInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchComputerLinkInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchComputerLinkInStartMenu +``` + + + + +If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. + +If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchComputerLinkInStartMenu | +| Friendly Name | Remove Search Computer link | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchComputerLinkInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchEverywhereLinkInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu +``` + + + + +If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + +If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchEverywhereLinkInStartMenu | +| Friendly Name | Remove See More Results / Search Everywhere link | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoSearchEverywhereLinkInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchFilesInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchFilesInStartMenu +``` + + + + +If you enable this policy setting the Start menu search box will not search for files. + +If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchFilesInStartMenu | +| Friendly Name | Do not search for files | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchFilesInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchInternetInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchInternetInStartMenu +``` + + + + +If you enable this policy the start menu search box will not search for internet history or favorites. + +If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchInternetInStartMenu | +| Friendly Name | Do not search Internet | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchInternetInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSearchProgramsInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSearchProgramsInStartMenu +``` + + + + +If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. + +If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSearchProgramsInStartMenu | +| Friendly Name | Do not search programs and Control Panel items | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSearchProgramsInStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSetFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetFolders +``` + + + + This policy setting allows you to remove programs on Settings menu. If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. -If you disable or don't configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. +If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove programs on Settings menu* -- GP name: *NoSetFolders* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoSetTaskbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoSetFolders | +| Friendly Name | Remove programs on Settings menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSetFolders | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoSMConfigurePrograms -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMConfigurePrograms +``` + - - -This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + + +This policy setting allows you to remove the Default Programs link from the Start menu. -If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. +If you enable this policy setting, the Default Programs link is removed from the Start menu. -If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. +Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable or don't configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. +If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. - +Note: This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. + + + + - -ADMX Info: -- GP Friendly name: *Prevent changes to Taskbar and Start Menu Settings* -- GP name: *NoSetTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_StartMenu/NoStartMenuDownload** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoSMConfigurePrograms | +| Friendly Name | Remove Default Programs link from the Start menu. | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMConfigurePrograms | +| ADMX File Name | StartMenu.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoSMMyDocuments -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyDocuments +``` + + + + +This policy setting allows you to remove the Documents icon from the Start menu and its submenus. + +If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. + +Note: To make changes to this policy setting effective, you must log off and then log on. + +If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. + +Also, see the "Remove Documents icon on the desktop" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSMMyDocuments | +| Friendly Name | Remove Documents icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMMyDocs | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSMMyMusic + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyMusic +``` + + + + +This policy setting allows you to remove the Music icon from Start Menu. + +If you enable this policy setting, the Music icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Music icon is available from Start Menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSMMyMusic | +| Friendly Name | Remove Music icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuMyMusic | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSMMyNetworkPlaces + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyNetworkPlaces +``` + + + + +This policy setting allows you to remove the Network icon from Start Menu. + +If you enable this policy setting, the Network icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Network icon is available from Start Menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSMMyNetworkPlaces | +| Friendly Name | Remove Network icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuNetworkPlaces | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoSMMyPictures + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSMMyPictures +``` + + + + +This policy setting allows you to remove the Pictures icon from Start Menu. + +If you enable this policy setting, the Pictures icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSMMyPictures | +| Friendly Name | Remove Pictures icon from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSMMyPictures | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## NoStartMenuDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuDownload +``` + + + + This policy setting allows you to remove the Downloads link from the Start Menu. -If you enable this policy setting, the Start Menu doesn't show a link to the Downloads folder. +If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. -If you disable or don't configure this policy setting, the Downloads link is available from the Start Menu. +If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Downloads link from Start Menu* -- GP name: *NoStartMenuDownload* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoStartMenuHomegroup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuDownload | +| Friendly Name | Remove Downloads link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuDownloads | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuHomegroup -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuHomegroup +``` + - - -If you enable this policy, the Start menu won't show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users can't add the homegroup link to the Start Menu. + + +If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. -If you disable or don't configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. +If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Homegroup link from Start Menu* -- GP name: *NoStartMenuHomegroup* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoStartMenuRecordedTV** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuHomegroup | +| Friendly Name | Remove Homegroup link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuHomegroup | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuRecordedTV -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuRecordedTV +``` + - - + + This policy setting allows you to remove the Recorded TV link from the Start Menu. -If you enable this policy setting, the Start Menu doesn't show a link to the Recorded TV library. +If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. -If you disable or don't configure this policy setting, the Recorded TV link is available from the Start Menu. +If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Recorded TV link from Start Menu* -- GP name: *NoStartMenuRecordedTV* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoStartMenuSubFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuRecordedTV | +| Friendly Name | Remove Recorded TV link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuRecordedTV | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuSubFolders -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuSubFolders +``` + - - + + Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. -This setting hides all user-specific folders, not just those folders associated with redirected folders. +Note that this setting hides all user-specific folders, not just those associated with redirected folders. If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. -If you disable this setting or don't configure it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. +If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove user's folders from the Start Menu* -- GP name: *NoStartMenuSubFolders* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoStartMenuVideos** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuSubFolders | +| Friendly Name | Remove user's folders from the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuSubFolders | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartMenuVideos -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartMenuVideos +``` + - - + + This policy setting allows you to remove the Videos link from the Start Menu. -If you enable this policy setting, the Start Menu doesn't show a link to the Videos library. +If you enable this policy setting, the Start Menu does not show a link to the Videos library. -If you disable or don't configure this policy setting, the Videos link is available from the Start Menu. +If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Videos link from Start Menu* -- GP name: *NoStartMenuVideos* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoStartPage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartMenuVideos | +| Friendly Name | Remove Videos link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoStartMenuVideos | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoStartPage -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoStartPage +``` + - - + + This setting affects the presentation of the Start menu. -The classic Start menu in Windows allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. +The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. -If you enable this setting, the Start menu displays the classic Start menu and displays the standard desktop icons. +If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. -If you don't configure this setting, the default is the new style, and the user can change the view. +If you do not configure this setting, the default is the new style, and the user can change the view. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force classic Start Menu* -- GP name: *NoStartPage* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoTaskBarClock** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoStartPage | +| Friendly Name | Force classic Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSimpleStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTaskBarClock -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTaskBarClock +``` + - - + + Prevents the clock in the system notification area from being displayed. -If you enable this setting, the clock won't be displayed in the system notification area. +If you enable this setting, the clock will not be displayed in the system notification area. -If you disable or don't configure this setting, the default behavior of the clock appearing in the notification area will occur. +If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Clock from the system notification area* -- GP name: *NoTaskBarClock* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoTaskGrouping** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTaskBarClock | +| Friendly Name | Remove Clock from the system notification area | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HideClock | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTaskGrouping -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTaskGrouping +``` + - - + + This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. -If you disable or don't configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping, if they choose. +If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent grouping of taskbar items* -- GP name: *NoTaskGrouping* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoToolbarsOnTaskbar** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTaskGrouping | +| Friendly Name | Prevent grouping of taskbar items | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTaskGrouping | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoToolbarsOnTaskbar -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoToolbarsOnTaskbar +``` + - - + + This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. -If this setting is enabled, the taskbar doesn't display any custom toolbars, and the user can't add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. +If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. -If this setting is disabled or isn't configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. +If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not display any custom toolbars in the taskbar* -- GP name: *NoToolbarsOnTaskbar* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoTrayContextMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoToolbarsOnTaskbar | +| Friendly Name | Do not display any custom toolbars in the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoToolbarsOnTaskbar | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoTrayItemsDisplay -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayItemsDisplay +``` + - - -This policy setting allows you to remove access to the context menus for the taskbar. - -If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. - -If you disable or don't configure this policy setting, the context menus for the taskbar are available. - -This policy setting doesn't prevent users from using other methods to issue the commands that appear on these menus. - - - - - -ADMX Info: -- GP Friendly name: *Remove access to the context menus for the taskbar* -- GP name: *NoTrayContextMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoTrayItemsDisplay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This setting affects the notification area (previously called the "system tray") on the taskbar. -The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. +Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. -If this setting is disabled or isn't configured, the notification area is shown in the user's taskbar. +If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. -> [!NOTE] -> Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. +Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the notification area* -- GP name: *NoTrayItemsDisplay* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoUninstallFromStart** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoTrayItemsDisplay | +| Friendly Name | Hide the notification area | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTrayItemsDisplay | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoUserFolderOnStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUserFolderOnStartMenu +``` + - - -If you enable this setting, users can't uninstall apps from Start. + + +If you enable this policy the start menu will not show a link to the user's storage folder. -If you disable this setting or don't configure it, users can access the uninstall command from Start. +If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from uninstalling applications from Start* -- GP name: *NoUninstallFromStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/NoUserFolderOnStartMenu** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoUserFolderOnStartMenu | +| Friendly Name | Remove user folder link from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoUserFolderInStartMenu | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoUserNameOnStartMenu -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUserNameOnStartMenu +``` + - - -If you enable this policy, the start menu won't show a link to the user's storage folder. + + +This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. -If you disable or don't configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. +If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. - +To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. +If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. + - -ADMX Info: -- GP Friendly name: *Remove user folder link from Start Menu* -- GP name: *NoUserFolderOnStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_StartMenu/NoUserNameOnStartMenu** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NoUserNameOnStartMenu | +| Friendly Name | Remove user name from Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoUserNameInStartMenu | +| ADMX File Name | StartMenu.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NoWindowsUpdate - - -This policy setting allows you to remove the user name label from the Start Menu. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, the user name label is removed from the Start Menu. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoWindowsUpdate +``` + -If you disable or don't configure this policy setting, the user name label appears on the Start Menu. - - - - - -ADMX Info: -- GP Friendly name: *Remove user name from Start Menu* -- GP name: *NoUserNameOnStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/NoWindowsUpdate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to remove links and access to Windows Update. If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. -Enabling this policy setting blocks user access to the Windows Update Web site at https://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. +Enabling this policy setting blocks user access to the Windows Update Web site at . Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. -Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need, newest versions of which are displayed for download. +Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. -If you disable or don't configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. +If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. Also, see the "Hide the "Add programs from Microsoft" option" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove links and access to Windows Update* -- GP name: *NoWindowsUpdate* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/PowerButtonAction** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWindowsUpdate | +| Friendly Name | Remove links and access to Windows Update | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWindowsUpdate | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PowerButtonAction -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/PowerButtonAction +``` + - - + + Set the default action of the power button on the Start menu. If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. -If you set the button to either Sleep or Hibernate, and that state isn't supported on a computer, then the button will fall back to Shut Down. +If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down. -If you disable or don't configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. +If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Change Start Menu power button* -- GP name: *PowerButtonAction* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/QuickLaunchEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PowerButtonAction_DisplayName | +| Friendly Name | Change Start Menu power button | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## QuickLaunchEnabled -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/QuickLaunchEnabled +``` + - - + + This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. -If you enable this policy setting, the QuickLaunch bar will be visible and can't be turned off. +If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. -If you disable this policy setting, the QuickLaunch bar will be hidden and can't be turned on. +If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. -If you don't configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. +If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show QuickLaunch on Taskbar* -- GP name: *QuickLaunchEnabled* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/RemoveUnDockPCButton** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | QuickLaunchEnabled | +| Friendly Name | Show QuickLaunch on Taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | QuickLaunchEnabled | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RemoveUnDockPCButton -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/RemoveUnDockPCButton +``` + - - -If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC can't be undocked. + + +If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. -If you disable this setting or don't configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. +If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove the "Undock PC" button from the Start Menu* -- GP name: *RemoveUnDockPCButton* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/ShowAppsViewOnStart** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RemoveUnDockPCButton | +| Friendly Name | Remove the "Undock PC" button from the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStartMenuEjectPC | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowAppsViewOnStart -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowAppsViewOnStart +``` + - - + + This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show the Apps view automatically when the user goes to Start* -- GP name: *ShowAppsViewOnStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/ShowRunAsDifferentUserInStart** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ShowAppsViewOnStart | +| Friendly Name | Show the Apps view automatically when the user goes to Start | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowAppsViewOnStart | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ShowRunAsDifferentUserInStart -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowRunAsDifferentUserInStart +``` + - - + + This policy setting shows or hides the "Run as different user" command on the Start application bar. -If you enable this setting, users can access the "Run as different user" command from Start for applications that support this functionality. +If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. -If you disable this setting or don't configure it, users can't access the "Run as different user" command from Start for any applications. +If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. -> [!NOTE] -> This setting doesn't prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. +Note: This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Show "Run as different user" command on Start* -- GP name: *ShowRunAsDifferentUserInStart* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/ShowRunInStartMenu** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -If you enable this setting, the Run command is added to the Start menu. - -If you disable or don't configure this setting, the Run command isn't visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. - -If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. - - - - - -ADMX Info: -- GP Friendly name: *Add the Run command to the Start Menu* -- GP name: *ShowRunInStartMenu* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - - - - - - - -ADMX Info: -- GP Friendly name: *Show Start on the display the user is using when they press the Windows logo key* -- GP name: *ShowStartOnDisplayWithForegroundOnWinKey* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - -**ADMX_StartMenu/StartMenuLogOff** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting allows you to remove the "Log Off ``" item from the Start menu and prevents users from restoring it. - -If you enable this policy setting, the Log Off `` item doesn't appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users can't restore the Log Off `` item to the Start Menu. - -If you disable or don't configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. - -This policy setting affects the Start menu only. It doesn't affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it doesn't prevent users from using other methods to sign out. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + > [!TIP] -> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowRunAsDifferentUserInStart | +| Friendly Name | Show "Run as different user" command on Start | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowRunAsDifferentUserInStart | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## ShowRunInStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowRunInStartMenu +``` + + + + +If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowRunInStartMenu | +| Friendly Name | Add the Run command to the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ForceRunOnStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## ShowStartOnDisplayWithForegroundOnWinKey + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey +``` + + + + +This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. + +If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. + +If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowStartOnDisplayWithForegroundOnWinKey | +| Friendly Name | Show Start on the display the user is using when they press the Windows logo key | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowStartOnDisplayWithForegroundOnWinKey | +| ADMX File Name | StartMenu.admx | + + + + + + + + + +## StartMenuLogOff + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartMenuLogOff +``` + + + + +This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. + +If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. + +If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. + +This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. + +Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove Logoff on the Start Menu* -- GP name: *StartMenuLogOff* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_StartMenu/StartPinAppsWhenInstalled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | StartMenuLogOff | +| Friendly Name | Remove Logoff on the Start Menu | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | StartMenuLogOff | +| ADMX File Name | StartMenu.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User -> * Device + -
    +## Related articles - - -This policy setting allows pinning apps to Start by default, when they're included by AppID on the list. - - - - - -ADMX Info: -- GP Friendly name: *Pin Apps to Start when installed* -- GP name: *StartPinAppsWhenInstalled* -- GP path: *Start Menu and Taskbar* -- GP ADMX file name: *StartMenu.admx* - - - -
    - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 7711aaec84..525c916e6c 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -1,67 +1,52 @@ --- -title: Policy CSP - ADMX_SystemRestore -description: Learn about Policy CSP - ADMX_SystemRestore. +title: ADMX_SystemRestore Policy CSP +description: Learn more about the ADMX_SystemRestore Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 11/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_SystemRestore + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_SystemRestore policies + +## SR_DisableConfig -
    -
    - ADMX_SystemRestore/SR_DisableConfig -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SystemRestore/SR_DisableConfig +``` + -
    + + +Allows you to disable System Restore configuration through System Protection. - -**ADMX_SystemRestore/SR_DisableConfig** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to disable System Restore configuration through System Protection. +This policy setting allows you to turn off System Restore configuration through System Protection. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting. @@ -70,25 +55,50 @@ If you enable this policy setting, the option to configure System Restore throug If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Configuration* -- GP name: *SR_DisableConfig* -- GP path: *System\System Restore* -- GP ADMX file name: *SystemRestore.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SR_DisableConfig | +| Friendly Name | Turn off Configuration | +| Location | Computer Configuration | +| Path | System > System Restore | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SystemRestore | +| Registry Value Name | DisableConfig | +| ADMX File Name | SystemRestore.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md index b8297ea689..ed25251ac2 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -43,6 +43,7 @@ ms.topic: reference + Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -68,6 +69,9 @@ If you do not configure this policy, application auto complete lists will appear +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -103,6 +107,7 @@ If you do not configure this policy, application auto complete lists will appear + Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -130,6 +135,9 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -165,6 +173,7 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -192,6 +201,9 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -227,6 +239,7 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -252,6 +265,9 @@ If you do not configure this policy, Input Panel will appear next to text entry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -287,6 +303,7 @@ If you do not configure this policy, Input Panel will appear next to text entry + Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -322,6 +339,9 @@ Caution: If you lower password security settings, people who can see the user’ +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -357,6 +377,7 @@ Caution: If you lower password security settings, people who can see the user’ + Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -382,6 +403,9 @@ If you do not configure this policy, Input Panel will provide text prediction su +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -417,6 +441,7 @@ If you do not configure this policy, Input Panel will provide text prediction su + Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -442,6 +467,9 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -477,6 +505,7 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara + Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. @@ -508,6 +537,9 @@ If you do not configure this policy, users will be able to use both the tolerant +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -543,6 +575,7 @@ If you do not configure this policy, users will be able to use both the tolerant + Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -568,6 +601,9 @@ If you do not configure this policy, application auto complete lists will appear +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -603,6 +639,7 @@ If you do not configure this policy, application auto complete lists will appear + Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -630,6 +667,9 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -665,6 +705,7 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -692,6 +733,9 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -727,6 +771,7 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -752,6 +797,9 @@ If you do not configure this policy, Input Panel will appear next to text entry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -787,6 +835,7 @@ If you do not configure this policy, Input Panel will appear next to text entry + Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -822,6 +871,9 @@ Caution: If you lower password security settings, people who can see the user’ +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -857,6 +909,7 @@ Caution: If you lower password security settings, people who can see the user’ + Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -882,6 +935,9 @@ If you do not configure this policy, Input Panel will provide text prediction su +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -917,6 +973,7 @@ If you do not configure this policy, Input Panel will provide text prediction su + Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. @@ -942,6 +999,9 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -977,6 +1037,7 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara + Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. @@ -1008,6 +1069,9 @@ If you do not configure this policy, users will be able to use both the tolerant +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | From 683ae9bdf65ca2003ea80fdd772e9f7eca7d9178 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:22:19 -0500 Subject: [PATCH 106/152] smartcard snmp --- .../mdm/policy-csp-admx-smartcard.md | 1378 +++++++++-------- .../mdm/policy-csp-admx-snmp.md | 295 ++-- 2 files changed, 920 insertions(+), 753 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 859415fe2f..eee03d598e 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1,880 +1,1024 @@ --- -title: Policy CSP - ADMX_Smartcard -description: Learn about Policy CSP - ADMX_Smartcard. +title: ADMX_Smartcard Policy CSP +description: Learn more about the ADMX_Smartcard Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/23/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Smartcard + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Smartcard policies + +## AllowCertificatesWithNoEKU -
    -
    - ADMX_Smartcard/AllowCertificatesWithNoEKU -
    -
    - ADMX_Smartcard/AllowIntegratedUnblock -
    -
    - ADMX_Smartcard/AllowSignatureOnlyKeys -
    -
    - ADMX_Smartcard/AllowTimeInvalidCertificates -
    -
    - ADMX_Smartcard/CertPropEnabledString -
    -
    - ADMX_Smartcard/CertPropRootCleanupString -
    -
    - ADMX_Smartcard/CertPropRootEnabledString -
    -
    - ADMX_Smartcard/DisallowPlaintextPin -
    -
    - ADMX_Smartcard/EnumerateECCCerts -
    -
    - ADMX_Smartcard/FilterDuplicateCerts -
    -
    - ADMX_Smartcard/ForceReadingAllCertificates -
    -
    - ADMX_Smartcard/IntegratedUnblockPromptString -
    -
    - ADMX_Smartcard/ReverseSubject -
    -
    - ADMX_Smartcard/SCPnPEnabled -
    -
    - ADMX_Smartcard/SCPnPNotification -
    -
    - ADMX_Smartcard/X509HintsNeeded -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowCertificatesWithNoEKU +``` + -
    + + +This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. - -**ADMX_Smartcard/AllowCertificatesWithNoEKU** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for signing in. - -In versions of Windows, prior to Windows Vista, smart card certificates that are used for a sign-in require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. - -If you enable this policy setting, certificates with the following attributes can also be used to sign in on with a smart card: +In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. +If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: - Certificates with no EKU - Certificates with an All Purpose EKU - Certificates with a Client Authentication EKU -If you disable or don't configure this policy setting, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card. +If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow certificates with no extended key usage certificate attribute* -- GP name: *AllowCertificatesWithNoEKU* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/AllowIntegratedUnblock** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowCertificatesWithNoEKU | +| Friendly Name | Allow certificates with no extended key usage certificate attribute | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowCertificatesWithNoEKU | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowIntegratedUnblock -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowIntegratedUnblock +``` + - - + + This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). -In order to use the integrated unblock feature, your smart card must support this feature. Check with your hardware manufacturer to see if your smart card supports this feature. +In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. If you enable this policy setting, the integrated unblock feature will be available. -If you disable or don't configure this policy setting then the integrated unblock feature won't be available. +If you disable or do not configure this policy setting then the integrated unblock feature will not be available. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Integrated Unblock screen to be displayed at the time of logon* -- GP name: *AllowIntegratedUnblock* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/AllowSignatureOnlyKeys** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowIntegratedUnblock | +| Friendly Name | Allow Integrated Unblock screen to be displayed at the time of logon | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowIntegratedUnblock | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSignatureOnlyKeys -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowSignatureOnlyKeys +``` + - - -This policy setting lets you allow signature key-based certificates to be enumerated and available for a sign in. + + +This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. -If you enable this policy setting, then any certificates available on the smart card with a signature only key will be listed on the sign-in screen. +If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. -If you disable or don't configure this policy setting, any available smart card signature key-based certificates won't be listed on the sign-in screen. +If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow signature keys valid for Logon* -- GP name: *AllowSignatureOnlyKeys* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/AllowTimeInvalidCertificates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSignatureOnlyKeys | +| Friendly Name | Allow signature keys valid for Logon | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowSignatureOnlyKeys | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowTimeInvalidCertificates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/AllowTimeInvalidCertificates +``` + - - -This policy setting permits those certificates to be displayed for a sign-in, which are either expired or not yet valid. + + +This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. -Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls displaying of the certificate on the client machine. +Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. -If you enable this policy setting, certificates will be listed on the sign-in screen regardless of whether they have an invalid time or their time validity has expired. +If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired. -If you disable or don't configure this policy setting, certificates that are expired or not yet valid won't be listed on the sign-in screen. +If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow time invalid certificates* -- GP name: *AllowTimeInvalidCertificates* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/CertPropEnabledString** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowTimeInvalidCertificates | +| Friendly Name | Allow time invalid certificates | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | AllowTimeInvalidCertificates | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CertPropEnabledString -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropEnabledString +``` + - - + + This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. -If you enable or don't configure this policy setting then certificate propagation will occur when you insert your smart card. +If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. -If you disable this policy setting, certificate propagation won't occur and the certificates won't be made available to applications such as Outlook. +If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on certificate propagation from smart card* -- GP name: *CertPropEnabledString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/CertPropRootCleanupString** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CertPropEnabledString | +| Friendly Name | Turn on certificate propagation from smart card | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp | +| Registry Value Name | CertPropEnabled | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CertPropRootCleanupString -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropRootCleanupString +``` + - - -This policy setting allows you to manage the cleanup behavior of root certificates. + + +This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate clean up will occur on log off. + -If you enable this policy setting, then root certificate cleanup will occur according to the option selected. + + + -If you disable or don't configure this setting then root certificate cleanup will occur on a sign out. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Configure root certificate clean up* -- GP name: *CertPropRootCleanupString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +**ADMX mapping**: - - -
    +| Name | Value | +|:--|:--| +| Name | CertPropRootCleanupString | +| Friendly Name | Configure root certificate clean up | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp | +| ADMX File Name | Smartcard.admx | + - -**ADMX_Smartcard/CertPropRootEnabledString** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## CertPropRootEnabledString - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/CertPropRootEnabledString +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. -If you enable or don't configure this policy setting then root certificate propagation will occur when you insert your smart card. +If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. -> [!NOTE] -> For this policy setting to work this policy setting must also be enabled: "Turn on certificate propagation from smart card". +**Note**: For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card. -If you disable this policy setting, then root certificates won't be propagated from the smart card. +If you disable this policy setting then root certificates will not be propagated from the smart card. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on root certificate propagation from smart card* -- GP name: *CertPropRootEnabledString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/DisallowPlaintextPin** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CertPropRootEnabledString | +| Friendly Name | Turn on root certificate propagation from smart card | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CertProp | +| Registry Value Name | EnableRootCertificatePropagation | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowPlaintextPin -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/DisallowPlaintextPin +``` + - - + + This policy setting prevents plaintext PINs from being returned by Credential Manager. -If you enable this policy setting, Credential Manager doesn't return a plaintext PIN. +If you enable this policy setting, Credential Manager does not return a plaintext PIN. -If you disable or don't configure this policy setting, plaintext PINs can be returned by Credential Manager. +If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager. -> [!NOTE] -> Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. +Note: Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent plaintext PINs from being returned by Credential Manager* -- GP name: *DisallowPlaintextPin* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/EnumerateECCCerts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisallowPlaintextPin | +| Friendly Name | Prevent plaintext PINs from being returned by Credential Manager | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | DisallowPlaintextPin | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnumerateECCCerts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/EnumerateECCCerts +``` + - - -This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign-in to a domain. + + +This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. -If you enable this policy setting, ECC certificates on a smart card can be used to sign in to a domain. +If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. -If you disable or don't configure this policy setting, ECC certificates on a smart card can't be used to sign in to a domain. +If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain. -> [!NOTE] -> This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. -> If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. +Note: This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. +Note: If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow ECC certificates to be used for logon and authentication* -- GP name: *EnumerateECCCerts* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/FilterDuplicateCerts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnumerateECCCerts | +| Friendly Name | Allow ECC certificates to be used for logon and authentication | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | EnumerateECCCerts | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FilterDuplicateCerts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/FilterDuplicateCerts +``` + - - -This policy setting lets you configure if all your valid logon certificates are displayed. + + +This policy settings lets you configure if all your valid logon certificates are displayed. -During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This scenario can cause confusion as to which certificate to select for a sign in. The common case for this behavior is when a certificate is renewed and the old one hasn't yet expired. Two certificates are determined to be the same if they're issued from the same template with the same major version and they're for the same user (determined by their UPN). +During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). -If there are two or more of the "same" certificate on a smart card and this policy is enabled, then the certificate that is used for a sign in on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the certificate with the expiration time furthest in the future will be shown. +If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. -> [!NOTE] -> This setting will be applied after this policy: "Allow time invalid certificates" +**Note**: This setting will be applied after the following policy: "Allow time invalid certificates" -If you enable or don't configure this policy setting, filtering will take place. +If you enable or do not configure this policy setting, filtering will take place. If you disable this policy setting, no filtering will take place. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Filter duplicate logon certificates* -- GP name: *FilterDuplicateCerts* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/ForceReadingAllCertificates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | FilterDuplicateCerts | +| Friendly Name | Filter duplicate logon certificates | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | FilterDuplicateCerts | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ForceReadingAllCertificates -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/ForceReadingAllCertificates +``` + - - -This policy setting allows you to manage the reading of all certificates from the smart card for a sign-in. + + +This policy setting allows you to manage the reading of all certificates from the smart card for logon. -During a sign-in, Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This setting can introduce a significant performance decrease in certain situations. Contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. +During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. -If you disable or don't configure this setting, Windows will only attempt to read the default certificate from those cards that don't support retrieval of all certificates in a single call. Certificates other than the default won't be available for a sign in. +If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force the reading of all certificates from the smart card* -- GP name: *ForceReadingAllCertificates* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/IntegratedUnblockPromptString** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ForceReadingAllCertificates | +| Friendly Name | Force the reading of all certificates from the smart card | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | ForceReadingAllCertificates | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## IntegratedUnblockPromptString -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/IntegratedUnblockPromptString +``` + - - + + This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. -> [!NOTE] -> The following policy setting must be enabled: "Allow Integrated Unblock screen to be displayed at the time of logon". +**Note**: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon. -If you disable or don't configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. +If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display string when smart card is blocked* -- GP name: *IntegratedUnblockPromptString* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/ReverseSubject** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IntegratedUnblockPromptString | +| Friendly Name | Display string when smart card is blocked | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ReverseSubject -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/ReverseSubject +``` + - - -This policy setting lets you reverse the subject name from how it's stored in the certificate when displaying it during a sign in. + + +This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. -By default the User Principal Name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN isn't present, then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. +By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. -If you enable this policy setting or don't configure this setting, then the subject name will be reversed. +If you enable this policy setting or do not configure this setting, then the subject name will be reversed. -If you disable, the subject name will be displayed as it appears in the certificate. +If you disable , the subject name will be displayed as it appears in the certificate. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reverse the subject name stored in a certificate when displaying* -- GP name: *ReverseSubject* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/SCPnPEnabled** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ReverseSubject | +| Friendly Name | Reverse the subject name stored in a certificate when displaying | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | ReverseSubject | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SCPnPEnabled -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/SCPnPEnabled +``` + - - + + This policy setting allows you to control whether Smart Card Plug and Play is enabled. -If you enable or don't configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. +If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. -If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver won't be installed when a card is inserted in a Smart Card Reader. +If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader. -> [!NOTE] -> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. +Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Smart Card Plug and Play service* -- GP name: *SCPnPEnabled* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/SCPnPNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SCPnPEnabled | +| Friendly Name | Turn on Smart Card Plug and Play service | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScPnP | +| Registry Value Name | EnableScPnP | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SCPnPNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/SCPnPNotification +``` + - - + + This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. -If you enable or don't configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. +If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. -If you disable this policy setting, a confirmation message won't be displayed when a smart card device driver is installed. +If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed. -> [!NOTE] -> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. +Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Notify user of successful smart card driver installation* -- GP name: *SCPnPNotification* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Smartcard/X509HintsNeeded** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SCPnPNotification | +| Friendly Name | Notify user of successful smart card driver installation | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScPnP | +| Registry Value Name | ScPnPNotification | +| ADMX File Name | Smartcard.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## X509HintsNeeded -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Smartcard/X509HintsNeeded +``` + - - -This policy setting lets you determine whether an optional field will be displayed during a sign-in and elevation that allows users to enter their user name or user name and domain, thereby associating a certificate with the users. + + +This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. -If you enable this policy setting, then an optional field that allows a user to enter their user name or user name and domain will be displayed. +If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. -If you disable or don't configure this policy setting, an optional field that allows users to enter their user name or user name and domain won't be displayed. +If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow user name hint* -- GP name: *X509HintsNeeded* -- GP path: *Windows Components\Smart Card* -- GP ADMX file name: *Smartcard.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | X509HintsNeeded | +| Friendly Name | Allow user name hint | +| Location | Computer Configuration | +| Path | Windows Components > Smart Card | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider | +| Registry Value Name | X509HintsNeeded | +| ADMX File Name | Smartcard.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 7d3c267de8..55d1ca2653 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -1,72 +1,49 @@ --- -title: Policy CSP - ADMX_Snmp -description: Learn about Policy CSP - ADMX_Snmp. +title: ADMX_Snmp Policy CSP +description: Learn more about the ADMX_Snmp Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/04/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/24/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Snmp + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Snmp policies + +## SNMP_Communities -
    -
    - ADMX_Snmp/SNMP_Communities -
    -
    - ADMX_Snmp/SNMP_PermittedManagers -
    -
    - ADMX_Snmp/SNMP_Traps_Public -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_Communities +``` + -
    - - -**ADMX_Snmp/SNMP_Communities** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. @@ -75,57 +52,69 @@ A valid community is a community recognized by the SNMP service, while a communi If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community. -If you disable or don't configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. +If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control. -> [!NOTE] -> - It is good practice to use a cryptic community name. -> - This policy setting has no effect if the SNMP agent isn't installed on the client computer. +Note: It is good practice to use a cryptic community name. + +Note: This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration". + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify communities* -- GP name: *SNMP_Communities* -- GP path: *Network\SNMP* -- GP ADMX file name: *Snmp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Snmp/SNMP_PermittedManagers** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SNMP_Communities | +| Friendly Name | Specify communities | +| Location | Computer Configuration | +| Path | Network > SNMP | +| Registry Key Name | Software\Policies\SNMP\Parameters | +| ADMX File Name | Snmp.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SNMP_PermittedManagers -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_PermittedManagers +``` + - - + + This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -134,56 +123,67 @@ The manager is located on the host computer on the network. The manager's role i If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. -If you disable or don't configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. +If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control. -> [!NOTE] -> This policy setting has no effect if the SNMP agent isn't installed on the client computer. +Note: This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name". + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify permitted managers* -- GP name: *SNMP_PermittedManagers* -- GP path: *Network\SNMP* -- GP ADMX file name: *Snmp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Snmp/SNMP_Traps_Public** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SNMP_PermittedManagers | +| Friendly Name | Specify permitted managers | +| Location | Computer Configuration | +| Path | Network > SNMP | +| Registry Key Name | Software\Policies\SNMP\Parameters | +| ADMX File Name | Snmp.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SNMP_Traps_Public -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Snmp/SNMP_Traps_Public +``` + - - + + This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -192,31 +192,54 @@ This policy setting allows you to configure the name of the hosts that receive t If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community. -If you disable or don't configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. +If you disable or do not configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. -> [!NOTE] -> This setting has no effect if the SNMP agent isn't installed on the client computer. +Note: This setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name". + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify traps for public community* -- GP name: *SNMP_Traps_Public* -- GP path: *Network\SNMP* -- GP ADMX file name: *Snmp.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SNMP_Traps_Public | +| Friendly Name | Specify traps for public community | +| Location | Computer Configuration | +| Path | Network > SNMP | +| Registry Key Name | Software\Policies\SNMP\Parameters | +| ADMX File Name | Snmp.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 7268626854daaf8b68408f9f97081b92a7047db2 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:23:57 -0500 Subject: [PATCH 107/152] settingsync sharedfolders sharing shellcommandpromptregedittools --- .../mdm/policy-csp-admx-settingsync.md | 939 ++++++++++-------- .../mdm/policy-csp-admx-sharedfolders.md | 216 ++-- .../mdm/policy-csp-admx-sharing.md | 182 +++- ...csp-admx-shellcommandpromptregedittools.md | 420 ++++---- 4 files changed, 983 insertions(+), 774 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 116e79b9a4..45c357c51b 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -1,505 +1,594 @@ --- -title: Policy CSP - ADMX_SettingSync -description: Learn about Policy CSP - ADMX_SettingSync. +title: ADMX_SettingSync Policy CSP +description: Learn more about the ADMX_SettingSync Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_SettingSync + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -
    - - -## ADMX_SettingSync policies - -
    -
    - ADMX_SettingSync/DisableAppSyncSettingSync -
    -
    - ADMX_SettingSync/DisableApplicationSettingSync -
    -
    - ADMX_SettingSync/DisableCredentialsSettingSync -
    -
    - ADMX_SettingSync/DisableDesktopThemeSettingSync -
    -
    - ADMX_SettingSync/DisablePersonalizationSettingSync -
    -
    - ADMX_SettingSync/DisableSettingSync -
    -
    - ADMX_SettingSync/DisableStartLayoutSettingSync -
    -
    - ADMX_SettingSync/DisableSyncOnPaidNetwork -
    -
    - ADMX_SettingSync/DisableWindowsSettingSync -
    -
    +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    + +## DisableApplicationSettingSync - -**ADMX_SettingSync/DisableAppSyncSettingSync** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableApplicationSettingSync +``` + + + + +Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "app settings" group will not be synced. + +Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableApplicationSettingSync | +| Friendly Name | Do not sync app settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableApplicationSettingSync | +| ADMX File Name | SettingSync.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + + + +## DisableAppSyncSettingSync -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting prevents the "AppSync" group from syncing to and from this PC. This option turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableAppSyncSettingSync +``` + + + + +Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "AppSync" group will not be synced. + +Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAppSyncSettingSync | +| Friendly Name | Do not sync Apps | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableAppSyncSettingSync | +| ADMX File Name | SettingSync.admx | + -If you enable this policy setting, the "AppSync" group won't be synced. + + + + + + + +## DisableCredentialsSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableCredentialsSettingSync +``` + + + + +Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "passwords" group will not be synced. + +Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableCredentialsSettingSync | +| Friendly Name | Do not sync passwords | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableCredentialsSettingSync | +| ADMX File Name | SettingSync.admx | + -Use the option "Allow users to turn app syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync Apps* -- GP name: *DisableAppSyncSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableApplicationSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy seting prevents the "app settings" group from syncing to and from this PC. This option turns off and disables the "app settings" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "app settings" group won't be synced. - -Use the option "Allow users to turn app settings syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync app settings* -- GP name: *DisableApplicationSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableCredentialsSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy seting prevents the "passwords" group from syncing to and from this PC. This option turns off and disables the "passwords" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "passwords" group won't be synced. - -Use the option "Allow users to turn passwords syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync passwords* -- GP name: *DisableCredentialsSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableDesktopThemeSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents the "desktop personalization" group from syncing to and from this PC. This option turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "desktop personalization" group won't be synced. - -Use the option "Allow users to turn desktop personalization syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync desktop personalization* -- GP name: *DisableDesktopThemeSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisablePersonalizationSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents the "personalize" group from syncing to and from this PC. This option turns off and disables the "personalize" group on the "sync your settings" page in PC settings. - -If you enable this policy setting, the "personalize" group won't be synced. - -Use the option "Allow users to turn personalize syncing on" so that syncing it is turned off by default but not disabled. - -If you don't set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. - - - - - -ADMX Info: -- GP Friendly name: *Do not sync personalize* -- GP name: *DisablePersonalizationSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* - - - -
    - - -**ADMX_SettingSync/DisableSettingSync** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents syncing to and from this PC. This option turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. + + + + + + + +## DisableDesktopThemeSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableDesktopThemeSettingSync +``` + + + + +Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "desktop personalization" group will not be synced. + +Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableDesktopThemeSettingSync | +| Friendly Name | Do not sync desktop personalization | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableDesktopThemeSettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + + +## DisablePersonalizationSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisablePersonalizationSettingSync +``` + + + + +Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "personalize" group will not be synced. + +Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisablePersonalizationSettingSync | +| Friendly Name | Do not sync personalize | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisablePersonalizationSettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + + +## DisableSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableSettingSync +``` + + + + +Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. -Use the option "Allow users to turn syncing on" so that syncing it is turned off by default but not disabled. +Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. -If you don't set or disable this setting, "sync your settings" is on by default and configurable by the user. +If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not sync* -- GP name: *DisableSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_SettingSync/DisableStartLayoutSettingSync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSettingSync | +| Friendly Name | Do not sync | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableSettingSync | +| ADMX File Name | SettingSync.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableStartLayoutSettingSync -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableStartLayoutSettingSync +``` + - - -This policy setting prevents the "Start layout" group from syncing to and from this PC. This option turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. + + +Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "Start layout" group won't be synced. +If you enable this policy setting, the "Start layout" group will not be synced. -Use the option "Allow users to turn on start syncing" so that syncing is turned off by default but not disabled. +Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. -If you don't set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. +If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not sync start settings* -- GP name: *DisableStartLayoutSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_SettingSync/DisableSyncOnPaidNetwork** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableStartLayoutSettingSync | +| Friendly Name | Do not sync start settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableStartLayoutSettingSync | +| ADMX File Name | SettingSync.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSyncOnPaidNetwork -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableSyncOnPaidNetwork +``` + - - -This policy setting prevents syncing to and from this PC when on metered Internet connections. This option turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. + + +Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. -If you don't set or disable this setting, syncing on metered connections is configurable by the user. +If you do not set or disable this setting, syncing on metered connections is configurable by the user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not sync on metered connections* -- GP name: *DisableSyncOnPaidNetwork* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_SettingSync/DisableWindowsSettingSync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSyncOnPaidNetwork | +| Friendly Name | Do not sync on metered connections | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableSyncOnPaidNetwork | +| ADMX File Name | SettingSync.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableWindowsSettingSync -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableWindowsSettingSync +``` + - - -This policy setting prevents the "Other Windows settings" group from syncing to and from this PC. This option turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. + + +Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "Other Windows settings" group won't be synced. +If you enable this policy setting, the "Other Windows settings" group will not be synced. -Use the option "Allow users to turn other Windows settings syncing on" so that syncing it is turned off by default but not disabled. +Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. -If you don't set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. +If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not sync other Windows settings* -- GP name: *DisableWindowsSettingSync* -- GP path: *Windows Components\Sync your settings* -- GP ADMX file name: *SettingSync.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableWindowsSettingSync | +| Friendly Name | Do not sync other Windows settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableWindowsSettingSync | +| ADMX File Name | SettingSync.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 1aa619b1dc..92e980608b 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -1,146 +1,162 @@ --- -title: Policy CSP - ADMX_SharedFolders -description: Learn about Policy CSP - ADMX_SharedFolders. +title: ADMX_SharedFolders Policy CSP +description: Learn more about the ADMX_SharedFolders Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_SharedFolders + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_SharedFolders policies + +## PublishDfsRoots -
    -
    - ADMX_SharedFolders/PublishDfsRoots -
    -
    - ADMX_SharedFolders/PublishSharedFolders -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_SharedFolders/PublishDfsRoots +``` + - -**ADMX_SharedFolders/PublishDfsRoots** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). -If you enable or don't configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . +If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. -> [!NOTE] -> The default is to allow shared folders to be published when this setting is not configured. +**Note**: The default is to allow shared folders to be published when this setting is not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow DFS roots to be published* -- GP name: *PublishDfsRoots* -- GP path: *Shared Folders* -- GP ADMX file name: *SharedFolders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_SharedFolders/PublishSharedFolders** +| Name | Value | +|:--|:--| +| Name | PublishDfsRoots | +| Friendly Name | Allow DFS roots to be published | +| Location | User Configuration | +| Path | Shared Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SharedFolders | +| Registry Value Name | PublishDfsRoots | +| ADMX File Name | SharedFolders.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PublishSharedFolders - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_SharedFolders/PublishSharedFolders +``` + -
    - - - + + This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). -If you enable or don't configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. +If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. -If you disable this policy setting, users can't publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled. +If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled. -> [!NOTE] -> The default is to allow shared folders to be published when this setting is not configured. +**Note**: The default is to allow shared folders to be published when this setting is not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow shared folders to be published* -- GP name: *PublishSharedFolders* -- GP path: *Shared Folders* -- GP ADMX file name: *SharedFolders.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | PublishSharedFolders | +| Friendly Name | Allow shared folders to be published | +| Location | User Configuration | +| Path | Shared Folders | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\SharedFolders | +| Registry Value Name | PublishSharedFolders | +| ADMX File Name | SharedFolders.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 7b02e8d272..1a0e859eda 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -1,88 +1,162 @@ --- -title: Policy CSP - ADMX_Sharing -description: Learn about Policy CSP - ADMX_Sharing. +title: ADMX_Sharing Policy CSP +description: Learn more about the ADMX_Sharing Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Sharing + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Sharing policies + +## DisableHomeGroup -
    -
    - ADMX_Sharing/NoInplaceSharing -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sharing/DisableHomeGroup +``` + - -**ADMX_Sharing/NoInplaceSharing** + + +This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network. - +If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup. - -
    +This policy setting is not configured by default. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +You must restart the computer for this policy setting to take effect. + -> [!div class = "checklist"] -> * User + + + -
    + +**Description framework properties**: - - -This policy setting specifies whether users can share files within their profile. By default, users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you enable this policy setting, users can't share files within their profile using the sharing wizard. Also, the sharing wizard can't create a share at %root%\users and can only be used to create SMB shares on folders. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableHomeGroup | +| Friendly Name | Prevent the computer from joining a homegroup | +| Location | Computer Configuration | +| Path | Windows Components > HomeGroup | +| Registry Key Name | Software\Policies\Microsoft\Windows\HomeGroup | +| Registry Value Name | DisableHomeGroup | +| ADMX File Name | Sharing.admx | + + + + + + + + + +## NoInplaceSharing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sharing/NoInplaceSharing +``` + + + + +This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. + +If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from sharing files within their profile.* -- GP name: *NoInplaceSharing* -- GP path: *Windows Components\Network Sharing* -- GP ADMX file name: *Sharing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInplaceSharing | +| Friendly Name | Prevent users from sharing files within their profile. | +| Location | User Configuration | +| Path | Windows Components > Network Sharing | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInplaceSharing | +| ADMX File Name | Sharing.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index 0329365c45..e13b8bc97f 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,260 +1,290 @@ --- -title: Policy CSP - ADMX_ShellCommandPromptRegEditTools -description: Learn about Policy CSP - ADMX_ShellCommandPromptRegEditTools. +title: ADMX_ShellCommandPromptRegEditTools Policy CSP +description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ShellCommandPromptRegEditTools -
    - - -## ADMX_ShellCommandPromptRegEditTools policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisallowApps -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisableRegedit -
    -
    - ADMX_ShellCommandPromptRegEditTools/DisableCMD -
    -
    - ADMX_ShellCommandPromptRegEditTools/RestrictApps -
    -
    + + + + +## DisableCMD -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_ShellCommandPromptRegEditTools/DisallowApps** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD +``` + - + + +This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. - -
    +If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. + -> [!div class = "checklist"] -> * User + + + -
    + +**Description framework properties**: - - -This policy setting prevents users from running the interactive command prompt `Cmd.exe`. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. . +**ADMX mapping**: -If you disable this policy setting or don't configure it, users can run Cmd.exe and batch files normally. +| Name | Value | +|:--|:--| +| Name | DisableCMD | +| Friendly Name | Prevent access to the command prompt | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + -> [!NOTE] -> Don't prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. + + + + - + +## DisableRegedit + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Prevent access to the command prompt* -- GP name: *DisallowApps* -- GP path: *System* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit +``` + - - -
    + + +Disables the Windows registry editor Regedit.exe. +If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. - -**ADMX_ShellCommandPromptRegEditTools/DisableRegedit** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting disables the Windows registry editor `Regedit.exe`. - -If you enable this policy setting and the user tries to start `Regedit.exe`, a message appears explaining that a policy setting prevents the action. - -If you disable this policy setting or don't configure it, users can run `Regedit.exe` normally. +If you disable this policy setting or do not configure it, users can run Regedit.exe normally. To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent access to registry editing tools* -- GP name: *DisableRegedit* -- GP path: *System\Server Manager* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_ShellCommandPromptRegEditTools/DisableCMD** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRegedit | +| Friendly Name | Prevent access to registry editing tools | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisallowApps -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisallowApps +``` + - - -This policy setting limits the Windows programs that users have permission to run on the computer. + + +Prevents Windows from running the programs you specify in this policy setting. + +If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. + +If you disable this policy setting or do not configure it, users can run any programs. + +This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. + +Note: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisallowApps | +| Friendly Name | Don't run specified Windows applications | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisallowRun | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + + + + + + + + + +## RestrictApps + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/RestrictApps +``` + + + + +Limits the Windows programs that users have permission to run on the computer. If you enable this policy setting, users can only run programs that you add to the list of allowed applications. -If you disable this policy setting or don't configure it, users can run all applications. This policy setting only prevents users from running programs that are started by the File Explorer process. +If you disable this policy setting or do not configure it, users can run all applications. -It doesn't prevent users from running programs such as Task Manager, which is started by the system process or by other processes. Also, if users have access to the command prompt `Cmd.exe`, this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. +This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +Note: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). + -To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Run only specified Windows applications* -- GP name: *DisableCMD* -- GP path: *System* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_ShellCommandPromptRegEditTools/RestrictApps** +| Name | Value | +|:--|:--| +| Name | RestrictApps | +| Friendly Name | Run only specified Windows applications | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | RestrictRun | +| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User +## Related articles -
    - - - -This policy setting prevents Windows from running the programs you specify in this policy setting. - -If you enable this policy setting, users can't run programs that you add to the list of disallowed applications. - -If you disable this policy setting or don't configure it, users can run any programs. - -This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. - -Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. - -To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (for example, Winword.exe, Poledit.exe, Powerpnt.exe). - - - - - - -ADMX Info: -- GP Friendly name: *Don't run specified Windows applications* -- GP name: *RestrictApps* -- GP path: *System* -- GP ADMX file name: *ShellCommandPromptRegEditTools.admx* - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) From cd5b6f02582c8cac8b69bfd2730a7c70d23914e5 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:34:50 -0500 Subject: [PATCH 108/152] sensors servermanager servicing --- .../mdm/policy-csp-admx-sensors.md | 502 ++++++++++-------- .../mdm/policy-csp-admx-servermanager.md | 484 +++++++++-------- .../mdm/policy-csp-admx-servicing.md | 132 ++--- 3 files changed, 607 insertions(+), 511 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 95bffd5ac9..d1318c4c1e 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -1,290 +1,338 @@ --- -title: Policy CSP - ADMX_Sensors -description: Learn about Policy CSP - ADMX_Sensors. +title: ADMX_Sensors Policy CSP +description: Learn more about the ADMX_Sensors Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Sensors + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Sensors policies + +## DisableLocationScripting_2 -
    -
    - ADMX_Sensors/DisableLocationScripting_1 -
    -
    - ADMX_Sensors/DisableLocationScripting_2 -
    -
    - ADMX_Sensors/DisableLocation_1 -
    -
    - ADMX_Sensors/DisableSensors_1 -
    -
    - ADMX_Sensors/DisableSensors_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocationScripting_2 +``` + -
    - - -**ADMX_Sensors/DisableLocationScripting_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting turns off scripting for the location feature. - -If you enable this policy setting, scripts for the location feature won't run. - -If you disable or don't configure this policy setting, all location scripts will run. - - - - - -ADMX Info: -- GP Friendly name: *Turn off location scripting* -- GP name: *DisableLocationScripting_1* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -
    - - -**ADMX_Sensors/DisableLocationScripting_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. -If you disable or don't configure this policy setting, all location scripts will run. +If you disable or do not configure this policy setting, all location scripts will run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off location scripting* -- GP name: *DisableLocationScripting_2* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Sensors/DisableLocation_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLocationScripting | +| Friendly Name | Turn off location scripting | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocationScripting | +| ADMX File Name | Sensors.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSensors_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableSensors_2 +``` + - - + + +This policy setting turns off the sensor feature for this computer. + +If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. + +If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSensors | +| Friendly Name | Turn off sensors | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableSensors | +| ADMX File Name | Sensors.admx | + + + + + + + + + +## DisableLocation_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocation_1 +``` + + + + This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. -If you disable or don't configure this policy setting, all programs on this computer won't be prevented from using location information from the location feature. +If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off location* -- GP name: *DisableLocation_1* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Sensors/DisableSensors_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLocation | +| Friendly Name | Turn off location | +| Location | User Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocation | +| ADMX File Name | Sensors.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableLocationScripting_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocationScripting_1 +``` + - - + + +This policy setting turns off scripting for the location feature. + +If you enable this policy setting, scripts for the location feature will not run. + +If you disable or do not configure this policy setting, all location scripts will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocationScripting | +| Friendly Name | Turn off location scripting | +| Location | User Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocationScripting | +| ADMX File Name | Sensors.admx | + + + + + + + + + +## DisableSensors_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableSensors_1 +``` + + + + This policy setting turns off the sensor feature for this computer. -If you enable this policy setting, the sensor feature is turned off, and all programs on this computer can't use the sensor feature. +If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. -If you disable or don't configure this policy setting, all programs on this computer can use the sensor feature. +If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off sensors* -- GP name: *DisableSensors_1* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Sensors/DisableSensors_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableSensors | +| Friendly Name | Turn off sensors | +| Location | User Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableSensors | +| ADMX File Name | Sensors.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting turns off the sensor feature for this computer. - -If you enable this policy setting, the sensor feature is turned off, and all programs on this computer can't use the sensor feature. - -If you disable or don't configure this policy setting, all programs on this computer can use the sensor feature. - - - - - -ADMX Info: -- GP Friendly name: *Turn off sensors* -- GP name: *DisableSensors_2* -- GP path: *Windows Components\Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index 24b6080943..931cd6af39 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,252 +1,288 @@ --- -title: Policy CSP - ADMX_ServerManager -description: Learn about Policy CSP - ADMX_ServerManager. +title: ADMX_ServerManager Policy CSP +description: Learn more about the ADMX_ServerManager Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_ServerManager -
    - - -## ADMX_ServerManager policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_ServerManager/Do_not_display_Manage_Your_Server_page -
    -
    - ADMX_ServerManager/ServerManagerAutoRefreshRate -
    -
    - ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks -
    -
    - ADMX_ServerManager/DoNotLaunchServerManager -
    -
    + + + + +## Do_not_display_Manage_Your_Server_page -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_ServerManager/Do_not_display_Manage_Your_Server_page** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/Do_not_display_Manage_Your_Server_page +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to turn off the automatic display of Server Manager at sign in. - -If you enable this policy setting, Server Manager isn't displayed automatically when a user signs in to the server. - -If you disable this policy setting, Server Manager is displayed automatically when a user signs in to the server. - -If you don't configure this policy setting, Server Manager is displayed when a user signs in to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console isn't displayed automatically at a sign in. - -> [!NOTE] -> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. - - - - - -ADMX Info: -- GP Friendly name: *Do not display Server Manager automatically at logon* -- GP name: *Do_not_display_Manage_Your_Server_page* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* - - - -
    - - - -**ADMX_ServerManager/ServerManagerAutoRefreshRate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you're managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. - -- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. - -- If you disable this policy setting, Server Manager doesn't refresh automatically. If you don't configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. - -> [!NOTE] -> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. - - - - - - -ADMX Info: -- GP Friendly name: *Configure the refresh interval for Server Manager* -- GP name: *ServerManagerAutoRefreshRate* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* - - - -
    - - -**ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at a sign in on Windows Server 2008 and Windows Server 2008 R2. - -If you enable this policy setting, the Initial Configuration Tasks window isn't displayed when an administrator signs in to the server. - -If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator signs in to the server. - -If you don't configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator signs in to the server. However, if an administrator selects the "Do not show this window at logon" option, the window isn't displayed on subsequent logons. - - - - - -ADMX Info: -- GP Friendly name: *Do not display Initial Configuration Tasks window automatically at logon* -- GP name: *DoNotLaunchInitialConfigurationTasks* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* - - - -
    - - -**ADMX_ServerManager/DoNotLaunchServerManager** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off the automatic display of the Manage Your Server page. -- If you enable this policy setting, the Manage Your Server page isn't displayed each time an administrator signs in to the server. +If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. -- If you disable or don't configure this policy setting, the Manage Your Server page is displayed each time an administrator signs in to the server. +If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. + -However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page isn't displayed. + + +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Do not display Manage Your Server page at logon* -- GP name: *DoNotLaunchServerManager* -- GP path: *System\Server Manager* -- GP ADMX file name: *ServerManager.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Do_not_display_Manage_Your_Server_page | +| Friendly Name | Do not display Manage Your Server page at logon | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS | +| Registry Value Name | DisableShowAtLogon | +| ADMX File Name | ServerManager.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + +## DoNotLaunchInitialConfigurationTasks + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks +``` + + + + +This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. + +If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. + +If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. + +If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotLaunchInitialConfigurationTasks | +| Friendly Name | Do not display Initial Configuration Tasks window automatically at logon | +| Location | Computer Configuration | +| Path | System > Server Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\Server\InitialConfigurationTasks | +| Registry Value Name | DoNotOpenAtLogon | +| ADMX File Name | ServerManager.admx | + + + + + + + + + +## DoNotLaunchServerManager + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/DoNotLaunchServerManager +``` + + + + +This policy setting allows you to turn off the automatic display of Server Manager at logon. + +If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. + +If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. + +If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. + +Note: Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotLaunchServerManager | +| Friendly Name | Do not display Server Manager automatically at logon | +| Location | Computer Configuration | +| Path | System > Server Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\Server\ServerManager | +| Registry Value Name | DoNotOpenAtLogon | +| ADMX File Name | ServerManager.admx | + + + + + + + + + +## ServerManagerAutoRefreshRate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ServerManager/ServerManagerAutoRefreshRate +``` + + + + +This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. + +If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. + +If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. + +Note: The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ServerManagerAutoRefreshRate | +| Friendly Name | Configure the refresh interval for Server Manager | +| Location | Computer Configuration | +| Path | System > Server Manager | +| Registry Key Name | Software\Policies\Microsoft\Windows\Server\ServerManager | +| Registry Value Name | RefreshIntervalEnabled | +| ADMX File Name | ServerManager.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index 719e360bac..55228646cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -1,87 +1,99 @@ --- -title: Policy CSP - ADMX_Servicing -description: Learn about Policy CSP - ADMX_Servicing. +title: ADMX_Servicing Policy CSP +description: Learn more about the ADMX_Servicing Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Servicing +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Servicing policies + +## Servicing -
    -
    - ADMX_Servicing/Servicing -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Servicing/Servicing +``` + -
    - - -**ADMX_Servicing/Servicing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. -If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon. +If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. -The network location can be either a folder, or a WIM file. If it's a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file, for example, “wim:\\server\share\install.wim:3”. +The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file. For example “wim:\\server\share\install.wim:3”. -If you disable or don't configure this policy setting, or if the required files can't be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. +If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify settings for optional component installation and component repair* -- GP name: *Servicing* -- GP path: *System* -- GP ADMX file name: *Servicing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | CloudFulfillmentGPO | +| Friendly Name | Specify settings for optional component installation and component repair | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Servicing | +| ADMX File Name | Servicing.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 3990c9962f26c70cc78a9ce0fb132daf57a31a15 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:39:18 -0500 Subject: [PATCH 109/152] sdiageng sdiagschd securitycenter --- .../mdm/policy-csp-admx-sdiageng.md | 295 ++++++++++-------- .../mdm/policy-csp-admx-sdiagschd.md | 132 ++++---- .../mdm/policy-csp-admx-securitycenter.md | 145 +++++---- 3 files changed, 314 insertions(+), 258 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 98532868c7..e75309b1c2 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -1,191 +1,220 @@ --- -title: Policy CSP - ADMX_sdiageng -description: Learn about Policy CSP - ADMX_sdiageng. +title: ADMX_sdiageng Policy CSP +description: Learn more about the ADMX_sdiageng Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_sdiageng + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_sdiageng policies + +## BetterWhenConnected -
    -
    - ADMX_sdiageng/BetterWhenConnected -
    -
    - ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy -
    -
    - ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiageng/BetterWhenConnected +``` + -
    + + +This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" - -**ADMX_sdiageng/BetterWhenConnected** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows Internet-connected users to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" - -If you enable or don't configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. +If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)* -- GP name: *BetterWhenConnected* -- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics* -- GP ADMX file name: *sdiageng.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | BetterWhenConnected | +| Friendly Name | Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS) | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scripted Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy | +| Registry Value Name | EnableQueryRemoteServer | +| ADMX File Name | sdiageng.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ScriptedDiagnosticsExecutionPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy +``` + - - + + This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. -If you enable or don't configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. +If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. -If this policy setting is disabled, the users cannot access or run the troubleshooting tools from the Control Panel. +If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. ->[!NOTE] ->This setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. +Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Troubleshooting: Allow users to access and run Troubleshooting Wizards* -- GP name: *ScriptedDiagnosticsExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics* -- GP ADMX file name: *sdiageng.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ScriptedDiagnosticsExecutionPolicy | +| Friendly Name | Troubleshooting: Allow users to access and run Troubleshooting Wizards | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scripted Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics | +| Registry Value Name | EnableDiagnostics | +| ADMX File Name | sdiageng.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ScriptedDiagnosticsSecurityPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy +``` + - - + + This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. -If you disable or don't configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. +If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Security Policy for Scripted Diagnostics* -- GP name: *ScriptedDiagnosticsSecurityPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Scripted Diagnostics* -- GP ADMX file name: *sdiageng.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - -## Related topics +| Name | Value | +|:--|:--| +| Name | ScriptedDiagnosticsSecurityPolicy | +| Friendly Name | Configure Security Policy for Scripted Diagnostics | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scripted Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics | +| Registry Value Name | ValidateTrust | +| ADMX File Name | sdiageng.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 6de574029e..fdc494d23c 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,94 +1,106 @@ --- -title: Policy CSP - ADMX_sdiagschd -description: Learn about Policy CSP - ADMX_sdiagschd. +title: ADMX_sdiagschd Policy CSP +description: Learn more about the ADMX_sdiagschd Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_sdiagschd -
    - - -## ADMX_sdiagschd policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy -
    -
    + + + + +## ScheduledDiagnosticsExecutionPolicy -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy** + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy +``` + - + + +Determines whether scheduled diagnostics will run to proactively detect and resolve system problems. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. - -
    +If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. -> [!div class = "checklist"] -> * Device +If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. -
    +No reboots or service restarts are required for this policy to take effect: changes take effect immediately. - - -This policy determines whether scheduled diagnostics will run to proactively detect and resolve system problems. +This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics will not be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + -If you enable this policy setting, you must choose an execution level from the following: + + + -- If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. -- If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. + +**Description framework properties**: -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve problems on a scheduled basis. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you don't configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is stopped or disabled, scheduled diagnostics won't be executed. The Task Scheduler service can be configured with the Services snap-in to the Microsoft Management Console. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Configure Scheduled Maintenance Behavior* -- GP name: *ScheduledDiagnosticsExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Scheduled Maintenance* -- GP ADMX file name: *sdiagschd.admx* +| Name | Value | +|:--|:--| +| Name | ScheduledDiagnosticsExecutionPolicy | +| Friendly Name | Configure Scheduled Maintenance Behavior | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Scheduled Maintenance | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics | +| Registry Value Name | EnabledExecution | +| ADMX File Name | sdiagschd.admx | + - - -
    + + + + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index e223bafce2..d98d017b34 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -1,97 +1,112 @@ --- -title: Policy CSP - ADMX_Securitycenter -description: Learn about Policy CSP - ADMX_Securitycenter. +title: ADMX_Securitycenter Policy CSP +description: Learn more about the ADMX_Securitycenter Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Securitycenter + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Securitycenter policies + +## SecurityCenter_SecurityCenterInDomain -
    -
    - ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain +``` + -
    + + +This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. - -**ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain** +Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. - -The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center isn't enabled on the domain, the notifications and the Security Center status section aren't displayed. - -Security Center can only be turned off for computers that are joined to a Windows domain. When a computer isn't joined to a Windows domain, the policy setting will have no effect. - -If you don't configure this policy setting, the Security Center is turned off for domain members. +If you do not congifure this policy setting, the Security Center is turned off for domain members. If you enable this policy setting, Security Center is turned on for all users. If you disable this policy setting, Security Center is turned off for domain members. +Windows XP SP2 +---------------------- +In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. - +**Note** that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. +Windows Vista +--------------------- +In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect. + - -ADMX Info: -- GP Friendly name: *Turn on Security Center (Domain PCs only)* -- GP name: *SecurityCenter_SecurityCenterInDomain* -- GP path: *Windows Components\Security Center* -- GP ADMX file name: *Securitycenter.admx* + + + - - -
    + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | SecurityCenter_SecurityCenterInDomain | +| Friendly Name | Turn on Security Center (Domain PCs only) | +| Location | Computer Configuration | +| Path | Windows Components > Security Center | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Security Center | +| Registry Value Name | SecurityCenterInDomain | +| ADMX File Name | Securitycenter.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 0630d0e12b2daff9d17736717e049689018a6ee1 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:53:12 -0500 Subject: [PATCH 110/152] rpc sam scripts --- .../mdm/policy-csp-admx-rpc.md | 428 +++--- .../mdm/policy-csp-admx-sam.md | 12 +- .../mdm/policy-csp-admx-scripts.md | 1199 +++++++++-------- 3 files changed, 900 insertions(+), 739 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index c2e8188d71..5970b4ca01 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -1,199 +1,197 @@ --- -title: Policy CSP - ADMX_RPC -description: Learn about Policy CSP - ADMX_RPC. +title: ADMX_RPC Policy CSP +description: Learn more about the ADMX_RPC Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_RPC + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_RPC policies + +## RpcExtendedErrorInformation -
    -
    - ADMX_RPC/RpcExtendedErrorInformation -
    -
    - ADMX_RPC/RpcIgnoreDelegationFailure -
    -
    - ADMX_RPC/RpcMinimumHttpConnectionTimeout -
    -
    - ADMX_RPC/RpcStateInformation -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcExtendedErrorInformation +``` + -
    - - -**ADMX_RPC/RpcExtendedErrorInformation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether the RPC runtime generates extended error information when an error occurs. Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. -If you don't configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. +If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. -If you enable this policy setting, the RPC runtime will generate extended error information. +If you enable this policy setting, the RPC runtime will generate extended error information. You must select an error response type in the drop-down box. -You must select an error response type from the folowing options in the drop-down box: +-- "Off" disables all extended error information for all processes. RPC only generates an error code. -- "Off" disables all extended error information for all processes. RPC only generates an error code. -- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. -- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. -- "On" enables extended error information for all processes. +-- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. -> [!NOTE] -> For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). -> -> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. -> -> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. -> -> This policy setting won't be applied until the system is rebooted. +-- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. - +-- "On" enables extended error information for all processes. - -ADMX Info: -- GP Friendly name: *Propagate extended error information* -- GP name: *RpcExtendedErrorInformation* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* +Note: For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). - - -
    +Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. - -**ADMX_RPC/RpcIgnoreDelegationFailure** +Note: The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. - +Note: This policy setting will not be applied until the system is rebooted. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * Device + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | RpcExtendedErrorInformation | +| Friendly Name | Propagate extended error information | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + + + + + + + + + +## RpcIgnoreDelegationFailure + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcIgnoreDelegationFailure +``` + + + + This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. -The constrained delegation model, introduced in Windows Server 2003, doesn't report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. +The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. -If you don't configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. +If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. If you enable this policy setting, then: -- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context doesn't support delegation. -- "On" directs the RPC Runtime to accept security contexts that don't support delegation even if delegation was asked for. +-- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. -> [!NOTE] -> This policy setting won't be applied until the system is rebooted. +-- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. - +Note: This policy setting will not be applied until the system is rebooted. + + + + - -ADMX Info: -- GP Friendly name: *Ignore Delegation Failure* -- GP name: *RpcIgnoreDelegationFailure* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RPC/RpcMinimumHttpConnectionTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RpcIgnoreDelegationFailure | +| Friendly Name | Ignore Delegation Failure | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RpcMinimumHttpConnectionTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcMinimumHttpConnectionTimeout +``` + - - + + This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout. @@ -204,89 +202,131 @@ The minimum allowed value for this policy setting is 90 seconds. The maximum is If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. -If you don't configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. +If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. -> [!NOTE] -> This policy setting won't be applied until the system is rebooted. +Note: This policy setting will not be applied until the system is rebooted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Minimum Idle Connection Timeout for RPC/HTTP connections* -- GP name: *RpcMinimumHttpConnectionTimeout* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RPC/RpcStateInformation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RpcMinimumHttpConnectionTimeout | +| Friendly Name | Set Minimum Idle Connection Timeout for RPC/HTTP connections | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RpcStateInformation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcStateInformation +``` + - - + + This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. If you disable this policy setting, the RPC runtime defaults to "Auto2" level. -If you don't configure this policy setting, the RPC defaults to "Auto2" level. +If you do not configure this policy setting, the RPC defaults to "Auto2" level. -If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information from the following: +If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. -- "None" indicates that the system doesn't maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting isn't recommended for most installations. -- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. -- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. -- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. -- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it's recommended for use only while you're investigating an RPC problem. +-- "None" indicates that the system does not maintain any RPC state information. -> [!NOTE] -> To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. -> -> This policy setting won't be applied until the system is rebooted. +**Note**: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. - +-- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. - -ADMX Info: -- GP Friendly name: *Maintain RPC Troubleshooting State Information* -- GP name: *RpcStateInformation* -- GP path: *System\Remote Procedure Call* -- GP ADMX file name: *RPC.admx* +-- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. - - -
    +-- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. +-- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem. - +Note: To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. -## Related topics +Note: This policy setting will not be applied until the system is rebooted. + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RpcStateInformation | +| Friendly Name | Maintain RPC Troubleshooting State Information | +| Location | Computer Configuration | +| Path | System > Remote Procedure Call | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc | +| ADMX File Name | RPC.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md index 16f8928707..b0eae0e07b 100644 --- a/windows/client-management/mdm/policy-csp-admx-sam.md +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_sam Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/05/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -43,13 +43,14 @@ ms.topic: reference + This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability. For more information on the ROCA vulnerability, please see: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361 + -https://en.wikipedia.org/wiki/ROCA_vulnerability + If you enable this policy setting the following options are supported: @@ -67,7 +68,7 @@ A reboot is not required for changes to this setting to take effect. Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs. -More information is available at https://go.microsoft.com/fwlink/?linkid=2116430. +More information is available at . @@ -84,6 +85,9 @@ More information is available at https://go.microsoft.com/fwlink/?linkid=2116430 +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 8fb9f59bb0..cea112d18a 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -1,199 +1,174 @@ --- -title: Policy CSP - ADMX_Scripts -description: Learn about Policy CSP - ADMX_Scripts. +title: ADMX_Scripts Policy CSP +description: Learn more about the ADMX_Scripts Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/17/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Scripts + > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Scripts policies + +## Allow_Logon_Script_NetbiosDisabled -
    -
    - ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled -
    -
    - ADMX_Scripts/MaxGPOScriptWaitPolicy -
    -
    - ADMX_Scripts/Run_Computer_PS_Scripts_First -
    -
    - ADMX_Scripts/Run_Legacy_Logon_Script_Hidden -
    -
    - ADMX_Scripts/Run_Logoff_Script_Visible -
    -
    - ADMX_Scripts/Run_Logon_Script_Sync_1 -
    -
    - ADMX_Scripts/Run_Logon_Script_Sync_2 -
    -
    - ADMX_Scripts/Run_Logon_Script_Visible -
    -
    - ADMX_Scripts/Run_Shutdown_Script_Visible -
    -
    - ADMX_Scripts/Run_Startup_Script_Sync -
    -
    - ADMX_Scripts/Run_Startup_Script_Visible -
    -
    - ADMX_Scripts/Run_User_PS_Scripts_First -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled +``` + -
    - - -**ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes aren't configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. + + +This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. -If you disable or don't configure this policy setting, user account cross-forest, interactive logging can't run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes aren't configured. +If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow logon scripts when NetBIOS or WINS is disabled* -- GP name: *Allow_Logon_Script_NetbiosDisabled* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Scripts/MaxGPOScriptWaitPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Allow_Logon_Script_NetbiosDisabled | +| Friendly Name | Allow logon scripts when NetBIOS or WINS is disabled | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | Allow-LogonScript-NetbiosDisabled | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MaxGPOScriptWaitPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/MaxGPOScriptWaitPolicy +``` + - - + + This policy setting determines how long the system waits for scripts applied by Group Policy to run. -This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts haven't finished running when the specified time expires, the system stops script processing and records an error event. +This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. -This interval is important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop. +This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the ""Run logon scripts synchronously"" setting to direct the system to wait for the logon scripts to complete before loading the desktop. -An excessively long interval can delay the system and cause inconvenience to users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. +An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. -If you disable or don't configure this setting, the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This value is the default value. +If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify maximum wait time for Group Policy scripts* -- GP name: *MaxGPOScriptWaitPolicy* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Scripts/Run_Computer_PS_Scripts_First** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MaxGPOScriptWaitPolicy | +| Friendly Name | Specify maximum wait time for Group Policy scripts | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Computer_PS_Scripts_First -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Computer_PS_Scripts_First +``` + - - + + This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. @@ -204,470 +179,338 @@ There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled i GPO B and GPO C include the following computer startup scripts: -- GPO B: B.cmd, B.ps1 -- GPO C: C.cmd, C.ps1 +GPO B: B.cmd, B.ps1 +GPO C: C.cmd, C.ps1 Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: -- Within GPO B: B.ps1, B.cmd -- Within GPO C: C.ps1, C.cmd +Within GPO B: B.ps1, B.cmd +Within GPO C: C.ps1, C.cmd For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales: -- Within GPO B: B.cmd, B.ps1 -- Within GPO C: C.cmd, C.ps1 +Within GPO B: B.cmd, B.ps1 +Within GPO C: C.cmd, C.ps1 -> [!NOTE] -> This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: -> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup -> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown +Note: This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: - +Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup +Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown + + + + - -ADMX Info: -- GP Friendly name: *Run Windows PowerShell scripts first at computer startup, shutdown* -- GP name: *Run_Computer_PS_Scripts_First* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Scripts/Run_Legacy_Logon_Script_Hidden** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Run_Computer_PS_Scripts_First | +| Friendly Name | Run Windows PowerShell scripts first at computer startup, shutdown | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunComputerPSScriptsFirst | +| ADMX File Name | Scripts.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Run_Logon_Script_Sync_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2 +``` + -Logon scripts are batch files of instructions that run when the user logs on. By default, Windows displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it doesn't display logon scripts written for Windows. - -If you enable this setting, Windows doesn't display logon scripts written for Windows NT 4.0 and earlier. - -If you disable or don't configure this policy setting, Windows displays login scripts written for Windows NT 4.0 and earlier. - -Also, see the "Run Logon Scripts Visible" setting. - - - - - -ADMX Info: -- GP Friendly name: *Run legacy logon scripts hidden* -- GP name: *Run_Legacy_Logon_Script_Hidden* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* - - - -
    - - -**ADMX_Scripts/Run_Logoff_Script_Visible** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting displays the instructions in logoff scripts as they run. - -Logoff scripts are batch files of instructions that run when the user signs out. By default, the system doesn't display the instructions in the logoff script. - -If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. - -If you disable or don't configure this policy setting, the instructions are suppressed. - - - - - -ADMX Info: -- GP Friendly name: *Display instructions in logoff scripts as they run* -- GP name: *Run_Logoff_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* - - - -
    - - -**ADMX_Scripts/Run_Logon_Script_Sync_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. -If you enable this policy setting, File Explorer doesn't start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. +If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. -If you disable or don't configure this policy setting, the logon scripts and File Explorer aren't synchronized and can run simultaneously. +If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run logon scripts synchronously* -- GP name: *Run_Logon_Script_Sync_1* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Scripts/Run_Logon_Script_Sync_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Sync | +| Friendly Name | Run logon scripts synchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunLogonScriptSync | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Shutdown_Script_Visible -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible +``` + - - -This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. - -If you enable this policy setting, File Explorer doesn't start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. - -If you disable or don't configure this policy setting, the logon scripts and File Explorer aren't synchronized and can run simultaneously. - -This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. - - - - - -ADMX Info: -- GP Friendly name: *Run logon scripts synchronously* -- GP name: *Run_Logon_Script_Sync_2* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* - - - -
    - - -**ADMX_Scripts/Run_Logon_Script_Visible** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting displays the instructions in logon scripts as they run. - -Logon scripts are batch files of instructions that run when the user logs on. By default, the system doesn't display the instructions in logon scripts. - -If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. - -If you disable or don't configure this policy setting, the instructions are suppressed. - - - - - -ADMX Info: -- GP Friendly name: *Display instructions in logon scripts as they run* -- GP name: *Run_Logon_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* - - - -
    - - -**ADMX_Scripts/Run_Shutdown_Script_Visible** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting displays the instructions in shutdown scripts as they run. -Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system doesn't display the instructions in the shutdown script. +Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. -If you disable or don't configure this policy setting, the instructions are suppressed. +If you disable or do not configure this policy setting, the instructions are suppressed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display instructions in shutdown scripts as they run* -- GP name: *Run_Shutdown_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Scripts/Run_Startup_Script_Sync** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Shutdown_Script_Visible | +| Friendly Name | Display instructions in shutdown scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideShutdownScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Startup_Script_Sync -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync +``` + - - + + This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. -If you enable this policy setting, the system doesn't coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. +If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. -If you disable or don't configure this policy setting, a startup can't run until the previous script is complete. +If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete. -> [!NOTE] -> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not. +Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the ""Run startup scripts visible"" policy setting is enabled or not. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run startup scripts asynchronously* -- GP name: *Run_Startup_Script_Sync* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Scripts/Run_Startup_Script_Visible** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Sync | +| Friendly Name | Run startup scripts asynchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunStartupScriptSync | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_Startup_Script_Visible -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible +``` + - - + + This policy setting displays the instructions in startup scripts as they run. -Startup scripts are batch files of instructions that run before the user is invited to sign in. By default, the system doesn't display the instructions in the startup script. +Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or don't configure this policy setting, the instructions are suppressed. +If you disable or do not configure this policy setting, the instructions are suppressed. -> [!NOTE] -> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. +Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display instructions in startup scripts as they run* -- GP name: *Run_Startup_Script_Visible* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Scripts/Run_User_PS_Scripts_First** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Visible | +| Friendly Name | Display instructions in startup scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideStartupScripts | +| ADMX File Name | Scripts.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Run_User_PS_Scripts_First -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` - - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user sign in and sign out. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` + -If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user sign in and sign out. + + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. + +If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. For example, assume the following scenario: @@ -675,46 +518,320 @@ There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled i GPO B and GPO C include the following user logon scripts: -- GPO B: B.cmd, B.ps1 -- GPO C: C.cmd, C.ps1 +GPO B: B.cmd, B.ps1 +GPO C: C.cmd, C.ps1 Assume also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: -- Within GPO B: B.ps1, B.cmd -- Within GPO C: C.ps1, C.cmd +Within GPO B: B.ps1, B.cmd +Within GPO C: C.ps1, C.cmd For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara: -- Within GPO B: B.cmd, B.ps1 -- Within GPO C: C.cmd, C.ps1 +Within GPO B: B.cmd, B.ps1 +Within GPO C: C.cmd, C.ps1 -> [!NOTE] -> This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: -> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon -> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff +Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: + +User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon +User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Run Windows PowerShell scripts first at user logon, logoff* -- GP name: *Run_User_PS_Scripts_First* -- GP path: *System\Scripts* -- GP ADMX file name: *Scripts.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Run_User_PS_Scripts_First | +| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff | +| Location | Computer and User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunUserPSScriptsFirst | +| ADMX File Name | Scripts.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + +## Run_Legacy_Logon_Script_Hidden + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Legacy_Logon_Script_Hidden +``` + + + + +This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. + +Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. + +If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. + +If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. + +Also, see the "Run Logon Scripts Visible" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Legacy_Logon_Script_Hidden | +| Friendly Name | Run legacy logon scripts hidden | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideLegacyLogonScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Logoff_Script_Visible + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logoff_Script_Visible +``` + + + + +This policy setting displays the instructions in logoff scripts as they run. + +Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. + +If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. + +If you disable or do not configure this policy setting, the instructions are suppressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Logoff_Script_Visible | +| Friendly Name | Display instructions in logoff scripts as they run | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideLogoffScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Logon_Script_Sync_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_1 +``` + + + + +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. + +If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. + +If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. + +This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Sync | +| Friendly Name | Run logon scripts synchronously | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunLogonScriptSync | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Logon_Script_Visible + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Visible +``` + + + + +This policy setting displays the instructions in logon scripts as they run. + +Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. + +If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. + +If you disable or do not configure this policy setting, the instructions are suppressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Visible | +| Friendly Name | Display instructions in logon scripts as they run | +| Location | User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideLogonScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 0163f5f4e42c396f01c6defc883e62d20775ac61 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 10:06:34 -0500 Subject: [PATCH 111/152] reliability remoteassistance removablestorage --- .../mdm/policy-csp-admx-reliability.md | 390 ++- .../mdm/policy-csp-admx-remoteassistance.md | 229 +- .../mdm/policy-csp-admx-removablestorage.md | 3089 +++++++++-------- 3 files changed, 2052 insertions(+), 1656 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index d6f224badc..9163e7efe9 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -1,237 +1,244 @@ --- -title: Policy CSP - ADMX_Reliability -description: Policy CSP - ADMX_Reliability +title: ADMX_Reliability Policy CSP +description: Learn more about the ADMX_Reliability Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Reliability ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Reliability policies + +## EE_EnablePersistentTimeStamp -
    -
    - ADMX_Reliability/EE_EnablePersistentTimeStamp -
    -
    - ADMX_Reliability/PCH_ReportShutdownEvents -
    -
    - ADMX_Reliability/ShutdownEventTrackerStateFile -
    -
    - ADMX_Reliability/ShutdownReason -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/EE_EnablePersistentTimeStamp +``` + -
    - - -**ADMX_Reliability/EE_EnablePersistentTimeStamp** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. -If you enable this policy setting, you're able to specify how often the Persistent System Timestamp is refreshed and then written to the disk. You can specify the Timestamp Interval in seconds. +If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. -If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns isn't recorded. +If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. -If you don't configure this policy setting, the Persistent System Timestamp is refreshed according to the default, which is every 60 seconds beginning with Windows Server 2003. +If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. -> [!NOTE] -> This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. +Note: This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Persistent Time Stamp* -- GP name: *EE_EnablePersistentTimeStamp* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Reliability/PCH_ReportShutdownEvents** +| Name | Value | +|:--|:--| +| Name | EE_EnablePersistentTimeStamp | +| Friendly Name | Enable Persistent Time Stamp | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Reliability | +| Registry Value Name | TimeStampEnabled | +| ADMX File Name | Reliability.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PCH_ReportShutdownEvents - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/PCH_ReportShutdownEvents +``` + -
    - - - + + This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. -If you disable this policy setting, unplanned shutdown events aren't included in error reporting. +If you disable this policy setting, unplanned shutdown events are not included in error reporting. -If you don't configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. +If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. Also see the "Configure Error Reporting" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Report unplanned shutdown events* -- GP name: *PCH_ReportShutdownEvents* -- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Reliability/ShutdownEventTrackerStateFile** +| Name | Value | +|:--|:--| +| Name | PCH_ReportShutdownEvents | +| Friendly Name | Report unplanned shutdown events | +| Location | Computer Configuration | +| Path | CAT_WindowsErrorReporting > Advanced Error Reporting Settings | +| Registry Key Name | Software\Policies\Microsoft\PCHealth\ErrorReporting | +| Registry Value Name | IncludeShutdownErrs | +| ADMX File Name | Reliability.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ShutdownEventTrackerStateFile - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/ShutdownEventTrackerStateFile +``` + -
    - - - + + This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. -The system state data file contains information about the basic system state and the state of all running processes. +The system state data file contains information about the basic system state as well as the state of all running processes. If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. If you disable this policy setting, the System State Data feature is never activated. -If you don't configure this policy setting, the default behavior for the System State Data feature occurs. +If you do not configure this policy setting, the default behavior for the System State Data feature occurs. +Note: By default, the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all supported versions. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Activate Shutdown Event Tracker System State Data feature* -- GP name: *ShutdownEventTrackerStateFile* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Reliability/ShutdownReason** +| Name | Value | +|:--|:--| +| Name | ShutdownEventTrackerStateFile | +| Friendly Name | Activate Shutdown Event Tracker System State Data feature | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Reliability | +| Registry Value Name | SnapShot | +| ADMX File Name | Reliability.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ShutdownReason - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Reliability/ShutdownReason +``` + -
    - - - -The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This tracker is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you're shutting down the computer. + + +The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. @@ -239,28 +246,55 @@ If you enable this policy setting and choose "Server Only" from the drop-down me If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) -If you disable this policy setting, the Shutdown Event Tracker isn't displayed when you shut down the computer. +If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer. -If you don't configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. +If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. -> [!NOTE] -> By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. +Note: By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Display Shutdown Event Tracker* -- GP name: *ShutdownReason* -- GP path: *System* -- GP ADMX file name: *Reliability.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | ShutdownReason | +| Friendly Name | Display Shutdown Event Tracker | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Reliability | +| Registry Value Name | ShutdownReasonOn | +| ADMX File Name | Reliability.admx | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index bece2eb4d9..324ddf127c 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -1,159 +1,176 @@ --- -title: Policy CSP - ADMX_RemoteAssistance -description: Learn about Policy CSP - ADMX_RemoteAssistance. +title: ADMX_RemoteAssistance Policy CSP +description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_RemoteAssistance ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_RemoteAssistance policies + +## RA_EncryptedTicketOnly -
    -
    - ADMX_RemoteAssistance/RA_EncryptedTicketOnly -
    -
    - ADMX_RemoteAssistance/RA_Optimize_Bandwidth -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemoteAssistance/RA_EncryptedTicketOnly +``` + -
    - - -**ADMX_RemoteAssistance/RA_EncryptedTicketOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting doesn't affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. + + +This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. -If you don't configure this policy setting, users can configure this setting in System Properties in the Control Panel. +If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow only Windows Vista or later connections* -- GP name: *RA_EncryptedTicketOnly* -- GP path: *System\Remote Assistance* -- GP ADMX file name: *RemoteAssistance.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RemoteAssistance/RA_Optimize_Bandwidth** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_EncryptedTicketOnly | +| Friendly Name | Allow only Windows Vista or later connections | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | CreateEncryptedOnlyTickets | +| ADMX File Name | RemoteAssistance.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RA_Optimize_Bandwidth -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemoteAssistance/RA_Optimize_Bandwidth +``` + - - + + This policy setting allows you to improve performance in low bandwidth scenarios. -This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. +This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting. For example: "Turn off background" will include the following optimizations: - -- No full window drag -- Turn off background +-No full window drag +-Turn off background "Full optimization" will include the following optimizations: - -- Use 16-bit color (8-bit color in Windows Vista) -- Turn off font smoothing (not supported in Windows Vista) -- No full window drag -- Turn off background +-Use 16-bit color (8-bit color in Windows Vista) +-Turn off font smoothing (not supported in Windows Vista) +-No full window drag +-Turn off background If you enable this policy setting, bandwidth optimization occurs at the level specified. If you disable this policy setting, application-based settings are used. -If you don't configure this policy setting, application-based settings are used. +If you do not configure this policy setting, application-based settings are used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on bandwidth optimization* -- GP name: *RA_Optimize_Bandwidth* -- GP path: *System\Remote Assistance* -- GP ADMX file name: *RemoteAssistance.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RA_Optimize_Bandwidth | +| Friendly Name | Turn on bandwidth optimization | +| Location | Computer Configuration | +| Path | System > Remote Assistance | +| Registry Key Name | Software\policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseBandwidthOptimization | +| ADMX File Name | RemoteAssistance.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 13c9f54981..1623673a7b 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -1,1623 +1,1968 @@ --- -title: Policy CSP - ADMX_RemovableStorage -description: Learn about Policy CSP - ADMX_RemovableStorage. +title: ADMX_RemovableStorage Policy CSP +description: Learn more about the ADMX_RemovableStorage Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/10/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_RemovableStorage ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_RemovableStorage policies + +## AccessRights_RebootTime_2 -
    -
    - ADMX_RemovableStorage/AccessRights_RebootTime_1 -
    -
    - ADMX_RemovableStorage/AccessRights_RebootTime_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 -
    -
    - ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 -
    -
    - ADMX_RemovableStorage/Removable_Remote_Allow_Access -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 -
    -
    - ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/AccessRights_RebootTime_2 +``` + -
    - - -**ADMX_RemovableStorage/AccessRights_RebootTime_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. -If you disable or don't configure this setting, the operating system does not force a reboot. +If you disable or do not configure this setting, the operating system does not force a reboot. -> [!NOTE] -> If no reboot is forced, the access right does not take effect until the operating system is restarted. +Note: If no reboot is forced, the access right does not take effect until the operating system is restarted. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set time (in seconds) to force reboot* -- GP name: *AccessRights_RebootTime_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RemovableStorage/AccessRights_RebootTime_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AccessRights_RebootTime | +| Friendly Name | Set time (in seconds) to force reboot | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | RebootTimeinSeconds_state | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CDandDVD_DenyExecute_Access_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2 +``` + - - -This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. - -If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. - -If you disable or don't configure this setting, the operating system does not force a reboot - -> [!NOTE] -> If no reboot is forced, the access right does not take effect until the operating system is restarted. - - - - - -ADMX Info: -- GP Friendly name: *Set time (in seconds) to force reboot* -- GP name: *AccessRights_RebootTime_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - -
    - - -**ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny execute access* -- GP name: *CDandDVD_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyExecute_Access | +| Friendly Name | CD and DVD: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CDandDVD_DenyRead_Access_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2 +``` + - - + + This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny read access* -- GP name: *CDandDVD_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyRead_Access | +| Friendly Name | CD and DVD: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## CDandDVD_DenyWrite_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting denies read access to the CD and DVD removable storage class. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2 +``` + -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny read access* -- GP name: *CDandDVD_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - -
    - - -**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny write access* -- GP name: *CDandDVD_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyWrite_Access | +| Friendly Name | CD and DVD: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomClasses_DenyRead_Access_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2 +``` + - - -This policy setting denies write access to the CD and DVD removable storage class. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *CD and DVD: Deny write access* -- GP name: *CDandDVD_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - -
    - - -**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. -If you disable or don't configure this policy setting, read access is allowed to these removable storage classes. +If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny read access* -- GP name: *CustomClasses_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyRead_Access | +| Friendly Name | Custom Classes: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomClasses_DenyWrite_Access_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2 +``` + - - -This policy setting denies read access to custom removable storage classes. - -If you enable this policy setting, read access is denied to these removable storage classes. - -If you disable or don't configure this policy setting, read access is allowed to these removable storage classes. - - - - - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny read access* -- GP name: *CustomClasses_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - -
    - - -**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. -If you disable or don't configure this policy setting, write access is allowed to these removable storage classes. +If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny write access* -- GP name: *CustomClasses_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyWrite_Access | +| Friendly Name | Custom Classes: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## FloppyDrives_DenyExecute_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting denies write access to custom removable storage classes. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2 +``` + -If you enable this policy setting, write access is denied to these removable storage classes. - -If you disable or don't configure this policy setting, write access is allowed to these removable storage classes. - - - - - -ADMX Info: -- GP Friendly name: *Custom Classes: Deny write access* -- GP name: *CustomClasses_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny execute access* -- GP name: *FloppyDrives_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyExecute_Access | +| Friendly Name | Floppy Drives: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## FloppyDrives_DenyRead_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2 +``` + + + + This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny read access* -- GP name: *FloppyDrives_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyRead_Access | +| Friendly Name | Floppy Drives: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## FloppyDrives_DenyWrite_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2 +``` + -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny read access* -- GP name: *FloppyDrives_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - - - - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny write access* -- GP name: *FloppyDrives_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *Floppy Drives: Deny write access* -- GP name: *FloppyDrives_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting denies execute access to removable disks. - -If you enable this policy setting, execute access is denied to this removable storage class. - -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. - - - - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny execute access* -- GP name: *RemovableDisks_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting denies read access to removable disks. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny read access* -- GP name: *RemovableDisks_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting denies read access to removable disks. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - - - - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny read access* -- GP name: *RemovableDisks_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting denies write access to removable disks. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - -> [!NOTE] -> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - -ADMX Info: -- GP Friendly name: *Removable Disks: Deny write access* -- GP name: *RemovableDisks_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -Configure access to all removable storage classes. - -This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. - -If you enable this policy setting, no access is allowed to any removable storage class. - -If you disable or don't configure this policy setting, write and read accesses are allowed to all removable storage classes. - - - - - -ADMX Info: -- GP Friendly name: *All Removable Storage classes: Deny all access* -- GP name: *RemovableStorageClasses_DenyAll_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Configure access to all removable storage classes. - -This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. - -If you enable this policy setting, no access is allowed to any removable storage class. - -If you disable or don't configure this policy setting, write and read accesses are allowed to all removable storage classes. - - - - - -ADMX Info: -- GP Friendly name: *All Removable Storage classes: Deny all access* -- GP name: *RemovableStorageClasses_DenyAll_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/Removable_Remote_Allow_Access** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyWrite_Access | +| Friendly Name | Floppy Drives: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## Removable_Remote_Allow_Access + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/Removable_Remote_Allow_Access +``` + + + + This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. -If you disable or don't configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. +If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *All Removable Storage: Allow direct access in remote sessions* -- GP name: *Removable_Remote_Allow_Access* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Removable_Remote_Allow_Access | +| Friendly Name | All Removable Storage: Allow direct access in remote sessions | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | AllowRemoteDASD | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RemovableDisks_DenyExecute_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2 +``` + + + + +This policy setting denies execute access to removable disks. + +If you enable this policy setting, execute access is denied to this removable storage class. + +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyExecute_Access | +| Friendly Name | Removable Disks: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## RemovableDisks_DenyRead_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +``` + + + + +This policy setting denies read access to removable disks. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyRead_Access | +| Friendly Name | Removable Disks: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## RemovableStorageClasses_DenyAll_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +``` + + + + +Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +If you enable this policy setting, no access is allowed to any removable storage class. + +If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableStorageClasses_DenyAll_Access | +| Friendly Name | All Removable Storage classes: Deny all access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | Deny_All | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## TapeDrives_DenyExecute_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +``` + + + + This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or don't configure this policy setting, execute access is allowed to this removable storage class. +If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny execute access* -- GP name: *TapeDrives_DenyExecute_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyExecute_Access | +| Friendly Name | Tape Drives: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## TapeDrives_DenyRead_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +``` + + + + This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny read access* -- GP name: *TapeDrives_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyRead_Access | +| Friendly Name | Tape Drives: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## TapeDrives_DenyWrite_Access_2 - - -This policy setting denies read access to the Tape Drive removable storage class. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, read access is denied to this removable storage class. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +``` + -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny read access* -- GP name: *TapeDrives_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny write access* -- GP name: *TapeDrives_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    + +**Description framework properties**: - -**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyWrite_Access | +| Friendly Name | Tape Drives: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## WPDDevices_DenyRead_Access_2 - - -This policy setting denies write access to the Tape Drive removable storage class. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, write access is denied to this removable storage class. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +``` + -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. - - - - - -ADMX Info: -- GP Friendly name: *Tape Drives: Deny write access* -- GP name: *TapeDrives_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access | +| Friendly Name | WPD Devices: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## WPDDevices_DenyWrite_Access_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +``` + -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or don't configure this policy setting, read access is allowed to this removable storage class. - - - - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny read access* -- GP name: *WPDDevices_DenyRead_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    - - -**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_1* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access | +| Friendly Name | WPD Devices: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## AccessRights_RebootTime_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting denies write access to removable disks that may include media players, cellular phones, auxiliary displays, and CE devices. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/AccessRights_RebootTime_1 +``` + + + + +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. + +If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. + +If you disable or do not configure this setting, the operating system does not force a reboot. + +Note: If no reboot is forced, the access right does not take effect until the operating system is restarted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AccessRights_RebootTime | +| Friendly Name | Set time (in seconds) to force reboot | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | RebootTimeinSeconds_state | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## CDandDVD_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to the CD and DVD removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyRead_Access | +| Friendly Name | CD and DVD: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## CDandDVD_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. -If you disable or don't configure this policy setting, write access is allowed to this removable storage class. +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *WPD Devices: Deny write access* -- GP name: *WPDDevices_DenyWrite_Access_2* -- GP path: *System\Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyWrite_Access | +| Friendly Name | CD and DVD: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + +## CustomClasses_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to custom removable storage classes. + +If you enable this policy setting, read access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyRead_Access | +| Friendly Name | Custom Classes: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## CustomClasses_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to custom removable storage classes. + +If you enable this policy setting, write access is denied to these removable storage classes. + +If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyWrite_Access | +| Friendly Name | Custom Classes: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## FloppyDrives_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyRead_Access | +| Friendly Name | Floppy Drives: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## FloppyDrives_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyWrite_Access | +| Friendly Name | Floppy Drives: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## RemovableDisks_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to removable disks. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyRead_Access | +| Friendly Name | Removable Disks: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## RemovableDisks_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to removable disks. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyWrite_Access | +| Friendly Name | Removable Disks: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## RemovableStorageClasses_DenyAll_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1 +``` + + + + +Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +If you enable this policy setting, no access is allowed to any removable storage class. + +If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableStorageClasses_DenyAll_Access | +| Friendly Name | All Removable Storage classes: Deny all access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | Deny_All | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## TapeDrives_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to the Tape Drive removable storage class. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyRead_Access | +| Friendly Name | Tape Drives: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## TapeDrives_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to the Tape Drive removable storage class. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyWrite_Access | +| Friendly Name | Tape Drives: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## WPDDevices_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, read access is denied to this removable storage class. + +If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access | +| Friendly Name | WPD Devices: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## WPDDevices_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +If you enable this policy setting, write access is denied to this removable storage class. + +If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access | +| Friendly Name | WPD Devices: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From ca02bf537a857271217d3529b53a8144c7fd31e7 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 10:36:26 -0500 Subject: [PATCH 112/152] printing printing2 programs qos --- .../mdm/policy-csp-admx-printing.md | 2675 +++++++++-------- .../mdm/policy-csp-admx-printing2.md | 807 ++--- .../mdm/policy-csp-admx-programs.md | 622 ++-- .../mdm/policy-csp-admx-qos.md | 78 +- 4 files changed, 2324 insertions(+), 1858 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 3728163906..e21e90d625 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1,568 +1,1337 @@ --- -title: Policy CSP - ADMX_Printing -description: Learn about Policy CSP - ADMX_Printing. +title: ADMX_Printing Policy CSP +description: Learn more about the ADMX_Printing Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/15/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Printing ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Printing policies + +## AllowWebPrinting -
    -
    - ADMX_Printing/AllowWebPrinting -
    -
    - ADMX_Printing/ApplicationDriverIsolation -
    -
    - ADMX_Printing/CustomizedSupportUrl -
    -
    - ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate -
    -
    - ADMX_Printing/DomainPrinters -
    -
    - ADMX_Printing/DownlevelBrowse -
    -
    - ADMX_Printing/EMFDespooling -
    -
    - ADMX_Printing/ForceSoftwareRasterization -
    -
    - ADMX_Printing/IntranetPrintersUrl -
    -
    - ADMX_Printing/KMPrintersAreBlocked -
    -
    - ADMX_Printing/LegacyDefaultPrinterMode -
    -
    - ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS -
    -
    - ADMX_Printing/NoDeletePrinter -
    -
    - ADMX_Printing/NonDomainPrinters -
    -
    - ADMX_Printing/PackagePointAndPrintOnly -
    -
    - ADMX_Printing/PackagePointAndPrintOnly_Win7 -
    -
    - ADMX_Printing/PackagePointAndPrintServerList -
    -
    - ADMX_Printing/PackagePointAndPrintServerList_Win7 -
    -
    - ADMX_Printing/PhysicalLocation -
    -
    - ADMX_Printing/PhysicalLocationSupport -
    -
    - ADMX_Printing/PrintDriverIsolationExecutionPolicy -
    -
    - ADMX_Printing/PrintDriverIsolationOverrideCompat -
    -
    - ADMX_Printing/PrinterDirectorySearchScope -
    -
    - ADMX_Printing/PrinterServerThread -
    -
    - ADMX_Printing/ShowJobTitleInEventLogs -
    -
    - ADMX_Printing/V4DriverDisallowPrinterExtension -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/AllowWebPrinting +``` + -
    - - -**ADMX_Printing/AllowWebPrinting** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. If you enable this policy setting, Internet printing is activated on this server. -If you disable this policy setting or don't configure it, Internet printing isn't activated. +If you disable this policy setting or do not configure it, Internet printing is not activated. Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing support and this setting must be enabled. -> [!NOTE] -> This setting affects the server side of Internet printing only. It doesn't prevent the print client on the computer from printing across the Internet. +Note: This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Activate Internet printing* -- GP name: *AllowWebPrinting* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/ApplicationDriverIsolation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowWebPrinting | +| Friendly Name | Activate Internet printing | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPrinting | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ApplicationDriverIsolation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/ApplicationDriverIsolation +``` + - - + + Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. -Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they're configured for it. +Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. -If you enable or don't configure this policy setting, then applications that are configured to support driver isolation will be isolated. +If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated. If you disable this policy setting, then print drivers will be loaded within all associated application processes. -> [!NOTE] -> - This policy setting applies only to applications opted into isolation. -> - This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler aren't affected. -> - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. +Notes: +-This policy setting applies only to applications opted into isolation. +-This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected. +-This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Isolate print drivers from applications* -- GP name: *ApplicationDriverIsolation* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/CustomizedSupportUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ApplicationDriverIsolation | +| Friendly Name | Isolate print drivers from applications | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ApplicationDriverIsolation | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomizedSupportUrl -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/CustomizedSupportUrl +``` + - - + + By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. -If you disable this setting or don't configure it, or if you don't enter an alternate Internet address, the default link will appear in the Printers folder. +If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder. -> [!NOTE] -> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. -> To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders." +Note: Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom support URL in the Printers folder's left pane* -- GP name: *CustomizedSupportUrl* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomizedSupportUrl | +| Friendly Name | Custom support URL in the Printers folder's left pane | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DomainPrinters -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/DomainPrinters +``` + - - -This policy setting allows you to manage where client computers search for Point and Printer drivers. + + +If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) -If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. +If this policy setting is disabled, the network scan page will not be displayed. -If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it's unable to find a compatible driver, then the Point and Print connection will fail. - -This policy setting isn't configured by default, and the behavior depends on the version of Windows that you're using. - - - - -ADMX Info: -- GP Friendly name: *Extend Point and Print connection to search Windows Update* -- GP name: *DoNotInstallCompatibleDriverFromWindowsUpdate* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/DomainPrinters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, for example, a domain-joined laptop on a corporate network.) - -If this policy setting is disabled, the network scan page won't be displayed. - -If this policy setting isn't configured, the Add Printer wizard will display the default number of printers of each type: - -- Directory printers: 20 -- TCP/IP printers: 0 -- Web Services printers: 0 -- Bluetooth printers: 10 -- Shared printers: 0 +If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type: +Directory printers: 20 +TCP/IP printers: 0 +Web Services printers: 0 +Bluetooth printers: 10 +Shared printers: 0 In order to view available Web Services printers on your network, ensure that network discovery is turned on. To turn on network discovery, click "Start", click "Control Panel", and then click "Network and Internet". On the "Network and Internet" page, click "Network and Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on network discovery", and then click "Save changes". If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. -In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or don't configure this policy setting, the default limit is applied. +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. -In Windows 8 and later, Bluetooth printers aren't shown so its limit doesn't apply to those versions of Windows. +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Add Printer wizard - Network scan page (Managed network)* -- GP name: *DomainPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/DownlevelBrowse** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DomainPrinters | +| Friendly Name | Add Printer wizard - Network scan page (Managed network) | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | DomainDisplayPrinters_State | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DoNotInstallCompatibleDriverFromWindowsUpdate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate +``` + - - -Allows users to use the Add Printer Wizard to search the network for shared printers. + + +This policy setting allows you to manage where client computers search for Point and Printer drivers. -If you enable this setting or don't configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and don't specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. +If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. -If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users can't search the network but must type a printer name. +If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail. -> [!NOTE] -> This setting affects the Add Printer Wizard only. It doesn't prevent users from using other programs to search for shared printers or to connect to network printers. +This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. +By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Browse the network to find printers* -- GP name: *DownlevelBrowse* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/EMFDespooling** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DoNotInstallCompatibleDriverFromWindowsUpdate | +| Friendly Name | Extend Point and Print connection to search Windows Update | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DoNotInstallCompatibleDriverFromWindowsUpdate | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EMFDespooling -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/EMFDespooling +``` + - - -When printing is being done through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. + + +When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. -This policy setting only affects printing to a Windows print server. +This policy setting only effects printing to a Windows print server. -If you enable this policy setting on a client machine, the client spooler won't process print jobs before sending them to the print server, thereby decreasing the workload on the client at the expense of increasing the load on the server. +If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server. -If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will pass the commands to the printer. This process increases the workload of the client while decreasing the load on the server. +If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server. -If you don't enable this policy setting, the behavior is the same as disabling it. +If you do not enable this policy setting, the behavior is the same as disabling it. -> [!NOTE] -> This policy doesn't determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. -> -> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server doesn't support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting doesn't override this behavior. -> -> In cases where the client print driver doesn't match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. +Note: This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. - +Note: Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior. +Note: In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. + - -ADMX Info: -- GP Friendly name: *Always render print jobs on the server* -- GP name: *EMFDespooling* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_Printing/ForceSoftwareRasterization** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | EMFDespooling | +| Friendly Name | Always render print jobs on the server | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ForceCSREMFDespooling | +| ADMX File Name | Printing.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## ForceSoftwareRasterization - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/ForceSoftwareRasterization +``` + + + + Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. + - + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ForceSWRas | +| Friendly Name | Always rasterize content to be printed using a software rasterizer | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ForceSoftwareRasterization | +| ADMX File Name | Printing.admx | + + + + + + + + + +## KMPrintersAreBlocked + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/KMPrintersAreBlocked +``` + + + + +Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. + +If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. + +If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. + +If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. + +Note: By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | KMPrintersAreBlocked | +| Friendly Name | Disallow installation of printers using kernel-mode drivers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | KMPrintersAreBlocked | +| ADMX File Name | Printing.admx | + + + + + + + + + +## MXDWUseLegacyOutputFormatMSXPS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS +``` + + + + +Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022. + +If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). + +If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MXDWUseLegacyOutputFormatMSXPS | +| Friendly Name | Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps) | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | MXDWUseLegacyOutputFormatMSXPS | +| ADMX File Name | Printing.admx | + + + + + + + + + +## NonDomainPrinters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/NonDomainPrinters +``` + + + + +This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) + +If this setting is disabled, the network scan page will not be displayed. + +If this setting is not configured, the Add Printer wizard will display the default number of printers of each type: +TCP/IP printers: 50 +Web Services printers: 50 +Bluetooth printers: 10 +Shared printers: 50 + +If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. + +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. + +In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NonDomainPrinters | +| Friendly Name | Add Printer wizard - Network scan page (Unmanaged network) | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | NonDomainDisplayPrinters_State | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PackagePointAndPrintOnly_Win7 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintOnly_Win7 +``` + + + + +This policy restricts clients computers to use package point and print only. + +If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintOnly | +| Friendly Name | Only use Package Point and print | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintOnly | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PackagePointAndPrintServerList_Win7 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintServerList_Win7 +``` + + + + +Restricts package point and print to approved servers. + +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. + +Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. + +If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintServerList | +| Friendly Name | Package Point and print - Approved servers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintServerList | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PhysicalLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PhysicalLocation +``` + + + + +If this policy setting is enabled, it specifies the default location criteria used when searching for printers. + +This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. + +When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here overrides the actual location of the computer conducting the search. + +Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. + +If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PhysicalLocation | +| Friendly Name | Computer location | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PhysicalLocationSupport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PhysicalLocationSupport +``` + + + + +Enables the physical Location Tracking setting for Windows printers. + +Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. + +If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. + +If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PhysicalLocationSupport | +| Friendly Name | Pre-populate printer search location text | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PhysicalLocationSupport | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PrintDriverIsolationExecutionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PrintDriverIsolationExecutionPolicy +``` + + + + +This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. + +If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. + +If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. - -ADMX Info: -- GP Friendly name: *Always rasterize content to be printed using a software rasterizer* -- GP name: *ForceSoftwareRasterization* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* +Notes: +-Other system or driver policy settings may alter the process in which a print driver is executed. +-This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +-This policy setting takes effect without restarting the print spooler service. + - - -
    + + + - -**ADMX_Printing/IntranetPrintersUrl** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | PrintDriverIsolationExecutionPolicy | +| Friendly Name | Execute print drivers in isolated processes | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PrintDriverIsolationExecutionPolicy | +| ADMX File Name | Printing.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - + +## PrintDriverIsolationOverrideCompat + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PrintDriverIsolationOverrideCompat +``` + + + + +This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. + +If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. + +If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. + +Notes: +-Other system or driver policy settings may alter the process in which a print driver is executed. +-This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. +-This policy setting takes effect without restarting the print spooler service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrintDriverIsolationOverrideCompat | +| Friendly Name | Override print driver execution compatibility setting reported by print driver | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PrintDriverIsolationOverrideCompat | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PrinterServerThread + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/PrinterServerThread +``` + + + + +Announces the presence of shared printers to print servers for the domain. + +On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. + +If you enable this setting, the print spooler announces shared printers to the print servers. + +If you disable this setting, shared printers are not announced to print servers, even if Active Directory is not available. + +If you do not configure this setting, shared printers are announced to servers only when Active Directory is not available. + +Note: A client license is used each time a client computer announces a printer to a print browse master on the domain. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrinterServerThread | +| Friendly Name | Printer browsing | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ServerThread | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ShowJobTitleInEventLogs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/ShowJobTitleInEventLogs +``` + + + + +This policy controls whether the print job name will be included in print event logs. + +If you disable or do not configure this policy setting, the print job name will not be included. + +If you enable this policy setting, the print job name will be included in new log entries. + +Note: This setting does not apply to Branch Office Direct Printing jobs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowJobTitleInEventLogs | +| Friendly Name | Allow job name in event logs | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | ShowJobTitleInEventLogs | +| ADMX File Name | Printing.admx | + + + + + + + + + +## V4DriverDisallowPrinterExtension + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing/V4DriverDisallowPrinterExtension +``` + + + + +This policy determines if v4 printer drivers are allowed to run printer extensions. + +V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. + +If you enable this policy setting, then all printer extensions will not be allowed to run. + +If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | V4DriverDisallowPrinterExtension | +| Friendly Name | Do not allow v4 printer drivers to show printer extensions | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | V4DriverDisallowPrinterExtension | +| ADMX File Name | Printing.admx | + + + + + + + + + +## DownlevelBrowse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/DownlevelBrowse +``` + + + + +Allows users to use the Add Printer Wizard to search the network for shared printers. + +If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. + +If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. + +Note: This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DownlevelBrowse | +| Friendly Name | Browse the network to find printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | Downlevel Browse | +| ADMX File Name | Printing.admx | + + + + + + + + + +## IntranetPrintersUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/IntranetPrintersUrl +``` + + + + Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. @@ -572,880 +1341,358 @@ If you enable this setting and type an Internet or intranet address in the text This setting makes it easy for users to find the printers you want them to add. Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Browse a common web site to find printers* -- GP name: *IntranetPrintersUrl* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/KMPrintersAreBlocked** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | IntranetPrintersUrl | +| Friendly Name | Browse a common web site to find printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LegacyDefaultPrinterMode -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/LegacyDefaultPrinterMode +``` + - - -Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly written kernel-mode drivers can cause stop errors. - - -If you don't configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. - -If you enable this setting, installation of a printer using a kernel-mode driver won't be allowed. - -> [!NOTE] -> This policy doesn't apply to 64-bit kernel-mode printer drivers as they can't be installed and associated with a print queue. - - - - - -ADMX Info: -- GP Friendly name: *Disallow installation of printers using kernel-mode drivers* -- GP name: *KMPrintersAreBlocked* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/LegacyDefaultPrinterMode** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This preference allows you to change default printer management. -If you enable this setting, Windows won't manage the default printer. +If you enable this setting, Windows will not manage the default printer. If you disable this setting, Windows will manage the default printer. -If you don't configure this setting, default printer management won't change. +If you do not configure this setting, default printer management will not change. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows default printer management* -- GP name: *LegacyDefaultPrinterMode* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SetDefaultPrinterMRUModeOff | +| Friendly Name | Turn off Windows default printer management | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows NT\CurrentVersion\Windows | +| Registry Value Name | LegacyDefaultPrinterMode | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoDeletePrinter -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/NoDeletePrinter +``` + - - -Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019. - -If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). - -If you disable or don't configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). - - - - - -ADMX Info: -- GP Friendly name: *Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)* -- GP name: *MXDWUseLegacyOutputFormatMSXPS* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/NoDeletePrinter** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. -This setting doesn't prevent users from running other programs to delete a printer. +This setting does not prevent users from running other programs to delete a printer. If this policy is disabled, or not configured, users can delete printers using the methods described above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent deletion of printers* -- GP name: *NoDeletePrinter* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/NonDomainPrinters** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDeletePrinter | +| Friendly Name | Prevent deletion of printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDeletePrinter | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PackagePointAndPrintOnly -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintOnly +``` + - - -This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer isn't able to reach a domain controller, for example, a domain-joined laptop on a home network.) - -If this setting is disabled, the network scan page won't be displayed. - -If this setting isn't configured, the Add Printer wizard will display the default number of printers of each type: - -- TCP/IP printers: 50 -- Web Services printers: 50 -- Bluetooth printers: 10 -- Shared printers: 50 - -If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. - -In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or don't configure this policy setting, the default limit is applied. - -In Windows 8 and later, Bluetooth printers aren't shown so its limit doesn't apply to those versions of Windows. - - - - - -ADMX Info: -- GP Friendly name: *Add Printer wizard - Network scan page (Unmanaged network)* -- GP name: *NonDomainPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PackagePointAndPrintOnly** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy restricts clients computers to use package point and print only. -If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. +If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, users won't be restricted to package-aware point and print only. +If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Only use Package Point and print* -- GP name: *PackagePointAndPrintOnly* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/PackagePointAndPrintOnly_Win7** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintOnly | +| Friendly Name | Only use Package Point and print | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintOnly | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PackagePointAndPrintServerList -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintServerList +``` + - - -This policy restricts clients computers to use package point and print only. - -If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. - -If this setting is disabled, or not configured, users won't be restricted to package-aware point and print only. - - - - - -ADMX Info: -- GP Friendly name: *Only use Package Point and print* -- GP name: *PackagePointAndPrintOnly_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PackagePointAndPrintServerList** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Restricts package point and print to approved servers. -This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. -If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. - -If this setting is disabled, or not configured, package point and print won't be restricted to specific print servers. - - - - - -ADMX Info: -- GP Friendly name: *Package Point and print - Approved servers* -- GP name: *PackagePointAndPrintServerList* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PackagePointAndPrintServerList_Win7** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Restricts package point and print to approved servers. - -This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. - -Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. - -If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When package point and print are being used, client computers will check the driver signature of all drivers that are downloaded from print servers. - -If this setting is disabled, or not configured, package point and print won't be restricted to specific print servers. - - - - - -ADMX Info: -- GP Friendly name: *Package Point and print - Approved servers* -- GP name: *PackagePointAndPrintServerList_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PhysicalLocation** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -If this policy setting is enabled, it specifies the default location criteria used when searching for printers. - -This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. - -When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here overrides the actual location of the computer conducting the search. - -Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. - -If you disable this setting or don't configure it, and the user doesn't type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. - - - - - -ADMX Info: -- GP Friendly name: *Computer location* -- GP name: *PhysicalLocation* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PhysicalLocationSupport** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Enables the physical Location Tracking setting for Windows printers. - -Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. - -If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. - -If you disable this setting or don't configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). - - - - - -ADMX Info: -- GP Friendly name: *Pre-populate printer search location text* -- GP name: *PhysicalLocationSupport* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PrintDriverIsolationExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure won't cause the print spooler service to fail. - -If you enable or don't configure this policy setting, the print spooler will execute print drivers in an isolated process by default. - -If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. - -> [!NOTE] -> - Other system or driver policy settings may alter the process in which a print driver is executed. -> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications aren't affected. -> - This policy setting takes effect without restarting the print spooler service. - - - - - -ADMX Info: -- GP Friendly name: *Execute print drivers in isolated processes* -- GP name: *PrintDriverIsolationExecutionPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PrintDriverIsolationOverrideCompat** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This policy setting enables executing print drivers in an isolated process, even if the driver doesn't report compatibility. - -If you enable this policy setting, the print spooler isolates all print drivers that don't explicitly opt out of Driver Isolation. - -If you disable or don't configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. - -> [!NOTE] -> - Other system or driver policy settings may alter the process in which a print driver is executed. -> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications aren't affected. -> - This policy setting takes effect without restarting the print spooler service. - - - - - -ADMX Info: -- GP Friendly name: *Override print driver execution compatibility setting reported by print driver* -- GP name: *PrintDriverIsolationOverrideCompat* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/PrinterDirectorySearchScope** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - +If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintServerList | +| Friendly Name | Package Point and print - Approved servers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintServerList | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PrinterDirectorySearchScope + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PrinterDirectorySearchScope +``` + + + + Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. -This setting only provides a starting point for Active Directory searches for printers. It doesn't restrict user searches through Active Directory. +This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Default Active Directory path when searching for printers* -- GP name: *PrinterDirectorySearchScope* -- GP path: *Control Panel\Printers* -- GP ADMX file name: *Printing.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing/PrinterServerThread** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PrinterDirectorySearchScope | +| Friendly Name | Default Active Directory path when searching for printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| ADMX File Name | Printing.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -Announces the presence of shared printers to print browse main servers for the domain. - -On domains with Active Directory, shared printer resources are available in Active Directory and aren't announced. - -If you enable this setting, the print spooler announces shared printers to the print browse main servers. - -If you disable this setting, shared printers aren't announced to print browse main servers, even if Active Directory isn't available. - -If you don't configure this setting, shared printers are announced to browse main servers only when Active Directory isn't available. - -> [!NOTE] -> A client license is used each time a client computer announces a printer to a print browse master on the domain. - - - - - -ADMX Info: -- GP Friendly name: *Printer browsing* -- GP name: *PrinterServerThread* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/ShowJobTitleInEventLogs** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy controls whether the print job name will be included in print event logs. - -If you disable or don't configure this policy setting, the print job name won't be included. - -If you enable this policy setting, the print job name will be included in new log entries. - -> [!NOTE] -> This setting doesn't apply to Branch Office Direct Printing jobs. - - - - - -ADMX Info: -- GP Friendly name: *Allow job name in event logs* -- GP name: *ShowJobTitleInEventLogs* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**ADMX_Printing/V4DriverDisallowPrinterExtension** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy determines if v4 printer drivers are allowed to run printer extensions. - -V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but these extensions may not be appropriate for all enterprises. - -If you enable this policy setting, then all printer extensions won't be allowed to run. - -If you disable this policy setting or don't configure it, then all printer extensions that have been installed will be allowed to run. - - - - - -ADMX Info: -- GP Friendly name: *Do not allow v4 printer drivers to show printer extensions* -- GP name: *V4DriverDisallowPrinterExtension* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index 0b8ff6c5be..d2d9a11183 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -1,540 +1,617 @@ --- -title: Policy CSP - ADMX_Printing2 -description: Learn about Policy CSP - ADMX_Printing2. +title: ADMX_Printing2 Policy CSP +description: Learn more about the ADMX_Printing2 Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/15/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Printing2 ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Printing2 policies + +## AutoPublishing -
    -
    - ADMX_Printing2/AutoPublishing -
    -
    - ADMX_Printing2/ImmortalPrintQueue -
    -
    - ADMX_Printing2/PruneDownlevel -
    -
    - ADMX_Printing2/PruningInterval -
    -
    - ADMX_Printing2/PruningPriority -
    -
    - ADMX_Printing2/PruningRetries -
    -
    - ADMX_Printing2/PruningRetryLog -
    -
    - ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint -
    -
    - ADMX_Printing2/VerifyPublishedState -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/AutoPublishing +``` + -
    - - -**ADMX_Printing2/AutoPublishing** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. -If you enable this setting or don't configure it, the Add Printer Wizard automatically publishes all shared printers. +If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. -If you disable this setting, the Add Printer Wizard doesn't automatically publish printers. However, you can publish shared printers manually. +If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually. The default behavior is to automatically publish shared printers in Active Directory. -> [!NOTE] -> This setting is ignored if the "Allow printers to be published" setting is disabled. +Note: This setting is ignored if the "Allow printers to be published" setting is disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Automatically publish new printers in Active Directory* -- GP name: *AutoPublishing* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing2/ImmortalPrintQueue** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AutoPublishing | +| Friendly Name | Automatically publish new printers in Active Directory | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | Auto Publishing | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ImmortalPrintQueue -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/ImmortalPrintQueue +``` + - - + + Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. -By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them doesn't respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. +By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. -If you enable this setting or don't configure it, the domain controller prunes this computer's printers when the computer doesn't respond. +If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond. -If you disable this setting, the domain controller doesn't prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. +If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. -> [!NOTE] -> You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. +Note: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow pruning of published printers* -- GP name: *ImmortalPrintQueue* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing2/PruneDownlevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ImmortalPrintQueue | +| Friendly Name | Allow pruning of published printers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | Immortal | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruneDownlevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruneDownlevel +``` + - - -This policy setting determines whether the pruning service on a domain controller prunes printer objects that aren't automatically republished whenever the host computer doesn't respond, just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. + + +Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest. -The Windows pruning service prunes printer objects from Active Directory when the computer that published them doesn't respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains can't republish printers in Active Directory automatically, by default, the system never prunes their printer objects. +The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects. You can enable this setting to change the default behavior. To use this setting, select one of the following options from the "Prune non-republishing printers" box: -- "Never" specifies that printer objects that aren't automatically republished are never pruned. "Never" is the default. +-- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default. -- "Only if Print Server is found" prunes printer objects that aren't automatically republished only when the print server responds, but the printer is unavailable. +-- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable. -- "Whenever printer is not found" prunes printer objects that aren't automatically republished whenever the host computer doesn't respond, just as it does with Windows 2000 printers. +-- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. -> [!NOTE] -> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It doesn't apply to printers published by using Printers in Control Panel. +Note: This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. +Tip: If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | PruneDownlevel | +| Friendly Name | Prune printers that are not automatically republished | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + - -ADMX Info: -- GP Friendly name: *Prune printers that are not automatically republished* -- GP name: *PruneDownlevel* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* + + + - - -
    + - -**ADMX_Printing2/PruningInterval** + +## PruningInterval - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningInterval +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. -The pruning service periodically contacts computers that have published printers. If a computer doesn't respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. +The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory. If you enable this setting, you can change the interval between contact attempts. -If you don't configure or disable this setting, the default values will be used. +If you do not configure or disable this setting the default values will be used. -> [!NOTE] -> This setting is used only on domain controllers. +Note: This setting is used only on domain controllers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Directory pruning interval* -- GP name: *PruningInterval* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing2/PruningPriority** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruningInterval | +| Friendly Name | Directory pruning interval | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningPriority -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningPriority +``` + - - + + Sets the priority of the pruning thread. -The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object doesn't respond to contact attempts. This process keeps printer information in Active Directory current. +The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current. -The thread priority influences the order in which the thread receives processor time and determines how likely it's to be preempted by higher priority threads. +The thread priority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads. By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service. -> [!NOTE] -> This setting is used only on domain controllers. +Note: This setting is used only on domain controllers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Directory pruning priority* -- GP name: *PruningPriority* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing2/PruningRetries** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruningPriority | +| Friendly Name | Directory pruning priority | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningRetries -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningRetries +``` + - - + + Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. -The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer doesn't respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. If you enable this setting, you can change the interval between attempts. -If you don't configure or disable this setting, the default values are used. +If you do not configure or disable this setting, the default values are used. -> [!NOTE] -> This setting is used only on domain controllers. +Note: This setting is used only on domain controllers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Directory pruning retry* -- GP name: *PruningRetries* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing2/PruningRetryLog** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PruningRetries | +| Friendly Name | Directory pruning retry | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PruningRetryLog -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/PruningRetryLog +``` + - - + + Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. -The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer doesn't respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer hasn't responded by the last contact attempt, its printers are pruned from the directory. +The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. If you enable this policy setting, the contact events are recorded in the event log. -If you disable or don't configure this policy setting, the contact events aren't recorded in the event log. +If you disable or do not configure this policy setting, the contact events are not recorded in the event log. -> [!NOTE] -> This setting doesn't affect the logging of pruning events; the actual pruning of a printer is always logged. This setting is used only on domain controllers. +Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. - +Note: This setting is used only on domain controllers. + + + + - -ADMX Info: -- GP Friendly name: *Log directory pruning retry events* -- GP name: *PruningRetryLog* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PruningRetryLog | +| Friendly Name | Log directory pruning retry events | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PruningRetryLog | +| ADMX File Name | Printing2.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## RegisterSpoolerRemoteRpcEndPoint -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint +``` + + + + This policy controls whether the print spooler will accept client connections. -When the policy isn't configured or enabled, the spooler will always accept client connections. +When the policy is unconfigured or enabled, the spooler will always accept client connections. -When the policy is disabled, the spooler won't accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. +When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. The spooler must be restarted for changes to this policy to take effect. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow Print Spooler to accept client connections* -- GP name: *RegisterSpoolerRemoteRpcEndPoint* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Printing2/VerifyPublishedState** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RegisterSpoolerRemoteRpcEndPoint | +| Friendly Name | Allow Print Spooler to accept client connections | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | RegisterSpoolerRemoteRpcEndPoint | +| ADMX File Name | Printing2.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## VerifyPublishedState -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Printing2/VerifyPublishedState +``` + - - + + Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. -To enable this extra verification, enable this setting, and then select a verification interval. +To enable this additional verification, enable this setting, and then select a verification interval. To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Check published state* -- GP name: *VerifyPublishedState* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | VerifyPublishedState | +| Friendly Name | Check published state | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing2.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 228cd52bf6..8d788b646e 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -1,285 +1,301 @@ --- -title: Policy CSP - ADMX_Programs -description: Learn about Policy CSP - ADMX_Programs. +title: ADMX_Programs Policy CSP +description: Learn more about the ADMX_Programs Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Programs ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Programs policies + +## NoDefaultPrograms -
    -
    - ADMX_Programs/NoDefaultPrograms -
    -
    - ADMX_Programs/NoGetPrograms -
    -
    - ADMX_Programs/NoInstalledUpdates -
    -
    - ADMX_Programs/NoProgramsAndFeatures -
    -
    - ADMX_Programs/NoProgramsCPL -
    -
    - ADMX_Programs/NoWindowsFeatures -
    -
    - ADMX_Programs/NoWindowsMarketplace -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoDefaultPrograms +``` + -
    - - -**ADMX_Programs/NoDefaultPrograms** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users can't view or change the associated page. + + +This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. -If this setting is disabled or not configured, the "Set Program Access and Defaults" button is available to all users. +If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. -This setting doesn't prevent users from using other tools and methods to change program access or defaults. +This setting does not prevent users from using other tools and methods to change program access or defaults. -This setting doesn't prevent the Default Programs icon from appearing on the Start menu. +This setting does not prevent the Default Programs icon from appearing on the Start menu. + - + + + - -ADMX Info: -- GP Friendly name: *Hide "Set Program Access and Computer Defaults" page* -- GP name: *NoDefaultPrograms* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Programs/NoGetPrograms** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoDefaultPrograms | +| Friendly Name | Hide "Set Program Access and Computer Defaults" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoDefaultPrograms | +| ADMX File Name | Programs.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NoGetPrograms -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoGetPrograms +``` + + + + Prevents users from viewing or installing published programs from the network. -This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. +This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the netowrk" task. The "Get Programs" page lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. -If this setting is enabled, users can't view the programs that have been published by the system administrator, and they can't use the "Get Programs" page to install published programs. Enabling this feature doesn't prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. +If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. -If this setting is disabled or isn't configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. +If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. -> [!NOTE] -> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. +Note: If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Get Programs" page* -- GP name: *NoGetPrograms* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Programs/NoInstalledUpdates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoGetPrograms | +| Friendly Name | Hide "Get Programs" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoGetPrograms | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoInstalledUpdates -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoInstalledUpdates +``` + - - + + This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. -This setting doesn't prevent users from using other tools and methods to install or uninstall programs. +This setting does not prevent users from using other tools and methods to install or uninstall programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Installed Updates" page* -- GP name: *NoInstalledUpdates* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Programs/NoProgramsAndFeatures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoInstalledUpdates | +| Friendly Name | Hide "Installed Updates" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoInstalledUpdates | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoProgramsAndFeatures -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoProgramsAndFeatures +``` + - - + + This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. If this setting is disabled or not configured, "Programs and Features" will be available to all users. -This setting doesn't prevent users from using other tools and methods to view or uninstall programs. It also doesn't prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. +This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Programs and Features" page* -- GP name: *NoProgramsAndFeatures* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Programs/NoProgramsCPL** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoProgramsAndFeatures | +| Friendly Name | Hide "Programs and Features" page | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoProgramsAndFeatures | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoProgramsCPL -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoProgramsCPL +``` + - - + + This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. @@ -288,125 +304,175 @@ If this setting is disabled or not configured, the Programs Control Panel in Cat When enabled, this setting takes precedence over the other settings in this folder. -This setting doesn't prevent users from using other tools and methods to install or uninstall programs. +This setting does not prevent users from using other tools and methods to install or uninstall programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide the Programs Control Panel* -- GP name: *NoProgramsCPL* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Programs/NoWindowsFeatures** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoProgramsCPL | +| Friendly Name | Hide the Programs Control Panel | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoProgramsCPL | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWindowsFeatures -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoWindowsFeatures +``` + - - -This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users can't view, enable, or disable various Windows features and services. + + +This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. -If this setting is disabled or isn't configured, the "Turn Windows features on or off" task will be available to all users. +If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. -This setting doesn't prevent users from using other tools and methods to configure services or enable or disable program components. +This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Windows Features"* -- GP name: *NoWindowsFeatures* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Programs/NoWindowsMarketplace** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoWindowsFeatures | +| Friendly Name | Hide "Windows Features" | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoWindowsFeatures | +| ADMX File Name | Programs.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NoWindowsMarketplace -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Programs/NoWindowsMarketplace +``` + - - + + This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. -Enabling this feature doesn't prevent users from navigating to Windows Marketplace using other methods. +Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. -If this feature is disabled or isn't configured, the "Get new programs from Windows Marketplace" task link will be available to all users. +If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users. -> [!NOTE] -> If the "Hide Programs control Panel" setting is enabled, this setting is ignored. +Note: If the "Hide Programs control Panel" setting is enabled, this setting is ignored. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Hide "Windows Marketplace"* -- GP name: *NoWindowsMarketplace* -- GP path: *Control Panel\Programs* -- GP ADMX file name: *Programs.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NoWindowsMarketplace | +| Friendly Name | Hide "Windows Marketplace" | +| Location | User Configuration | +| Path | Control Panel > Programs | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Programs | +| Registry Value Name | NoWindowsMarketplace | +| ADMX File Name | Programs.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md index 615fe1f468..4447d06173 100644 --- a/windows/client-management/mdm/policy-csp-admx-qos.md +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_QOS Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/05/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -43,6 +43,7 @@ ms.topic: reference + Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit. "Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent. @@ -68,6 +69,9 @@ Important: If the maximum number of outstanding packets is specified in the regi +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -102,6 +106,7 @@ Important: If the maximum number of outstanding packets is specified in the regi + Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system. By default, the Packet Scheduler limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default. @@ -127,6 +132,9 @@ Important: If a bandwidth limit is set for a particular network adapter in the r +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -161,6 +169,7 @@ Important: If a bandwidth limit is set for a particular network adapter in the r + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. @@ -186,6 +195,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -220,6 +232,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. @@ -245,6 +258,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -279,6 +295,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default priority value associated with the Best Effort service type. @@ -302,6 +319,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -336,6 +356,7 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. @@ -361,6 +382,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -395,6 +419,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. @@ -420,6 +445,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -454,6 +482,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default priority value associated with the Controlled Load service type. @@ -477,6 +506,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -511,6 +543,7 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. @@ -536,6 +569,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -570,6 +606,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. @@ -595,6 +632,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -629,6 +669,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default priority value associated with the Guaranteed service type. @@ -652,6 +693,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -686,6 +730,7 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. @@ -711,6 +756,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -745,6 +793,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. @@ -770,6 +819,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -804,6 +856,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default priority value associated with the Network Control service type. @@ -827,6 +880,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -861,6 +917,7 @@ Important: If the Layer-2 priority value for this service type is specified in t + Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default priority value associated with nonconforming packets. @@ -884,6 +941,9 @@ Important: If the Layer-2 priority value for nonconforming packets is specified +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -918,6 +978,7 @@ Important: If the Layer-2 priority value for nonconforming packets is specified + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that conform to the flow specification. @@ -943,6 +1004,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -977,6 +1041,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packets that do not conform to the flow specification. @@ -1002,6 +1067,9 @@ Important: If the DSCP value for this service type is specified in the registry +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -1036,6 +1104,7 @@ Important: If the DSCP value for this service type is specified in the registry + Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default priority value associated with the Qualitative service type. @@ -1059,6 +1128,9 @@ Important: If the Layer-2 priority value for this service type is specified in t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -1093,6 +1165,7 @@ Important: If the Layer-2 priority value for this service type is specified in t + Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. @@ -1116,6 +1189,9 @@ Important: If a timer resolution is specified in the registry for a particular n +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | From acd6597a340d18c86498fb78c6541106127703f9 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 10:57:56 -0500 Subject: [PATCH 113/152] power powershellexecutionpolicy perviousversions --- .../mdm/policy-csp-admx-power.md | 2107 +++++++++-------- ...licy-csp-admx-powershellexecutionpolicy.md | 416 ++-- .../mdm/policy-csp-admx-previousversions.md | 1056 ++++++--- 3 files changed, 2101 insertions(+), 1478 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index e43327ec72..b2005dd694 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -1,1330 +1,1557 @@ --- -title: Policy CSP - ADMX_Power -description: Learn about Policy CSP - ADMX_Power. +title: ADMX_Power Policy CSP +description: Learn more about the ADMX_Power Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Power ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Power policies + +## ACConnectivityInStandby_2 -
    -
    - ADMX_Power/ACConnectivityInStandby_2 -
    -
    - ADMX_Power/ACCriticalSleepTransitionsDisable_2 -
    -
    - ADMX_Power/ACStartMenuButtonAction_2 -
    -
    - ADMX_Power/AllowSystemPowerRequestAC -
    -
    - ADMX_Power/AllowSystemPowerRequestDC -
    -
    - ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC -
    -
    - ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC -
    -
    - ADMX_Power/CustomActiveSchemeOverride_2 -
    -
    - ADMX_Power/DCBatteryDischargeAction0_2 -
    -
    - ADMX_Power/DCBatteryDischargeAction1_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel0_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel1UINotification_2 -
    -
    - ADMX_Power/DCBatteryDischargeLevel1_2 -
    -
    - ADMX_Power/DCConnectivityInStandby_2 -
    -
    - ADMX_Power/DCCriticalSleepTransitionsDisable_2 -
    -
    - ADMX_Power/DCStartMenuButtonAction_2 -
    -
    - ADMX_Power/DiskACPowerDownTimeOut_2 -
    -
    - ADMX_Power/DiskDCPowerDownTimeOut_2 -
    -
    - ADMX_Power/Dont_PowerOff_AfterShutdown -
    -
    - ADMX_Power/EnableDesktopSlideShowAC -
    -
    - ADMX_Power/EnableDesktopSlideShowDC -
    -
    - ADMX_Power/InboxActiveSchemeOverride_2 -
    -
    - ADMX_Power/PW_PromptPasswordOnResume -
    -
    - ADMX_Power/PowerThrottlingTurnOff -
    -
    - ADMX_Power/ReserveBatteryNotificationLevel -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACConnectivityInStandby_2 +``` + -
    - - -**ADMX_Power/ACConnectivityInStandby_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. -If you disable this policy setting, network connectivity in standby isn't guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. -If you don't configure this policy setting, users control this setting. +If you do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow network connectivity during connected-standby (plugged in)* -- GP name: *ACConnectivityInStandby_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/ACCriticalSleepTransitionsDisable_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACConnectivityInStandby | +| Friendly Name | Allow network connectivity during connected-standby (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ACCriticalSleepTransitionsDisable_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACCriticalSleepTransitionsDisable_2 +``` + - - + + This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on the ability for applications to prevent sleep transitions (plugged in)* -- GP name: *ACCriticalSleepTransitionsDisable_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/ACStartMenuButtonAction_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ACCriticalSleepTransitionsDisable | +| Friendly Name | Turn on the ability for applications to prevent sleep transitions (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ACStartMenuButtonAction_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ACStartMenuButtonAction_2 +``` + - - + + This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: +-Sleep +-Hibernate +-Shut down -- Sleep -- Hibernate -- Shut down +If you disable this policy or do not configure this policy setting, users control this setting. + -If you disable this policy or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Select the Start menu Power button action (plugged in)* -- GP name: *ACStartMenuButtonAction_2* -- GP path: *System\Power Management\Button Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Power/AllowSystemPowerRequestAC** +| Name | Value | +|:--|:--| +| Name | ACStartMenuButtonAction | +| Friendly Name | Select the Start menu Power button action (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowSystemPowerRequestAC - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemPowerRequestAC +``` + -
    - - - + + This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. -If you disable or don't configure this policy setting, applications, services, or drivers don't prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow applications to prevent automatic sleep (plugged in)* -- GP name: *AllowSystemPowerRequestAC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/AllowSystemPowerRequestDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemPowerRequestAC | +| Friendly Name | Allow applications to prevent automatic sleep (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSystemPowerRequestDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemPowerRequestDC +``` + - - + + This policy setting allows applications and services to prevent automatic sleep. If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. -If you disable or don't configure this policy setting, applications, services, or drivers don't prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow applications to prevent automatic sleep (on battery)* -- GP name: *AllowSystemPowerRequestDC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemPowerRequestDC | +| Friendly Name | Allow applications to prevent automatic sleep (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSystemSleepWithRemoteFilesOpenAC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC +``` + - - + + This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. -If you disable or don't configure this policy setting, the computer doesn't automatically sleep when network files are open. +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow automatic sleep with Open Network Files (plugged in)* -- GP name: *AllowSystemSleepWithRemoteFilesOpenAC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemSleepWithRemoteFilesOpenAC | +| Friendly Name | Allow automatic sleep with Open Network Files (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## AllowSystemSleepWithRemoteFilesOpenDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC +``` + - - + + This policy setting allows you to manage automatic sleep with open network files. If you enable this policy setting, the computer automatically sleeps when network files are open. -If you disable or don't configure this policy setting, the computer doesn't automatically sleep when network files are open. +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow automatic sleep with Open Network Files (on battery)* -- GP name: *AllowSystemSleepWithRemoteFilesOpenDC* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/CustomActiveSchemeOverride_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowSystemSleepWithRemoteFilesOpenDC | +| Friendly Name | Allow automatic sleep with Open Network Files (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomActiveSchemeOverride_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/CustomActiveSchemeOverride_2 +``` + - - -This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using `powercfg`, the power configuration command line tool. + + +This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. -If you disable or don't configure this policy setting, users can see and change this setting. +If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify a custom active power plan* -- GP name: *CustomActiveSchemeOverride_2* -- GP path: *System\Power Management* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/DCBatteryDischargeAction0_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomActiveSchemeOverride | +| Friendly Name | Specify a custom active power plan | +| Location | Computer Configuration | +| Path | System > Power Management | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCBatteryDischargeAction0_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeAction0_2 +``` + - - + + This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. If you enable this policy setting, select one of the following actions: +-Take no action +-Sleep +-Hibernate +-Shut down -- Take no action -- Sleep -- Hibernate -- Shut down +If you disable or do not configure this policy setting, users control this setting. + -If you disable or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Critical battery notification action* -- GP name: *DCBatteryDischargeAction0_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Power/DCBatteryDischargeAction1_2** +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeAction0 | +| Friendly Name | Critical battery notification action | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\637EA02F-BBCB-4015-8E2C-A1C7B9C0B546 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DCBatteryDischargeAction1_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeAction1_2 +``` + -
    - - - + + This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. If you enable this policy setting, select one of the following actions: +-Take no action +-Sleep +-Hibernate +-Shut down -- Take no action -- Sleep -- Hibernate -- Shut down +If you disable or do not configure this policy setting, users control this setting. + -If you disable or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Low battery notification action* -- GP name: *DCBatteryDischargeAction1_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Power/DCBatteryDischargeLevel0_2** +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeAction1 | +| Friendly Name | Low battery notification action | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DCBatteryDischargeLevel0_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeLevel0_2 +``` + -
    - - - + + This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. To set the action that is triggered, see the "Critical Battery Notification Action" policy setting. -If you disable this policy setting or don't configure it, users control this setting. +If you disable this policy setting or do not configure it, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Critical battery notification level* -- GP name: *DCBatteryDischargeLevel0_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/DCBatteryDischargeLevel1UINotification_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeLevel0 | +| Friendly Name | Critical battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\9A66D8D7-4FF7-4EF9-B5A2-5A326CA2A469 | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCBatteryDischargeLevel1_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeLevel1_2 +``` + - - -This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. - -If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. - -To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. - -The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". - -If you disable or don't configure this policy setting, users can control this setting. - - - - - -ADMX Info: -- GP Friendly name: *Turn off low battery user notification* -- GP name: *DCBatteryDischargeLevel1UINotification_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* - - - -
    - - -**ADMX_Power/DCBatteryDischargeLevel1_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. To set the action that is triggered, see the "Low Battery Notification Action" policy setting. -If you disable this policy setting or don't configure it, users control this setting. +If you disable this policy setting or do not configure it, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Low battery notification level* -- GP name: *DCBatteryDischargeLevel1_2* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/DCConnectivityInStandby_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeLevel1 | +| Friendly Name | Low battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\8183ba9a-e910-48da-8769-14ae6dc1170a | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCBatteryDischargeLevel1UINotification_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCBatteryDischargeLevel1UINotification_2 +``` + - - + + +This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. + +If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. + +The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". + +If you disable or do not configure this policy setting, users can control this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DCBatteryDischargeLevel1UINotification | +| Friendly Name | Turn off low battery user notification | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\bcded951-187b-4d05-bccc-f7e51960c258 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + + + + + + + + + +## DCConnectivityInStandby_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCConnectivityInStandby_2 +``` + + + + This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. -If you disable this policy setting, network connectivity in standby isn't guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. -If you don't configure this policy setting, users control this setting. +If you do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow network connectivity during connected-standby (on battery)* -- GP name: *DCConnectivityInStandby_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/DCCriticalSleepTransitionsDisable_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCConnectivityInStandby | +| Friendly Name | Allow network connectivity during connected-standby (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCCriticalSleepTransitionsDisable_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCCriticalSleepTransitionsDisable_2 +``` + - - + + This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on the ability for applications to prevent sleep transitions (on battery)* -- GP name: *DCCriticalSleepTransitionsDisable_2* -- GP path: *System\Power Management\Sleep Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/DCStartMenuButtonAction_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DCCriticalSleepTransitionsDisable | +| Friendly Name | Turn on the ability for applications to prevent sleep transitions (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Sleep Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DCStartMenuButtonAction_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DCStartMenuButtonAction_2 +``` + - - + + This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. If you enable this policy setting, select one of the following actions: +-Sleep +-Hibernate +-Shut down -- Sleep -- Hibernate -- Shut down +If you disable this policy or do not configure this policy setting, users control this setting. + -If you disable this policy or don't configure this policy setting, users control this setting. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Select the Start menu Power button action (on battery)* -- GP name: *DCStartMenuButtonAction_2* -- GP path: *System\Power Management\Button Settings* -- GP ADMX file name: *Power.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_Power/DiskACPowerDownTimeOut_2** +| Name | Value | +|:--|:--| +| Name | DCStartMenuButtonAction | +| Friendly Name | Select the Start menu Power button action (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Button Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5 | +| ADMX File Name | Power.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DiskACPowerDownTimeOut_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DiskACPowerDownTimeOut_2 +``` + -
    - - - + + This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. -If you disable or don't configure this policy setting, users can see and change this setting. +If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn Off the hard disk (plugged in)* -- GP name: *DiskACPowerDownTimeOut_2* -- GP path: *System\Power Management\Hard Disk Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/DiskDCPowerDownTimeOut_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DiskACPowerDownTimeOut | +| Friendly Name | Turn Off the hard disk (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Hard Disk Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DiskDCPowerDownTimeOut_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/DiskDCPowerDownTimeOut_2 +``` + - - + + This policy setting specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. -If you disable or don't configure this policy setting, users can see and change this setting. +If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn Off the hard disk (on battery)* -- GP name: *DiskDCPowerDownTimeOut_2* -- GP path: *System\Power Management\Hard Disk Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/Dont_PowerOff_AfterShutdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DiskDCPowerDownTimeOut | +| Friendly Name | Turn Off the hard disk (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Hard Disk Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Dont_PowerOff_AfterShutdown -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/Dont_PowerOff_AfterShutdown +``` + - - -This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. - -This setting doesn't affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. - -Applications such as UPS software may rely on Windows shutdown behavior. + + +This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. Applications such as UPS software may rely on Windows shutdown behavior. This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown(). If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. -If you disable or don't configure this policy setting, the computer system safely shuts down to a fully powered-off state. +If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not turn off system power after a Windows system shutdown has occurred.* -- GP name: *Dont_PowerOff_AfterShutdown* -- GP path: *System* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/EnableDesktopSlideShowAC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Dont_PowerOff_AfterShutdown | +| Friendly Name | Do not turn off system power after a Windows system shutdown has occurred. | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows NT | +| Registry Value Name | DontPowerOffAfterShutdown | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableDesktopSlideShowAC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/EnableDesktopSlideShowAC +``` + - - + + This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. If you disable this policy setting, the desktop background slideshow is disabled. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on desktop background slideshow (plugged in)* -- GP name: *EnableDesktopSlideShowAC* -- GP path: *System\Power Management\Video and Display Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/EnableDesktopSlideShowDC** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableDesktopSlideShowAC | +| Friendly Name | Turn on desktop background slideshow (plugged in) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4 | +| Registry Value Name | ACSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableDesktopSlideShowDC -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/EnableDesktopSlideShowDC +``` + - - + + This policy setting allows you to specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. If you disable this policy setting, the desktop background slideshow is disabled. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on desktop background slideshow (on battery)* -- GP name: *EnableDesktopSlideShowDC* -- GP path: *System\Power Management\Video and Display Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/InboxActiveSchemeOverride_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableDesktopSlideShowDC | +| Friendly Name | Turn on desktop background slideshow (on battery) | +| Location | Computer Configuration | +| Path | System > Power Management > Video and Display Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4 | +| Registry Value Name | DCSettingIndex | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## InboxActiveSchemeOverride_2 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/InboxActiveSchemeOverride_2 +``` + - - + + This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. If you enable this policy setting, specify a power plan from the Active Power Plan list. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Select an active power plan* -- GP name: *InboxActiveSchemeOverride_2* -- GP path: *System\Power Management* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/PW_PromptPasswordOnResume** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | InboxActiveSchemeOverride | +| Friendly Name | Select an active power plan | +| Location | Computer Configuration | +| Path | System > Power Management | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PowerThrottlingTurnOff -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/PowerThrottlingTurnOff +``` + - - -This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. - -If you enable this policy setting, the client computer is locked and prompted for a password when it's resumed from a suspend or hibernate state. - -If you disable or don't configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. - - - - - -ADMX Info: -- GP Friendly name: *Prompt for password on resume from hibernate/suspend* -- GP name: *PW_PromptPasswordOnResume* -- GP path: *System\Power Management* -- GP ADMX file name: *Power.admx* - - - -
    - - -**ADMX_Power/PowerThrottlingTurnOff** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn off Power Throttling. If you enable this policy setting, Power Throttling will be turned off. -If you disable or don't configure this policy setting, users control this setting. +If you disable or do not configure this policy setting, users control this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Power Throttling* -- GP name: *PowerThrottlingTurnOff* -- GP path: *System\Power Management\Power Throttling Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Power/ReserveBatteryNotificationLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PowerThrottlingTurnOff | +| Friendly Name | Turn off Power Throttling | +| Location | Computer Configuration | +| Path | System > Power Management > Power Throttling Settings | +| Registry Key Name | System\CurrentControlSet\Control\Power\PowerThrottling | +| Registry Value Name | PowerThrottlingOff | +| ADMX File Name | Power.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ReserveBatteryNotificationLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ReserveBatteryNotificationLevel +``` + - - + + This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. -If you disable or don't configure this policy setting, users can see and change this setting. +If you disable or do not configure this policy setting, users can see and change this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Reserve battery notification level* -- GP name: *ReserveBatteryNotificationLevel* -- GP path: *System\Power Management\Notification Settings* -- GP ADMX file name: *Power.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ReserveBatteryNotificationLevel | +| Friendly Name | Reserve battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F00 | +| ADMX File Name | Power.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + +## PW_PromptPasswordOnResume + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Power/PW_PromptPasswordOnResume +``` + + + + +This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. + +If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. + +If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PW_PromptPasswordOnResume | +| Friendly Name | Prompt for password on resume from hibernate/suspend | +| Location | User Configuration | +| Path | System > Power Management | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Power | +| Registry Value Name | PromptPasswordOnResume | +| ADMX File Name | Power.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 5659a2f23c..336e6879ec 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -1,263 +1,321 @@ --- -title: Policy CSP - ADMX_PowerShellExecutionPolicy -description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy. +title: ADMX_PowerShellExecutionPolicy Policy CSP +description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/26/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PowerShellExecutionPolicy ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PowerShellExecutionPolicy policies + +## EnableModuleLogging -
    -
    - ADMX_PowerShellExecutionPolicy/EnableModuleLogging -
    -
    - ADMX_PowerShellExecutionPolicy/EnableScripts -
    -
    - ADMX_PowerShellExecutionPolicy/EnableTranscripting -
    -
    - ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableModuleLogging +``` -
    +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableModuleLogging +``` + - -**ADMX_PowerShellExecutionPolicy/EnableModuleLogging** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device -> * User - -
    - - - + + This policy setting allows you to turn on logging for Windows PowerShell modules. -If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell login Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. +If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. -If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting isn't configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. +If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. + +If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. -> [!NOTE] -> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on Module Logging* -- GP name: *EnableModuleLogging* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PowerShellExecutionPolicy/EnableScripts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableModuleLogging | +| Friendly Name | Turn on Module Logging | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging | +| Registry Value Name | EnableModuleLogging | +| ADMX File Name | PowerShellExecutionPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableScripts -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableScripts +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableScripts +``` + + + + This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. -If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they're signed by a trusted publisher. +If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. -The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run. And, the scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. +The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. + +The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet must be signed by a trusted publisher. + +The "Allow all scripts" policy setting allows all scripts to run. If you disable this policy setting, no scripts are allowed to run. -> [!NOTE] -> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that isn't configured is "No scripts allowed." +Note: This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." - +If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." + + + + - -ADMX Info: -- GP Friendly name: *Turn on Script Execution* -- GP name: *EnableScripts* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_PowerShellExecutionPolicy/EnableTranscripting** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | EnableScripts | +| Friendly Name | Turn on Script Execution | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell | +| Registry Value Name | EnableScripts | +| ADMX File Name | PowerShellExecutionPolicy.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device -> * User + +## EnableTranscripting -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableTranscripting +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableTranscripting +``` + + + + This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. -If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that use the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. +If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other +applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents +directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent +to calling the Start-Transcript cmdlet on each Windows PowerShell session. -If you disable this policy setting, transcription of PowerShell-based applications is disabled by default, although transcription can still be enabled through the Start-Transcript cmdlet. +If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled +through the Start-Transcript cmdlet. -If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. +If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users +from viewing the transcripts of other users or computers. -> [!NOTE] -> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on PowerShell Transcription* -- GP name: *EnableTranscripting* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | EnableTranscripting | +| Friendly Name | Turn on PowerShell Transcription | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\Transcription | +| Registry Value Name | EnableTranscripting | +| ADMX File Name | PowerShellExecutionPolicy.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableUpdateHelpDefaultSourcePath -> [!div class = "checklist"] -> * Device -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +``` - - +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +``` + + + + This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. -If this policy setting is disabled or not configured, this policy setting doesn't set a default value for the SourcePath parameter of the Update-Help cmdlet. +If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. -> [!NOTE] -> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set the default source path for Update-Help* -- GP name: *EnableUpdateHelpDefaultSourcePath* -- GP path: *Windows Components\Windows PowerShell* -- GP ADMX file name: *PowerShellExecutionPolicy.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | EnableUpdateHelpDefaultSourcePath | +| Friendly Name | Set the default source path for Update-Help | +| Location | Computer and User Configuration | +| Path | Windows Components > Windows PowerShell | +| Registry Key Name | Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp | +| Registry Value Name | EnableUpdateHelpDefaultSourcePath | +| ADMX File Name | PowerShellExecutionPolicy.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index 4f35241526..554221fd36 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -1,444 +1,782 @@ --- -title: Policy CSP - ADMX_PreviousVersions -description: Policy CSP - ADMX_PreviousVersions +title: ADMX_PreviousVersions Policy CSP +description: Learn more about the ADMX_PreviousVersions Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PreviousVersions -## ADMX_PreviousVersions policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - + +## DisableBackupRestore_2 -
    -
    - ADMX_PreviousVersions/DisableLocalPage_1 -
    -
    - ADMX_PreviousVersions/DisableLocalPage_2 -
    -
    - ADMX_PreviousVersions/DisableRemotePage_1 -
    -
    - ADMX_PreviousVersions/DisableRemotePage_2 -
    -
    - ADMX_PreviousVersions/HideBackupEntries_1 -
    -
    - ADMX_PreviousVersions/HideBackupEntries_2 -
    -
    - ADMX_PreviousVersions/DisableLocalRestore_1 -
    -
    - ADMX_PreviousVersions/DisableLocalRestore_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableBackupRestore_2 +``` + -
    + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. - -**ADMX_PreviousVersions/DisableLocalPage_1** +If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. - +If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * User +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableBackupRestore | +| Friendly Name | Prevent restoring previous versions from backups | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableBackupRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalPage_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalPage_2 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. + +If you enable this policy setting, users cannot list or restore previous versions of files on local disks. + +If you disable this policy setting, users cannot list and restore previous versions of files on local disks. + +If you do not configure this policy setting, it defaults to disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocalPage | +| Friendly Name | Hide previous versions list for local files | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalPage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalRestore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalRestore_2 +``` + + + + This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. -- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a local file. +If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. - +If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. +If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + - -ADMX Info: -- GP Friendly name: *Prevent restoring local previous versions* -- GP name: *DisableLocalPage_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableLocalPage_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableLocalRestore | +| Friendly Name | Prevent restoring local previous versions | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalRestore | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableRemotePage_2 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemotePage_2 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. + +If you enable this policy setting, users cannot list or restore previous versions of files on file shares. + +If you disable this policy setting, users can list and restore previous versions of files on file shares. + +If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemotePage | +| Friendly Name | Hide previous versions list for remote files | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemotePage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableRemoteRestore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemoteRestore_2 +``` + + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemoteRestore | +| Friendly Name | Prevent restoring remote previous versions | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemoteRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## HideBackupEntries_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/HideBackupEntries_2 +``` + + + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideBackupEntries | +| Friendly Name | Hide previous versions of files on backup location | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | HideBackupEntries | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableBackupRestore_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableBackupRestore_1 +``` + + + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. + +If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. + +If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. + +If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableBackupRestore | +| Friendly Name | Prevent restoring previous versions from backups | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableBackupRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalPage_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalPage_1 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. + +If you enable this policy setting, users cannot list or restore previous versions of files on local disks. + +If you disable this policy setting, users cannot list and restore previous versions of files on local disks. + +If you do not configure this policy setting, it defaults to disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocalPage | +| Friendly Name | Hide previous versions list for local files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalPage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableLocalRestore_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalRestore_1 +``` + + + + This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. -- If the user clicks the Restore button, Windows attempts to restore the file from the local disk. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a local file. +If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. - +If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. +If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + - -ADMX Info: -- GP Friendly name: *Prevent restoring local previous versions* -- GP name: *DisableLocalPage_2* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableRemotePage_1** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableLocalRestore | +| Friendly Name | Prevent restoring local previous versions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalRestore | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## DisableRemotePage_1 - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemotePage_1 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. + +If you enable this policy setting, users cannot list or restore previous versions of files on file shares. + +If you disable this policy setting, users can list and restore previous versions of files on file shares. + +If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemotePage | +| Friendly Name | Hide previous versions list for remote files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemotePage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + + +## DisableRemoteRestore_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemoteRestore_1 +``` + + + + This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. +If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. - +If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. +If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableRemotePage_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/DisableRemotePage_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | DisableRemoteRestore | +| Friendly Name | Prevent restoring remote previous versions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemoteRestore | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## HideBackupEntries_1 - - -This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/HideBackupEntries_1 +``` + - - - - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableRemotePage_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* - - - - -
    - - -**ADMX_PreviousVersions/HideBackupEntries_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. -- If you enable this policy setting, users can't see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. -- If you disable this policy setting, users can see previous versions corresponding to backup copies and previous versions corresponding to on-disk restore points. -- If you don't configure this policy setting, it's disabled by default. +If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. - +If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. +If you do not configure this policy setting, it is disabled by default. + - -ADMX Info: -- GP Friendly name: *Hide previous versions of files on backup location* -- GP name: *HideBackupEntries_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_PreviousVersions/HideBackupEntries_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | HideBackupEntries | +| Friendly Name | Hide previous versions of files on backup location | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | HideBackupEntries | +| ADMX File Name | PreviousVersions.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + + + - - -This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + -- If you enable this policy setting, users can't see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. -- If you disable this policy setting, users can see previous versions corresponding to backup copies and previous versions corresponding to on-disk restore points. -- If you don't configure this policy setting, it's disabled by default. +## Related articles - - - - -ADMX Info: -- GP Friendly name: *Hide previous versions of files on backup location* -- GP name: *HideBackupEntries_2* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* - - - -
    - - -**ADMX_PreviousVersions/DisableLocalRestore_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. - -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. - - - - - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableLocalRestore_1* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* - - - - -
    - -**ADMX_PreviousVersions/DisableLocalRestore_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. - -- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. -- If the user clicks the Restore button, Windows attempts to restore the file from the file share. -- If you don't configure this policy setting, it's disabled by default. The Restore button is active when the previous version is of a file on a file share. - - - - -ADMX Info: -- GP Friendly name: *Prevent restoring remote previous versions* -- GP name: *DisableLocalRestore_2* -- GP path: *Windows Components\File Explorer\Previous Versions* -- GP ADMX file name: *PreviousVersions.admx* - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From a875c629fd93a89813a464f8c319453b82d474d2 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 11:12:41 -0500 Subject: [PATCH 114/152] peertopeercaching pentraining performancediagnostics --- .../mdm/policy-csp-admx-peertopeercaching.md | 883 ++++++++++-------- .../mdm/policy-csp-admx-pentraining.md | 212 +++-- .../policy-csp-admx-performancediagnostics.md | 460 ++++----- 3 files changed, 864 insertions(+), 691 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index b3727a7219..0bd323a6d7 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -1,209 +1,206 @@ --- -title: Policy CSP - ADMX_PeerToPeerCaching -description: Learn about Policy CSP - ADMX_PeerToPeerCaching. +title: ADMX_PeerToPeerCaching Policy CSP +description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PeerToPeerCaching ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PeerToPeerCaching policies + +## EnableWindowsBranchCache -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers -
    -
    - ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB -
    -
    - ADMX_PeerToPeerCaching/SetCachePercent -
    -
    - ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge -
    -
    - ADMX_PeerToPeerCaching/SetDowngrading -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache +``` + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following policy settings: + + +This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings: - Set BranchCache Distributed Cache mode + - Set BranchCache Hosted Cache mode + - Configure Hosted Cache Servers -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. -- Enabled: With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache is turned off for all client computers where the policy is applied. +Select one of the following: -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. - +- Enabled. With this selection, BranchCache is turned on for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache is turned on for all domain member client computers to which the policy is applied. +- Disabled. With this selection, BranchCache is turned off for all client computers where the policy is applied. - -ADMX Info: -- GP Friendly name: *Turn on BranchCache* -- GP name: *EnableWindowsBranchCache* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - - -
    + + + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | WBC_Enable | +| Friendly Name | Turn on BranchCache | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\Service | +| Registry Value Name | Enable | +| ADMX File Name | PeerToPeerCaching.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableWindowsBranchCache_Distributed + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed +``` + + + + This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. -- Enabled: With this selection, BranchCache distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache distributed cache mode is turned off for all client computers where the policy is applied. +Select one of the following: -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. - +- Enabled. With this selection, BranchCache distributed cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache distributed cache mode is turned on for all domain member client computers to which the policy is applied. +- Disabled. With this selection, BranchCache distributed cache mode is turned off for all client computers where the policy is applied. - -ADMX Info: -- GP Friendly name: *Set BranchCache Distributed Cache mode* -- GP name: *EnableWindowsBranchCache_Distributed* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - - -
    + + + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | WBC_Distributed_Enable | +| Friendly Name | Set BranchCache Distributed Cache mode | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching | +| Registry Value Name | Enable | +| ADMX File Name | PeerToPeerCaching.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableWindowsBranchCache_Hosted + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted +``` + + + + This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers. -When a client computer is configured as a hosted cache mode client, it's able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. +When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. -- Enabled: With this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache hosted cache mode is turned off for all client computers where the policy is applied. +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual client computers where you want to enable BranchCache. + +- Enabled. With this selection, BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example, if this policy is enabled in domain Group Policy, BranchCache hosted cache mode is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache hosted cache mode is turned off for all client computers where the policy is applied. In circumstances where this setting is enabled, you can also select and configure the following option: @@ -211,379 +208,499 @@ In circumstances where this setting is enabled, you can also select and configur Hosted cache clients must trust the server certificate that is issued to the hosted cache server. Ensure that the issuing CA certificate is installed in the Trusted Root Certification Authorities certificate store on all hosted cache client computers. -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set BranchCache Hosted Cache mode* -- GP name: *EnableWindowsBranchCache_Hosted* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WBC_HostedCache_Location | +| Friendly Name | Set BranchCache Hosted Cache mode | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableWindowsBranchCache_HostedCacheDiscovery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery +``` + - - + + This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. -If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they don't detect hosted cache servers, hosted cache mode isn't turned on, and the client uses any other configuration that is specified manually or by Group Policy. +If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. -When this policy setting is applied, the client computer performs or doesn't perform automatically hosted cache server discovery under the following circumstances: +When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances: -If no other BranchCache mode-based policy settings are applied, the client computer performs automatically hosted cache server discovery. If one or more hosted cache servers is found, the client computer self-configures for hosted cache mode. +If no other BranchCache mode-based policy settings are applied, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers is found, the client computer self-configures for hosted cache mode. -If the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy, the client computer performs automatically hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode only. +If the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode only. -If the policy setting "Set BranchCache Hosted Cache Mode" is applied, the client computer doesn't perform automatically hosted cache discovery. This restriction is also true in cases where the policy setting "Configure Hosted Cache Servers" is applied. +If the policy setting "Set BranchCache Hosted Cache Mode" is applied, the client computer does not perform automatic hosted cache discovery. This is also true in cases where the policy setting "Configure Hosted Cache Servers" is applied. This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. -If you disable, or don't configure this setting, a client won't attempt to discover hosted cache servers by service connection point. +If you disable, or do not configure this setting, a client will not attempt to discover hosted cache servers by service connection point. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy setting, and client computers don't perform hosted cache server discovery. -- Enabled: With this selection, the policy setting is applied to client computers, which perform automatically hosted cache server discovery and which are configured as hosted cache mode clients. -- Disabled: With this selection, this policy isn't applied to client computers. +Select one of the following: - +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting, and client computers do not perform hosted cache server discovery. +- Enabled. With this selection, the policy setting is applied to client computers, which perform automatic hosted cache server discovery and which are configured as hosted cache mode clients. - -ADMX Info: -- GP Friendly name: *Enable Automatic Hosted Cache Discovery by Service Connection Point* -- GP name: *EnableWindowsBranchCache_HostedCacheDiscovery* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +- Disabled. With this selection, this policy is not applied to client computers. + - - -
    + + + - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | WBC_HostedCacheDiscovery_Enable | +| Friendly Name | Enable Automatic Hosted Cache Discovery by Service Connection Point | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Discovery | +| Registry Value Name | SCPDiscoveryEnabled | +| ADMX File Name | PeerToPeerCaching.admx | + -> [!div class = "checklist"] -> * Device + + + -
    + - - + +## EnableWindowsBranchCache_HostedMultipleServers + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers +``` + + + + This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. -This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and don't use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode". +This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode." -If you don't configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. +If you do not configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache settings aren't applied to client computers by this policy setting. -- Enabled: With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers." -- Disabled: With this selection, this policy isn't applied to client computers. +Select one of the following: + +- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. + +- Enabled. With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers." + +- Disabled. With this selection, this policy is not applied to client computers. In circumstances where this setting is enabled, you can also select and configure the following option: - Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Hosted Cache Servers* -- GP name: *EnableWindowsBranchCache_HostedMultipleServers* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WBC_HostedCache_MultipleServers | +| Friendly Name | Configure Hosted Cache Servers | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\MultipleServers | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## EnableWindowsBranchCache_SMB -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB +``` + - - -This policy setting is used only when you've deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients don't cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. + + +This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache latency settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the latency setting that you use on individual client computers. -- Enabled: With this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache client computers use the default latency setting of 80 milliseconds. +Select one of the following: + +- Not Configured. With this selection, BranchCache latency settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache latency setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the latency setting that you use on individual client computers. + +- Enabled. With this selection, the BranchCache maximum round trip latency setting is enabled for all client computers where the policy is applied. For example, if Configure BranchCache for network files is enabled in domain Group Policy, the BranchCache latency setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache client computers use the default latency setting of 80 milliseconds. In circumstances where this policy setting is enabled, you can also select and configure the following option: - Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time, in milliseconds, after which BranchCache client computers begin to cache content locally. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure BranchCache for network files* -- GP name: *EnableWindowsBranchCache_SMB* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PeerToPeerCaching/SetCachePercent** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WBC_SMB_Enable | +| Friendly Name | Configure BranchCache for network files | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetCachePercent -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/SetCachePercent +``` + - - + + This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. -If you disable or don't configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. +If you disable or do not configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache client computer cache settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the client computer cache setting that you use on individual client computers. -- Enabled: With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the client computer. +Select one of the following: + +- Not Configured. With this selection, BranchCache client computer cache settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache setting that you use on individual client computers. + +- Enabled. With this selection, the BranchCache client computer cache setting is enabled for all client computers where the policy is applied. For example, if Set percentage of disk space used for client computer cache is enabled in domain Group Policy, the BranchCache client computer cache setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the client computer. In circumstances where this setting is enabled, you can also select and configure the following option: - Specify the percentage of total disk space allocated for the cache. Specifies an integer that is the percentage of total client computer disk space to use for the BranchCache client computer cache. -> [!NOTE] -> This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. +* This policy setting is supported on computers that are running Windows Vista Business, Enterprise, and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set percentage of disk space used for client computer cache* -- GP name: *SetCachePercent* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WBC_Cache_Percent | +| Friendly Name | Set percentage of disk space used for client computer cache | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetDataCacheEntryMaxAge -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge +``` + - - + + This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. -If you disable or don't configure this policy setting, the age is set to 28 days. +If you disable or do not configure this policy setting, the age is set to 28 days. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, BranchCache client computer cache age settings aren't applied to client computers by this policy. In the circumstance where client computers are domain members but you don't want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting isn't configured, it won't over-write the client computer cache age setting that you use on individual client computers. -- Enabled: With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied. -- Disabled: With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client computer. +Select one of the following: + +- Not Configured. With this selection, BranchCache client computer cache age settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache age setting that you use on individual client computers. + +- Enabled. With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied. + +- Disabled. With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client computer. In circumstances where this setting is enabled, you can also select and configure the following option: - Specify the age in days for which segments in the data cache are valid. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set age for segments in the data cache* -- GP name: *SetDataCacheEntryMaxAge* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PeerToPeerCaching/SetDowngrading** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WBC_Cache_MaxAge | +| Friendly Name | Set age for segments in the data cache | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\Retrieval | +| ADMX File Name | PeerToPeerCaching.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SetDowngrading -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PeerToPeerCaching/SetDowngrading +``` + - - -This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers don't use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. + + +This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." -If you don't configure this setting, all clients will use the version of BranchCache that matches their operating system. +If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system. -For policy configuration, select one of the following options: +Policy configuration -- Not Configured: With this selection, this policy setting isn't applied to client computers, and the clients run the version of BranchCache that is included with their operating system. -- Enabled: With this selection, this policy setting is applied to client computers based on the value of the option setting "Select from the following versions" that you specify. -- Disabled: With this selection, this policy setting isn't applied to client computers, and the clients run the version of BranchCache that is included with their operating system. +Select one of the following: + +- Not Configured. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. + +- Enabled. With this selection, this policy setting is applied to client computers based on the value of the option setting "Select from the following versions" that you specify. + +- Disabled. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. In circumstances where this setting is enabled, you can also select and configure the following option: Select from the following versions - Windows Vista with BITS 4.0 installed, Windows 7, or Windows Server 2008 R2. If you select this version, later versions of Windows run the version of BranchCache that is included in these operating systems rather than later versions of BranchCache. + - Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Client BranchCache Version Support* -- GP name: *SetDowngrading* -- GP path: *Network\BranchCache* -- GP ADMX file name: *PeerToPeerCaching.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | WBC_Downgrading | +| Friendly Name | Configure Client BranchCache Version Support | +| Location | Computer Configuration | +| Path | Network > BranchCache | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PeerDist\Service\Versioning | +| ADMX File Name | PeerToPeerCaching.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index b097ae7f99..89fc8838fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -1,138 +1,158 @@ --- -title: Policy CSP - ADMX_PenTraining -description: Learn about Policy CSP - ADMX_PenTraining. +title: ADMX_PenTraining Policy CSP +description: Learn more about the ADMX_PenTraining Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/22/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PenTraining > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PenTraining policies + +## PenTrainingOff_2 -
    -
    - ADMX_PenTraining/PenTrainingOff_1 -
    -
    - ADMX_PenTraining/PenTrainingOff_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PenTraining/PenTrainingOff_2 +``` + - -**ADMX_PenTraining/PenTrainingOff_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Turns off Tablet PC Pen Training. -- If you enable this policy setting, users can't open Tablet PC Pen Training. +If you enable this policy setting, users cannot open Tablet PC Pen Training. -- If you disable or don't configure this policy setting, users can open Tablet PC Pen Training. +If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC Pen Training* -- GP name: *PenTrainingOff_1* -- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* -- GP ADMX file name: *PenTraining.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PenTraining/PenTrainingOff_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | PenTrainingOff | +| Friendly Name | Turn off Tablet PC Pen Training | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PenTraining | +| Registry Value Name | DisablePenTraining | +| ADMX File Name | PenTraining.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PenTrainingOff_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_PenTraining/PenTrainingOff_1 +``` + - - + + Turns off Tablet PC Pen Training. -- If you enable this policy setting, users can't open Tablet PC Pen Training. +If you enable this policy setting, users cannot open Tablet PC Pen Training. -- If you disable or don't configure this policy setting, users can open Tablet PC Pen Training. +If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Tablet PC Pen Training* -- GP name: *PenTrainingOff_2* -- GP path: *Windows Components\Tablet PC\Tablet PC Pen Training* -- GP ADMX file name: *PenTraining.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | PenTrainingOff | +| Friendly Name | Turn off Tablet PC Pen Training | +| Location | User Configuration | +| Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PenTraining | +| Registry Value Name | DisablePenTraining | +| ADMX File Name | PenTraining.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index e3cb20c6c1..4b5fd02e91 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -1,274 +1,310 @@ --- -title: Policy CSP - ADMX_PerformanceDiagnostics -description: Learn about Policy CSP - ADMX_PerformanceDiagnostics. +title: ADMX_PerformanceDiagnostics Policy CSP +description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PerformanceDiagnostics ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PerformanceDiagnostics policies + +## WdiScenarioExecutionPolicy_1 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3 -
    -
    - ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1 +``` + -
    + + +Determines the execution level for Windows Boot Performance Diagnostics. - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1** +If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. - +If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default. - -
    +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +No system restart or service restart is required for this policy to take effect: changes take effect immediately. -> [!div class = "checklist"] -> * Device +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -
    + + + - - -This policy setting determines the execution level for Windows Boot Performance Diagnostics. + +**Description framework properties**: -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -If you don't configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default. +**ADMX mapping**: -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Boot Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + ->[!Note] ->No system restart or service restart is required for this policy to take effect; changes take effect immediately. + + + -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + +## WdiScenarioExecutionPolicy_2 + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_1* -- GP path: *System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2 +``` + - - -
    + + +Determines the execution level for Windows System Responsiveness Diagnostics. - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2** +If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows System Responsiveness problems and indicate to the user that assisted resolution is available. - +If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows System Responsiveness problems that are handled by the DPS. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you do not configure this policy setting, the DPS will enable Windows System Responsiveness for resolution by default. - -
    +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +No system restart or service restart is required for this policy to take effect: changes take effect immediately. -> [!div class = "checklist"] -> * Device +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -
    + + + - - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows System Responsiveness Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + + + + + + + + + +## WdiScenarioExecutionPolicy_3 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3 +``` + + + + +Determines the execution level for Windows Shutdown Performance Diagnostics. + +If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. + +If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS. + +If you do not configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +No system restart or service restart is required for this policy to take effect: changes take effect immediately. + +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Shutdown Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + + + + + + + + + +## WdiScenarioExecutionPolicy_4 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4 +``` + + + + Determines the execution level for Windows Standby/Resume Performance Diagnostics. -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. +If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. +If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. -If you don't configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. +If you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No system restart or service restart is required for this policy to take effect: changes take effect immediately. -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_2* -- GP path: *System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Standby/Resume Performance Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | PerformanceDiagnostics.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting determines the execution level for Windows Shutdown Performance Diagnostics. - -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. - -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS. - -If you don't configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default. - -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. - -No system restart or service restart is required for this policy to take effect: changes take effect immediately. - -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. - - - - - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_3* -- GP path: *System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* - - - -
    - - -**ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -Determines the execution level for Windows Standby/Resume Performance Diagnostics. - -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. - -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. - -If you don't configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. - -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. - -No system restart or service restart is required for this policy to take effect: changes take effect immediately. - -This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. - - - - - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy_4* -- GP path: *System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics* -- GP ADMX file name: *PerformanceDiagnostics.admx* - - - -
    - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 9dfab7a8a30c05c6ddc0971b0beb542fdb6f998d Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 12:33:24 -0500 Subject: [PATCH 115/152] networkconnections offlinefiles pca --- .../mdm/policy-csp-admx-networkconnections.md | 2818 +++++----- .../mdm/policy-csp-admx-offlinefiles.md | 4579 +++++++++-------- .../mdm/policy-csp-admx-pca.md | 730 +-- 3 files changed, 4389 insertions(+), 3738 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index c027b216d6..a18568b85f 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -1,1020 +1,1249 @@ --- -title: Policy CSP - ADMX_NetworkConnections -description: Learn about Policy CSP - ADMX_NetworkConnections. +title: ADMX_NetworkConnections Policy CSP +description: Learn more about the ADMX_NetworkConnections Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_NetworkConnections ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -
    - - -## ADMX_NetworkConnections policies - -
    -
    - ADMX_NetworkConnections/NC_AddRemoveComponents -
    -
    - ADMX_NetworkConnections/NC_AdvancedSettings -
    -
    - ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig -
    -
    - ADMX_NetworkConnections/NC_ChangeBindState -
    -
    - ADMX_NetworkConnections/NC_DeleteAllUserConnection -
    -
    - ADMX_NetworkConnections/NC_DeleteConnection -
    -
    - ADMX_NetworkConnections/NC_DialupPrefs -
    -
    - ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon -
    -
    - ADMX_NetworkConnections/NC_EnableAdminProhibits -
    -
    - ADMX_NetworkConnections/NC_ForceTunneling -
    -
    - ADMX_NetworkConnections/NC_IpStateChecking -
    -
    - ADMX_NetworkConnections/NC_LanChangeProperties -
    -
    - ADMX_NetworkConnections/NC_LanConnect -
    -
    - ADMX_NetworkConnections/NC_LanProperties -
    -
    - ADMX_NetworkConnections/NC_NewConnectionWizard -
    -
    - ADMX_NetworkConnections/NC_PersonalFirewallConfig -
    -
    - ADMX_NetworkConnections/NC_RasAllUserProperties -
    -
    - ADMX_NetworkConnections/NC_RasChangeProperties -
    -
    - ADMX_NetworkConnections/NC_RasConnect -
    -
    - ADMX_NetworkConnections/NC_RasMyProperties -
    -
    - ADMX_NetworkConnections/NC_RenameAllUserRasConnection -
    -
    - ADMX_NetworkConnections/NC_RenameConnection -
    -
    - ADMX_NetworkConnections/NC_RenameLanConnection -
    -
    - ADMX_NetworkConnections/NC_RenameMyRasConnection -
    -
    - ADMX_NetworkConnections/NC_ShowSharedAccessUI -
    -
    - ADMX_NetworkConnections/NC_Statistics -
    -
    - ADMX_NetworkConnections/NC_StdDomainUserSetLocation -
    -
    - - -
    - - -**ADMX_NetworkConnections/NC_AddRemoveComponents** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators aren't permitted to access network components in the Windows Components Wizard. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. - -The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). - -The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections. - -> [!NOTE] -> When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. -> -> Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit adding and removing components for a LAN or remote access connection* -- GP name: *NC_AddRemoveComponents* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_AdvancedSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. - -The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, the Advanced Settings item is enabled for administrators. - -> [!NOTE] -> Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit access to the Advanced Settings item on the Advanced menu* -- GP name: *NC_AdvancedSettings* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether users can configure advanced TCP/IP settings. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users can't open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. - -This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users can't gain access to the Advanced button for TCP/IP configuration. - -Changing this setting from Enabled to Not Configured doesn't enable the Advanced button until the user signs out. - -> [!NOTE] -> Nonadministrators (excluding Network Configuration Operators) don't have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. - > [!TIP] -> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit TCP/IP advanced configuration* -- GP name: *NC_AllowAdvancedTCPIPConfig* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_ChangeBindState** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting Determines whether administrators can enable and disable the components used by LAN connections. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators can't enable or disable the components that a connection uses. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. - -> [!NOTE] -> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit Enabling/Disabling components of a LAN connection* -- GP name: *NC_ChangeBindState* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_DeleteAllUserConnection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether users can delete all user remote access connections. - -To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. - -If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. - -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) can't delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you don't configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. - -When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) can't delete any remote access connections, and this setting is ignored. - -> [!NOTE] -> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You can't use the Network Connections folder to create or delete a LAN connection. +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - + + + + +## NC_DoNotShowLocalOnlyIcon - -ADMX Info: -- GP Friendly name: *Ability to delete all user remote access connections* -- GP name: *NC_DeleteAllUserConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +``` + - -**ADMX_NetworkConnections/NC_DeleteConnection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether users can delete remote access connections. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) can't delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, all users can delete their private remote access connections. Private connections are those connections that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) - -When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users can't delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. - -> [!NOTE] -> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You can't use the Network Connections folder to create or delete a LAN connection. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit deletion of remote access connections* -- GP name: *NC_DeleteConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_DialupPrefs** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. - -The Remote Access Preferences item lets users create and change connections before signing in and configure automatic dialing and callback features. - -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). - -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. - -If you disable this setting or don't configure it, the Remote Access Preferences item is enabled for all users. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit access to the Remote Access Preferences item on the Advanced menu* -- GP name: *NC_DialupPrefs* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies whether or not the "local access only" network icon will be shown. + + +Specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. -If you disable this setting or don't configure it, the "local access only" icon will be used when a user is connected to a network with local access only. +If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not show the "local access only" network icon* -- GP name: *NC_DoNotShowLocalOnlyIcon* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_EnableAdminProhibits** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_DoNotShowLocalOnlyIcon | +| Friendly Name | Do not show the "local access only" network icon | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DoNotShowLocalOnlyIcon | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_ForceTunneling -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ForceTunneling +``` + - - -This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. - -The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. - -By default, Network Connections group settings in Windows don't have the ability to prohibit the use of features from Administrators. - -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows behave the same for administrators. - -If you disable this setting or don't configure it, Windows settings that existed in Windows 2000 won't apply to administrators. - - - - - - - -ADMX Info: -- GP Friendly name: *Enable Windows 2000 Network Connections settings for Administrators* -- GP name: *NC_EnableAdminProhibits* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_ForceTunneling** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. + + +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. -If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet isn't routed through the internal network. +If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. -If you don't configure this policy setting, traffic between remote client computers running DirectAccess and the Internet isn't routed through the internal network. +If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Route all traffic through the internal network* -- GP name: *NC_ForceTunneling* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_IpStateChecking** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_ForceTunneling | +| Friendly Name | Route all traffic through the internal network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_PersonalFirewallConfig -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_PersonalFirewallConfig +``` + - - -This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This retrieval failure is often signified by the assignment of an automatic private IP address"(that is, an IP address in the range 169.254.*.*). This assignment indicates that a DHCP server couldn't be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. + + +Prohibits use of Internet Connection Firewall on your DNS domain network. -If you enable this policy setting, this condition won't be reported as an error to the user. +Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. -If you disable or don't configure this policy setting, a DHCP-configured connection that hasn't been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. +Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. - +The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. +If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. - -ADMX Info: -- GP Friendly name: *Turn off notifications when a connection has only limited or no connectivity* -- GP name: *NC_IpStateChecking* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +Note: If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. - - -
    +If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. + - -**ADMX_NetworkConnections/NC_LanChangeProperties** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * User +| Name | Value | +|:--|:--| +| Name | NC_PersonalFirewallConfig | +| Friendly Name | Prohibit use of Internet Connection Firewall on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_PersonalFirewallConfig | +| ADMX File Name | NetworkConnections.admx | + -
    + + + - - -This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. + + + +## NC_ShowSharedAccessUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ShowSharedAccessUI +``` + + + + +Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. + +ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. + +If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. + +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) + +By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. + +Note: Internet Connection Sharing is only available when two or more network connections are present. + +Note: When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. + +Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. + +Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_ShowSharedAccessUI | +| Friendly Name | Prohibit use of Internet Connection Sharing on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ShowSharedAccessUI | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_StdDomainUserSetLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_StdDomainUserSetLocation +``` + + + + +This policy setting determines whether to require domain users to elevate when setting a network's location. + +If you enable this policy setting, domain users must elevate when setting a network's location. + +If you disable or do not configure this policy setting, domain users can set a network's location without elevating. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_StdDomainUserSetLocation | +| Friendly Name | Require domain users to elevate when setting a network's location | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_StdDomainUserSetLocation | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_AddRemoveComponents + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_AddRemoveComponents +``` + + + + +Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. + +The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). + +The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections. + +Note: When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. + +Note: Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_AddRemoveComponents | +| Friendly Name | Prohibit adding and removing components for a LAN or remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AddRemoveComponents | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_AdvancedSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_AdvancedSettings +``` + + + + +Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. + +The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators. + +Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_AdvancedSettings | +| Friendly Name | Prohibit access to the Advanced Settings item on the Advanced menu | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AdvancedSettings | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_AllowAdvancedTCPIPConfig + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig +``` + + + + +Determines whether users can configure advanced TCP/IP settings. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. + +Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration. + +Note: Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. + +Tip: To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. + +Note: Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_AllowAdvancedTCPIPConfig | +| Friendly Name | Prohibit TCP/IP advanced configuration | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_AllowAdvancedTCPIPConfig | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_ChangeBindState + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ChangeBindState +``` + + + + +Determines whether administrators can enable and disable the components used by LAN connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. + +Note: When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. + +Note: Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_ChangeBindState | +| Friendly Name | Prohibit Enabling/Disabling components of a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ChangeBindState | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_DeleteAllUserConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DeleteAllUserConnection +``` + + + + +Determines whether users can delete all user remote access connections. + +To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. + +Important: When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. + +Note: LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. + +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_DeleteAllUserConnection | +| Friendly Name | Ability to delete all user remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DeleteAllUserConnection | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_DeleteConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DeleteConnection +``` + + + + +Determines whether users can delete remote access connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) + +Important: When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. + +Note: LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. + +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_DeleteConnection | +| Friendly Name | Prohibit deletion of remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DeleteConnection | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_DialupPrefs + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DialupPrefs +``` + + + + +Determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled. + +The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). + +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_DialupPrefs | +| Friendly Name | Prohibit access to the Remote Access Preferences item on the Advanced menu | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DialupPrefs | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_EnableAdminProhibits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_EnableAdminProhibits +``` + + + + +Determines whether settings that existed in Windows 2000 Server family will apply to Administrators. + +The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. + +By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. + +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. + +If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. + +Note: This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_EnableAdminProhibits | +| Friendly Name | Enable Windows 2000 Network Connections settings for Administrators | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_EnableAdminProhibits | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_IpStateChecking + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_IpStateChecking +``` + + + + +This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. + +If you enable this policy setting, this condition will not be reported as an error to the user. + +If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_IpStateChecking | +| Friendly Name | Turn off notifications when a connection has only limited or no connectivity | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_IpStateChecking | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + + +## NC_LanChangeProperties + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_LanChangeProperties +``` + + + + +Determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting doesn't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Properties button is enabled for administrators and Network Configuration Operators. +If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators. The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -> [!NOTE] -> Not all network components have configurable properties. For components that aren't configurable, the Properties button is always disabled. -> -> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. -> -> Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. -> -> Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. +Note: Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. - +Note: When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. +Note: Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. - -ADMX Info: -- GP Friendly name: *Prohibit access to properties of components of a LAN connection* -- GP name: *NC_LanChangeProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +Note: Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. + - - -
    + + + - -**ADMX_NetworkConnections/NC_LanConnect** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Name | Value | +|:--|:--| +| Name | NC_LanChangeProperties | +| Friendly Name | Prohibit access to properties of components of a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_LanChangeProperties | +| ADMX File Name | NetworkConnections.admx | + -> [!div class = "checklist"] -> * User + + + -
    + - - -This policy setting determines whether users can enable/disable LAN connections. + +## NC_LanConnect + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_LanConnect +``` + + + + +Determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you don't configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. +If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. -> [!NOTE] -> Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. +Note: Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Ability to Enable/Disable a LAN connection* -- GP name: *NC_LanConnect* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_LanProperties** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_LanConnect | +| Friendly Name | Ability to Enable/Disable a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_LanConnect | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_LanProperties -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_LanProperties +``` + - - -This policy setting determines whether users can change the properties of a LAN connection. + + +Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users can't open the Local Area Connection Properties dialog box. +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. +If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. -> [!NOTE] -> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. -> -> Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. +Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. - +Note: Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit access to properties of a LAN connection* -- GP name: *NC_LanProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_NewConnectionWizard** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_LanProperties | +| Friendly Name | Prohibit access to properties of a LAN connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_LanProperties | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_NewConnectionWizard -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_NewConnectionWizard +``` + -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon doesn't appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) can't start the New Connection Wizard. + + +Determines whether users can use the New Connection Wizard, which creates new network connections. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. -If you disable this setting or don't configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -> [!NOTE] -> Changing this setting from Enabled to Not Configured doesn't restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon doesn't appear or disappear in the Network Connections folder until the folder is refreshed. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. - +Note: Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + - -ADMX Info: -- GP Friendly name: *Prohibit access to the New Connection Wizard* -- GP name: *NC_NewConnectionWizard* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_NetworkConnections/NC_PersonalFirewallConfig** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NC_NewConnectionWizard | +| Friendly Name | Prohibit access to the New Connection Wizard | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_NewConnectionWizard | +| ADMX File Name | NetworkConnections.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## NC_RasAllUserProperties - - -This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasAllUserProperties +``` + -> [!IMPORTANT] -> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting doesn't apply. - -The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. - -If you enable this setting, Internet Connection Firewall can't be enabled or configured by users (including administrators), and the Internet Connection Firewall service can't run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall isn't enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. - -If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. - -If you disable this setting or don't configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit use of Internet Connection Firewall on your DNS domain network* -- GP name: *NC_PersonalFirewallConfig* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_RasAllUserProperties** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. + + +Determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1022,168 +1251,205 @@ This setting determines whether the Properties menu item is enabled, and thus, w If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) can't open the remote access connection properties dialog box. +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you don't configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. +If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. -> [!NOTE] -> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +Note: This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. - +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + - -ADMX Info: -- GP Friendly name: *Ability to change properties of an all user remote access connection* -- GP name: *NC_RasAllUserProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RasChangeProperties** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RasAllUserProperties | +| Friendly Name | Ability to change properties of an all user remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasAllUserProperties | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RasChangeProperties -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasChangeProperties +``` + + + + +Determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting doesn't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Properties button is enabled for all users. +If you disable this setting or do not configure it, the Properties button is enabled for all users. The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -> [!NOTE] -> Not all network components have configurable properties. For components that aren't configurable, the Properties button is always disabled. -> -> When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +Note: Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. - +Note: When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + - -ADMX Info: -- GP Friendly name: *Prohibit access to properties of components of a remote access connection* -- GP name: *NC_RasChangeProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_NetworkConnections/NC_RasConnect** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | NC_RasChangeProperties | +| Friendly Name | Prohibit access to properties of components of a remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasChangeProperties | +| ADMX File Name | NetworkConnections.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * User + -
    + +## NC_RasConnect - - -This policy setting determines whether users can connect and disconnect remote access connections. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasConnect +``` + + + + +Determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. +If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit connecting and disconnecting a remote access connection* -- GP name: *NC_RasConnect* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_RasMyProperties** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_RasConnect | +| Friendly Name | Prohibit connecting and disconnecting a remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasConnect | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_RasMyProperties -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RasMyProperties +``` + - - -This policy setting determines whether users can view and change the properties of their private remote access connections. + + +Determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1191,57 +1457,69 @@ This setting determines whether the Properties menu item is enabled, and thus, w If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. +If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. -> [!NOTE] -> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +Note: This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. - +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit changing properties of a private remote access connection* -- GP name: *NC_RasMyProperties* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RenameAllUserRasConnection** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RasMyProperties | +| Friendly Name | Prohibit changing properties of a private remote access connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RasMyProperties | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RenameAllUserRasConnection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether nonadministrators can rename all-user remote access connections. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameAllUserRasConnection +``` + + + + +Determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1249,353 +1527,321 @@ If you enable this setting, the Rename option is enabled for all-user remote acc If you disable this setting, the Rename option is disabled for nonadministrators only. -If you don't configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. +If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. -> [!NOTE] -> This setting doesn't apply to Administrators. +Note: This setting does not apply to Administrators -When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting doesn't apply. +Note: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply. -This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Ability to rename all user remote access connections* -- GP name: *NC_RenameAllUserRasConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_RenameConnection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_RenameAllUserRasConnection | +| Friendly Name | Ability to rename all user remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameAllUserRasConnection | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_RenameConnection -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameConnection +``` + - - -This policy setting Determines whether users can rename LAN or all user remote access connections. + + +Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If this setting isn't configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. +If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. -> [!NOTE] -> When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. -> -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to rename remote access connections. +Note: When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. - +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. + + + + - -ADMX Info: -- GP Friendly name: *Ability to rename LAN connections or remote access connections available to all users* -- GP name: *NC_RenameConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NetworkConnections/NC_RenameLanConnection** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NC_RenameConnection | +| Friendly Name | Ability to rename LAN connections or remote access connections available to all users | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameConnection | +| ADMX File Name | NetworkConnections.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## NC_RenameLanConnection -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether nonadministrators can rename a LAN connection. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameLanConnection +``` + + + + +Determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. If you disable this setting, the Rename option is disabled for nonadministrators only. -If you don't configure this setting, only Administrators and Network Configuration Operators can rename LAN connections +If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections -> [!NOTE] -> This setting doesn't apply to Administrators. +Note: This setting does not apply to Administrators. -When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting doesn't apply. +Note: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Ability to rename LAN connections* -- GP name: *NC_RenameLanConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_RenameMyRasConnection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_RenameLanConnection | +| Friendly Name | Ability to rename LAN connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameLanConnection | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_RenameMyRasConnection -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_RenameMyRasConnection +``` + - - -This policy setting determines whether users can rename their private remote access connections. + + +Determines whether users can rename their private remote access connections. -Private connections are those connections that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. +Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. +If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. -> [!NOTE] -> This setting doesn't prevent users from using other programs, such as Internet Explorer, to bypass this setting. +Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit renaming private remote access connections* -- GP name: *NC_RenameMyRasConnection* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_ShowSharedAccessUI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_RenameMyRasConnection | +| Friendly Name | Prohibit renaming private remote access connections | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_RenameMyRasConnection | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NC_Statistics -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_Statistics +``` + - - -This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. - -ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. - -If you enable this setting, ICS can't be enabled or configured by administrators, and the ICS service can't run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. - -If you disable this setting or don't configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. - -By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When administrators are running the New Connection Wizard or Network Setup Wizard, they can choose to enable ICS. - -> [!NOTE] -> Internet Connection Sharing is only available when two or more network connections are present. - -When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. - -Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. - -Disabling this setting doesn't prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit use of Internet Connection Sharing on your DNS domain network* -- GP name: *NC_ShowSharedAccessUI* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - -**ADMX_NetworkConnections/NC_Statistics** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether users can view the status for an active connection. + + +Determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. -If you enable this setting, the connection status taskbar icon and Status dialog box aren't available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users can't choose to show the connection icon in the taskbar from the Connection Properties dialog box. +If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box. -If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting won't apply to administrators on post-Windows 2000 computers. +Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or don't configure it, the connection status taskbar icon and Status dialog box are available to all users. +If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit viewing of status for an active connection* -- GP name: *NC_Statistics* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NetworkConnections/NC_StdDomainUserSetLocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NC_Statistics | +| Friendly Name | Prohibit viewing of status for an active connection | +| Location | User Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_Statistics | +| ADMX File Name | NetworkConnections.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    +## Related articles - - -This policy setting determines whether to require domain users to elevate when setting a network's location. - -If you enable this policy setting, domain users must elevate when setting a network's location. - -If you disable or don't configure this policy setting, domain users can set a network's location without elevating. - - - - - -ADMX Info: -- GP Friendly name: *Require domain users to elevate when setting a network's location* -- GP name: *NC_StdDomainUserSetLocation* -- GP path: *Network\Network Connections* -- GP ADMX file name: *NetworkConnections.admx* - - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 3105a17fd2..beeb09f493 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,2663 +1,3012 @@ --- -title: Policy CSP - ADMX_OfflineFiles -description: Learn about Policy CSP - ADMX_OfflineFiles. +title: ADMX_OfflineFiles Policy CSP +description: Learn more about the ADMX_OfflineFiles Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/21/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_OfflineFiles ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_OfflineFiles policies + +## Pol_AlwaysPinSubFolders -
    -
    - ADMX_OfflineFiles/Pol_AlwaysPinSubFolders -
    -
    - ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 -
    -
    - ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2 -
    -
    - ADMX_OfflineFiles/Pol_BackgroundSyncSettings -
    -
    - ADMX_OfflineFiles/Pol_CacheSize -
    -
    - ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 -
    -
    - ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2 -
    -
    - ADMX_OfflineFiles/Pol_DefCacheSize -
    -
    - ADMX_OfflineFiles/Pol_Enabled -
    -
    - ADMX_OfflineFiles/Pol_EncryptOfflineFiles -
    -
    - ADMX_OfflineFiles/Pol_EventLoggingLevel_1 -
    -
    - ADMX_OfflineFiles/Pol_EventLoggingLevel_2 -
    -
    - ADMX_OfflineFiles/Pol_ExclusionListSettings -
    -
    - ADMX_OfflineFiles/Pol_ExtExclusionList -
    -
    - ADMX_OfflineFiles/Pol_GoOfflineAction_1 -
    -
    - ADMX_OfflineFiles/Pol_GoOfflineAction_2 -
    -
    - ADMX_OfflineFiles/Pol_NoCacheViewer_1 -
    -
    - ADMX_OfflineFiles/Pol_NoCacheViewer_2 -
    -
    - ADMX_OfflineFiles/Pol_NoConfigCache_1 -
    -
    - ADMX_OfflineFiles/Pol_NoConfigCache_2 -
    -
    - ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 -
    -
    - ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2 -
    -
    - ADMX_OfflineFiles/Pol_NoPinFiles_1 -
    -
    - ADMX_OfflineFiles/Pol_NoPinFiles_2 -
    -
    - ADMX_OfflineFiles/Pol_NoReminders_1 -
    -
    - ADMX_OfflineFiles/Pol_NoReminders_2 -
    -
    - ADMX_OfflineFiles/Pol_OnlineCachingSettings -
    -
    - ADMX_OfflineFiles/Pol_PurgeAtLogoff -
    -
    - ADMX_OfflineFiles/Pol_QuickAdimPin -
    -
    - ADMX_OfflineFiles/Pol_ReminderFreq_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderFreq_2 -
    -
    - ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderInitTimeout_2 -
    -
    - ADMX_OfflineFiles/Pol_ReminderTimeout_1 -
    -
    - ADMX_OfflineFiles/Pol_ReminderTimeout_2 -
    -
    - ADMX_OfflineFiles/Pol_SlowLinkSettings -
    -
    - ADMX_OfflineFiles/Pol_SlowLinkSpeed -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogoff_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogoff_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogon_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtLogon_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtSuspend_1 -
    -
    - ADMX_OfflineFiles/Pol_SyncAtSuspend_2 -
    -
    - ADMX_OfflineFiles/Pol_SyncOnCostedNetwork -
    -
    - ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1 -
    -
    - ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AlwaysPinSubFolders +``` + -
    + + +Makes subfolders available offline whenever their parent folder is made available offline. - -**ADMX_OfflineFiles/Pol_AlwaysPinSubFolders** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting makes subfolders available offline whenever their parent folder is made available offline. - -This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users don't have the option of excluding subfolders. +This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. -If you disable this setting or don't configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. +If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Subfolders always available offline* -- GP name: *Pol_AlwaysPinSubFolders* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_AlwaysPinSubFolders | +| Friendly Name | Subfolders always available offline | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | AlwaysPinSubFolders | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_AssignedOfflineFiles_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2 +``` + - - -This policy setting lists network files and folders that are always available for offline use. Activation of this policy setting ensures that the specified files and folders are available offline to users of the computer. + + +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. -If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted. And, no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). +If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). -If you don't configure this policy setting, no files or folders are made available for offline use by Group Policy. +If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. +Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify administratively assigned Offline Files* -- GP name: *Pol_AssignedOfflineFiles_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_AssignedOfflineFiles | +| Friendly Name | Specify administratively assigned Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_BackgroundSyncSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_BackgroundSyncSettings +``` + - - -This policy setting lists network files and folders that are always available for offline use. Activation of this policy setting ensures that the specified files and folders are available offline to users of the computer. + + +This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. -If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. - -If you disable this policy setting, the list of files or folders made always available offline (including those files or folders inherited from lower precedence GPOs) is deleted. And, no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). - -If you don't configure this policy setting, no files or folders are made available for offline use by Group Policy. - -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. - - - - - -ADMX Info: -- GP Friendly name: *Specify administratively assigned Offline Files* -- GP name: *Pol_AssignedOfflineFiles_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_BackgroundSyncSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who signs in to the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. - -If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server regularly. +If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. You can also configure Background Sync for network shares that are in user selected Work Offline mode. This mode is in effect when a user selects the Work Offline button for a specific share. When selected, all configured settings will apply to shares in user selected Work Offline mode as well. -If you disable or don't configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval, with the start of the sync varying between 0 and 60 extra minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. +If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Background Sync* -- GP name: *Pol_BackgroundSyncSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_CacheSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_BackgroundSyncSettings | +| Friendly Name | Configure Background Sync | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | BackgroundSyncEnabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_CacheSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CacheSize +``` + - - -This policy setting limits the volume of disk space that can be used to store offline files. This volume includes the space used by automatically cached files and files that are made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. + + +This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share. -This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This disablement prevents users from trying to change the option while a policy setting controls it. +This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. If you enable this policy setting, you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can be used by automatically cached files. -If you disable this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. +If you disable this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. -If you don't configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. +If you do not configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. -If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjusted downward to 100 percent of the size of the drive. +If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjusted downward to 100 percent of the size of the drive. -If you enable this setting and specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full. +If you enable this setting and specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full. If you enable this setting and specify an auto-cached space limit greater than the total size limit, the auto-cached limit is automatically adjusted downward to equal the total size limit. This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Limit disk space used by Offline Files* -- GP name: *Pol_CacheSize* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. - -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - -- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. - -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. - -If you don't configure this setting, users can work offline by default, but they can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + > [!TIP] -> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -Also, see the "Non-default server disconnect actions" setting. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_CacheSize | +| Friendly Name | Limit disk space used by Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_CustomGoOfflineActions_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + - - -
    + +## Pol_CustomGoOfflineActions_2 - -**ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2 +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. - -
    +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are disconnected from this server, or type "1" if they cannot. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. -> [!div class = "checklist"] -> * Device +Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. + -
    + + + - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + +**Description framework properties**: -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - -- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. - -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. - -If you don't configure this setting, users can work offline by default, but they can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + > [!TIP] -> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -Also, see the "Non-default server disconnect actions" setting. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_CustomGoOfflineActions | +| Friendly Name | Non-default server disconnect actions | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_CustomGoOfflineActions_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + - - -
    + +## Pol_DefCacheSize - -**ADMX_OfflineFiles/Pol_DefCacheSize** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_DefCacheSize +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + Limits the percentage of the computer's disk space that can be used to store automatically cached offline files. -This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. Automatic caching can be set on any network share. When a user opens a file on the share, the system automatically stores a copy of the file on the user's computer. -This setting doesn't limit the disk space available for files that user's make available offline manually. +This setting does not limit the disk space available for files that user's make available offline manually. If you enable this setting, you can specify an automatic-cache disk space limit. If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the system drive. -If you don't configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it. +If you do not configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it. +Tip: To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_DefCacheSize | +| Friendly Name | Default cache size | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Default cache size* -- GP name: *Pol_DefCacheSize* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_Enabled** + +## Pol_Enabled - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_Enabled +``` + - -
    + + +This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +If you enable this policy setting, Offline Files is enabled and users cannot disable it. -> [!div class = "checklist"] -> * Device +If you disable this policy setting, Offline Files is disabled and users cannot enable it. -
    +If you do not configure this policy setting, Offline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. - - -This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer isn't connected to the network. +Note: Changes to this policy setting do not take effect until the affected computer is restarted. + -If you enable this policy setting, Offline Files is enabled and users can't disable it. + + + -If you disable this policy setting, Offline Files is disabled and users can't enable it. + +**Description framework properties**: -If you don't configure this policy setting, Offline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!NOTE] -> Changes to this policy setting don't take effect until the affected computer is restarted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_Enabled | +| Friendly Name | Allow or Disallow use of the Offline Files feature | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | Enabled | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Allow or Disallow use of the Offline Files feature* -- GP name: *Pol_Enabled* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_EncryptOfflineFiles** + +## Pol_EncryptOfflineFiles - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EncryptOfflineFiles +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. -If you enable this policy setting, all files in the Offline Files cache are encrypted. These files include existing files and files added later. The cached copy on the local computer is affected, but the associated network copy isn't. The user can't unencrypt Offline Files through the user interface. +If you enable this policy setting, all files in the Offline Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface. -If you disable this policy setting, all files in the Offline Files cache are unencrypted. These files include existing files and files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy isn't. The user can't encrypt Offline Files through the user interface. +If you disable this policy setting, all files in the Offline Files cache are unencrypted. This includes existing files as well as files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot encrypt Offline Files through the user interface. -If you don't configure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it's fully encrypted. The cache doesn't return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache. +If you do not configure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache. -> [!NOTE] -> By default, this cache is protected on NTFS partitions by ACLs. +Note: By default, this cache is protected on NTFS partitions by ACLs. -This setting is applied at user sign-in. If this setting is changed after user sign-in, then user sign-out and sign-in is required for this setting to take effect. - +This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. + + + + - -ADMX Info: -- GP Friendly name: *Encrypt the Offline Files cache* -- GP name: *Pol_EncryptOfflineFiles* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_OfflineFiles/Pol_EventLoggingLevel_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Pol_EncryptOfflineFiles | +| Friendly Name | Encrypt the Offline Files cache | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | EncryptCache | +| ADMX File Name | OfflineFiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Pol_EventLoggingLevel_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines which events the Offline Files feature records in the event log. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EventLoggingLevel_2 +``` + -Offline Files records events in the Application login Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record. + + +Determines which events the Offline Files feature records in the event log. + +Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. -- "0" records an error when the offline storage cache is corrupted. +"0" records an error when the offline storage cache is corrupted. -- "1" also records an event when the server hosting the offline file is disconnected from the network. +"1" also records an event when the server hosting the offline file is disconnected from the network. -- "2" also records events when the local computer is connected and disconnected from the network. +"2" also records events when the local computer is connected and disconnected from the network. -- "3" also records an event when the server hosting the offline file is reconnected to the network. +"3" also records an event when the server hosting the offline file is reconnected to the network. -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Event logging level* -- GP name: *Pol_EventLoggingLevel_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_EventLoggingLevel_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_EventLoggingLevel | +| Friendly Name | Event logging level | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ExclusionListSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ExclusionListSettings +``` + - - -This policy setting determines which events the Offline Files feature records in the event log. - -Offline Files records events in the Application login Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify the other events you want Offline Files to record. - -To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. - -- "0" records an error when the offline storage cache is corrupted. -- "1" also records an event when the server hosting the offline file is disconnected from the network. -- "2" also records events when the local computer is connected and disconnected from the network. -- "3" also records an event when the server hosting the offline file is reconnected to the network. - -> [!NOTE] -> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - -ADMX Info: -- GP Friendly name: *Event logging level* -- GP name: *Pol_EventLoggingLevel_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_ExclusionListSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. -If you disable or don't configure this policy setting, a user can create a file of any type in the folders that have been made available offline. +If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable file screens* -- GP name: *Pol_ExclusionListSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_ExtExclusionList** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ExclusionListSettings | +| Friendly Name | Enable file screens | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ExtExclusionList -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ExtExclusionList +``` + - - -Lists types of files that can't be used offline. + + +Lists types of files that cannot be used offline. -This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system doesn't cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type can't be made available offline." +This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline." -This setting is designed to protect files that can't be separated, such as database components. +This setting is designed to protect files that cannot be separated, such as database components. To use this setting, type the file name extension in the "Extensions" box. To type more than one extension, separate the extensions with a semicolon (;). -> [!NOTE] -> To make changes to this setting effective, you must log off and log on again. +Note: To make changes to this setting effective, you must log off and log on again. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Files not cached* -- GP name: *Pol_ExtExclusionList* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_GoOfflineAction_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ExtExclusionList | +| Friendly Name | Files not cached | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_GoOfflineAction_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_GoOfflineAction_2 +``` + - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + + +Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. +This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. If you enable this setting, you can use the "Action" box to specify how computers in the group respond. -- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. +-- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. -- "Never go offline" indicates that network files aren't available while the server is inaccessible. +-- "Never go offline" indicates that network files are not available while the server is inaccessible. If you disable this setting or select the "Work offline" option, users can work offline if disconnected. -If you don't configure this setting, users can work offline by default, but they can change this option. +If you do not configure this setting, users can work offline by default, but they can change this option. -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -> [!TIP] -> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default server disconnect actions" setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_GoOfflineAction_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_GoOfflineAction_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. - -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - -- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. - -- "Never go offline" indicates that network files aren't available while the server is inaccessible. - -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. - -If you don't configure this setting, users can work offline by default, but they can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + > [!TIP] -> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -Also, see the "Non-default server disconnect actions" setting. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_GoOfflineAction | +| Friendly Name | Action on server disconnect | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + - -ADMX Info: -- GP Friendly name: *Action on server disconnect* -- GP name: *Pol_GoOfflineAction_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + - - -
    + +## Pol_NoCacheViewer_2 - -**ADMX_OfflineFiles/Pol_NoCacheViewer_1** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoCacheViewer_2 +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +Disables the Offline Files folder. - -
    +This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting disables the Offline Files folder. - -This setting disables the "View Files" button on the Offline Files tab. As a result, users can't use the Offline Files folder to view or open copies of network files stored on their computer. Also, they can't use the folder to view characteristics of offline files, such as their server status, type, or location. - -This setting doesn't prevent users from working offline or from saving local copies of files available offline. Also, it doesn't prevent them from using other programs, such as Windows Explorer, to view their offline files. +This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_NoCacheViewer | +| Friendly Name | Prevent use of Offline Files folder | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoCacheViewer | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Prevent use of Offline Files folder* -- GP name: *Pol_NoCacheViewer_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_NoCacheViewer_2** + +## Pol_NoConfigCache_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoConfigCache_2 +``` + - -
    + + +Prevents users from enabling, disabling, or changing the configuration of Offline Files. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting disables the Offline Files folder. - -This setting disables the "View Files" button on the Offline Files tab. As a result, users can't use the Offline Files folder to view or open copies of network files stored on their computer. Also, they can't use the folder to view characteristics of offline files, such as their server status, type, or location. - -This setting doesn't prevent users from working offline or from saving local copies of files available offline. Also, it doesn't prevent them from using other programs, such as Windows Explorer, to view their offline files. +This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_NoConfigCache | +| Friendly Name | Prohibit user configuration of Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoConfigCache | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Prevent use of Offline Files folder* -- GP name: *Pol_NoCacheViewer_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_NoConfigCache_1** + +## Pol_NoMakeAvailableOffline_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2 +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. - -This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users can't view or change the options on the Offline Files tab or Offline Files dialog box. - -This setting is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -> [!TIP] -> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You don't have to disable any other settings in this folder. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit user configuration of Offline Files* -- GP name: *Pol_NoConfigCache_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_NoConfigCache_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files. - -This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users can't view or change the options on the Offline Files tab or Offline Files dialog box. - -This setting is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -> [!TIP] -> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You don't have to disable any other settings in this folder. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit user configuration of Offline Files* -- GP name: *Pol_NoConfigCache_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting prevents users from making network files and folders available offline. -If you enable this policy setting, users can't designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. +If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. -If you disable or don't configure this policy setting, users can manually specify files and folders that they want to make available offline. +If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. -> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. +Notes: - +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. + - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" command* -- GP name: *Pol_NoMakeAvailableOffline_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + +**Description framework properties**: - -**ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2** +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | Pol_NoMakeAvailableOffline | +| Friendly Name | Remove "Make Available Offline" command | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoMakeAvailableOffline | +| ADMX File Name | OfflineFiles.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## Pol_NoPinFiles_2 - - -This policy setting prevents users from making network files and folders available offline. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you enable this policy setting, users can't designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoPinFiles_2 +``` + -If you disable or don't configure this policy setting, users can manually specify files and folders that they want to make available offline. - -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. -> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. - - - - - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" command* -- GP name: *Pol_NoMakeAvailableOffline_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_NoPinFiles_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. -If you enable this policy setting, the "Make Available Offline" command isn't available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. +If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. -If you don't configure this policy setting, the "Make Available Offline" command is available for all files and folders. +If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. -> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> - This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. -> - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. +Notes: - +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" for these files and folders* -- GP name: *Pol_NoPinFiles_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. - - -
    +If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. + - -**ADMX_OfflineFiles/Pol_NoPinFiles_2** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | Pol_NoPinFiles | +| Friendly Name | Remove "Make Available Offline" for these files and folders | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -
    + + + - - -This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. + -If you enable this policy setting, the "Make Available Offline" command isn't available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. + +## Pol_NoReminders_2 -If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -If you don't configure this policy setting, the "Make Available Offline" command is available for all files and folders. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoReminders_2 +``` + -> [!NOTE] -> - This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. -> - The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. -> - This policy setting doesn't prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. -> - If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. - - - - - -ADMX Info: -- GP Friendly name: *Remove "Make Available Offline" for these files and folders* -- GP name: *Pol_NoPinFiles_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_NoReminders_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + Hides or displays reminder balloons, and prevents users from changing the setting. -Reminder balloons appear above the Offline Files icon in the notification area to notify users when they've lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. +Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. -If this setting isn't configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. +If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_NoReminders | +| Friendly Name | Turn off reminder balloons | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoReminders | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Turn off reminder balloons* -- GP name: *Pol_NoReminders_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_NoReminders_2** + +## Pol_OnlineCachingSettings - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_OnlineCachingSettings +``` + - -
    + + +This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. -> [!div class = "checklist"] -> * Device - -
    - - - -Hides or displays reminder balloons, and prevents users from changing the setting. - -Reminder balloons appear above the Offline Files icon in the notification area to notify users when they've lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. - -If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. - -If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. - -If this setting isn't configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. - -To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -> [!TIP] -> To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. - - - - - -ADMX Info: -- GP Friendly name: *Turn off reminder balloons* -- GP name: *Pol_NoReminders_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_OnlineCachingSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This read-action improves end-user response times and decreases bandwidth consumption over WAN links. - -The cached files are temporary and aren't available to the user when offline. The cached files aren't kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads. - -This policy setting is triggered by the configured round trip network latency value. We recommend using this policy setting when the network connection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less than 60 ms, reads to remote files won't be cached. +This policy setting is triggered by the configured round trip network latency value. We recommend using this policy setting when the network connection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less than 60ms, reads to remote files will not be cached. If you enable this policy setting, transparent caching is enabled and configurable. -If you disable or don't configure this policy setting, remote files won't be transparently cached on client computers. +If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable Transparent Caching* -- GP name: *Pol_OnlineCachingSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_AlwaysPinSubFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_OnlineCachingSettings | +| Friendly Name | Enable Transparent Caching | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_PurgeAtLogoff -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_PurgeAtLogoff +``` + - - -This policy setting makes subfolders available offline whenever their parent folder is made available offline. + + +Deletes local copies of the user's offline files when the user logs off. -This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users don't have the option of excluding subfolders. +This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. -If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. +If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use. -If you disable this setting or don't configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. +Caution: Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Subfolders always available offline* -- GP name: *Pol_AlwaysPinSubFolders* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_PurgeAtLogoff** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_PurgeAtLogoff | +| Friendly Name | At logoff, delete local copy of user’s offline files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | PurgeAtLogoff | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_QuickAdimPin -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_QuickAdimPin +``` + - - -This policy setting deletes local copies of the user's offline files when the user signs out. - -This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user signs out, the system deletes all local copies of offline files. - -If you disable this setting or don't configure it, automatically and manually cached copies are retained on the user's computer for later offline use. - -> [!CAUTION] -> Files aren't synchronized before they're deleted. Any changes to local files since the last synchronization are lost. - - - - - -ADMX Info: -- GP Friendly name: *At logoff, delete local copy of user’s offline files* -- GP name: *Pol_PurgeAtLogoff* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_QuickAdimPin** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to turn on economical application of administratively assigned Offline Files. -If you enable or don't configure this policy setting, only new files and folders in administratively assigned folders are synchronized at sign-in. Files and folders that are already available offline are skipped and are synchronized later. +If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. If you disable this policy setting, all administratively assigned folders are synchronized at logon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on economical application of administratively assigned Offline Files* -- GP name: *Pol_QuickAdimPin* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_ReminderFreq_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_QuickAdimPin | +| Friendly Name | Turn on economical application of administratively assigned Offline Files | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | EconomicalAdminPinning | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_ReminderFreq_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderFreq_2 +``` + - - -This policy setting determines how often reminder balloon updates appear. + + +Determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_ReminderFreq | +| Friendly Name | Reminder balloon frequency | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Reminder balloon frequency* -- GP name: *Pol_ReminderFreq_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_ReminderFreq_2** + +## Pol_ReminderInitTimeout_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderInitTimeout_2 +``` + - -
    + + +Determines how long the first reminder balloon for a network status change is displayed. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines how often reminder balloon updates appear. - -If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_ReminderInitTimeout | +| Friendly Name | Initial reminder balloon lifetime | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Reminder balloon frequency* -- GP name: *Pol_ReminderFreq_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_ReminderInitTimeout_1** + +## Pol_ReminderTimeout_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderTimeout_2 +``` + - -
    + + +Determines how long updated reminder balloons are displayed. - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines how long the first reminder balloon for a network status change is displayed. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Initial reminder balloon lifetime* -- GP name: *Pol_ReminderInitTimeout_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_ReminderInitTimeout_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_ReminderTimeout | +| Friendly Name | Reminder balloon lifetime | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SlowLinkSettings -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SlowLinkSettings +``` + - - -This policy setting determines how long the first reminder balloon for a network status change is displayed. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - -ADMX Info: -- GP Friendly name: *Initial reminder balloon lifetime* -- GP name: *Pol_ReminderInitTimeout_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_ReminderTimeout_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines how long updated reminder balloons are displayed. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - -ADMX Info: -- GP Friendly name: *Reminder balloon lifetime* -- GP name: *Pol_ReminderTimeout_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_ReminderTimeout_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines how long updated reminder balloons are displayed. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they're updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - -ADMX Info: -- GP Friendly name: *Reminder balloon lifetime* -- GP name: *Pol_ReminderTimeout_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_SlowLinkSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the network latency and throughput thresholds that will cause a client computer to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data isn't degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This scenario is similar to a user working offline. + + +This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. -You can configure the slow-link mode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip network latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you don't specify a Latency or Throughput value, computers running Windows Vista or Windows Server 2008 won't use the slow-link mode. +You can configure the slow-link mode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip network latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you do not specify a Latency or Throughput value, computers running Windows Vista or Windows Server 2008 will not use the slow-link mode. -If you don't configure this policy setting, computers running Windows Vista or Windows Server 2008 won't transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency. +If you do not configure this policy setting, computers running Windows Vista or Windows Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency. In Windows Vista or Windows Server 2008, once transitioned to slow-link mode, users will continue to operate in slow-link mode until the user clicks the Work Online button on the toolbar in Windows Explorer. Data will only be synchronized to the server if the user manually initiates synchronization by using Sync Center. In Windows 7, Windows Server 2008 R2, Windows 8 or Windows Server 2012, when operating in slow-link mode Offline Files synchronizes the user's files in the background at regular intervals, or as configured by the "Configure Background Sync" policy. While in slow-link mode, Windows periodically checks the connection to the folder and brings the folder back online if network speeds improve. -In Windows 8 or Windows Server 2012, set the Latency threshold to 1 m to keep users always working offline in slow-link mode. +In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep users always working offline in slow-link mode. -If you disable this policy setting, computers won't use the slow-link mode. +If you disable this policy setting, computers will not use the slow-link mode. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure slow-link mode* -- GP name: *Pol_SlowLinkSettings* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_SlowLinkSpeed** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SlowLinkSettings | +| Friendly Name | Configure slow-link mode | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SlowLinkEnabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SlowLinkSpeed -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SlowLinkSpeed +``` + - - -This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. + + +Configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow. -When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and won't automatically reconnect to a server when the presence of a server is detected. +When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. If you enable this setting, you can configure the threshold value that will be used to determine a slow network connection. If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow. -> [!NOTE] -> Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. +Note: Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Slow link speed* -- GP name: *Pol_SlowLinkSpeed* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_OfflineFiles/Pol_SyncAtLogoff_1** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Pol_SlowLinkSpeed | +| Friendly Name | Configure Slow link speed | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## Pol_SyncAtLogoff_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting determines whether offline files are fully synchronized when users sign out. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogoff_2 +``` + -This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. + + +Determines whether offline files are fully synchronized when users log off. + +This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. -If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but doesn't ensure that they're current. +If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. -If you don't configure this setting, the system performs a quick synchronization by default, but users can change this option. +If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogoff | +| Friendly Name | Synchronize all offline files before logging off | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogoff | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Synchronize all offline files before logging off* -- GP name: *Pol_SyncAtLogoff_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_SyncAtLogoff_2** + +## Pol_SyncAtLogon_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogon_2 +``` + - -
    + + +Determines whether offline files are fully synchronized when users log on. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -> [!div class = "checklist"] -> * Device +If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. -
    +If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. - - -This policy setting determines whether offline files are fully synchronized when users sign out. - -This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. - -If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but doesn't ensure that they're current. - -If you don't configure this setting, the system performs a quick synchronization by default, but users can change this option. +If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +Tip: To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + > [!TIP] -> To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogon | +| Friendly Name | Synchronize all offline files when logging on | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogon | +| ADMX File Name | OfflineFiles.admx | + - -ADMX Info: -- GP Friendly name: *Synchronize all offline files before logging off* -- GP name: *Pol_SyncAtLogoff_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* + + + - - -
    + - -**ADMX_OfflineFiles/Pol_SyncAtLogon_1** + +## Pol_SyncAtSuspend_2 - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtSuspend_2 +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether offline files are fully synchronized when users sign in. - -This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, offline files are fully synchronized at sign-in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. - -If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but doesn't ensure that they're current. - -If you don't configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -> [!TIP] -> To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. - - - - - -ADMX Info: -- GP Friendly name: *Synchronize all offline files when logging on* -- GP name: *Pol_SyncAtLogon_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - -
    - - -**ADMX_OfflineFiles/Pol_SyncAtLogon_2** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether offline files are fully synchronized when users sign in. - -This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This disablement prevents users from trying to change the option while a setting controls it. - -If you enable this setting, offline files are fully synchronized at sign-in. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. - -If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but doesn't ensure that they're current. - -If you don't configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default. However, users can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -> [!TIP] -> To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. - - - - - -ADMX Info: -- GP Friendly name: *Synchronize all offline files when logging on* -- GP name: *Pol_SyncAtLogon_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_SyncAtSuspend_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting determines whether offline files are synchronized before a computer is suspended. + + +Determines whether offline files are synchonized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. -If you disable or don't configure this setting, files aren't synchronized when the computer is suspended. +If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. -> [!NOTE] -> If the computer is suspended by closing the display on a portable computer, files aren't synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization isn't performed. +Note: If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Synchronize offline files before suspend* -- GP name: *Pol_SyncAtSuspend_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_SyncAtSuspend_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtSuspend | +| Friendly Name | Synchronize offline files before suspend | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_SyncOnCostedNetwork -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncOnCostedNetwork +``` + - - -This policy setting determines whether offline files are synchronized before a computer is suspended. - -If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. - -If you disable or don't configure this setting, files aren't synchronized when the computer is suspended. - -> [!NOTE] -> If the computer is suspended by closing the display on a portable computer, files aren't synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization isn't performed. - - - - - -ADMX Info: -- GP Friendly name: *Synchronize offline files before suspend* -- GP name: *Pol_SyncAtSuspend_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* - - - -
    - - -**ADMX_OfflineFiles/Pol_SyncOnCostedNetwork** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. -If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This synchronization may result in extra charges on cell phone or broadband plans. +If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. -If this setting is disabled or not configured, synchronization won't run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. +If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable file synchronization on costed networks* -- GP name: *Pol_SyncOnCostedNetwork* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_SyncOnCostedNetwork | +| Friendly Name | Enable file synchronization on costed networks | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncEnabledForCostedNetwork | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_WorkOfflineDisabled_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 +``` + - - + + This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. -If you enable this policy setting, the "Work offline" command isn't displayed in File Explorer. +If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. -If you disable or don't configure this policy setting, the "Work offline" command is displayed in File Explorer. +If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Work offline" command* -- GP name: *Pol_WorkOfflineDisabled_1* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Pol_WorkOfflineDisabled | +| Friendly Name | Remove "Work offline" command | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | WorkOfflineDisabled | +| ADMX File Name | OfflineFiles.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Pol_AssignedOfflineFiles_1 -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 +``` + - - + + +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. + +If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. + +If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). + +If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. + +Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AssignedOfflineFiles | +| Friendly Name | Specify administratively assigned Offline Files | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_CustomGoOfflineActions_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 +``` + + + + +Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. + +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are disconnected from this server, or type "1" if they cannot. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. + +Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_CustomGoOfflineActions | +| Friendly Name | Non-default server disconnect actions | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_EventLoggingLevel_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EventLoggingLevel_1 +``` + + + + +Determines which events the Offline Files feature records in the event log. + +Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. + +To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. + +"0" records an error when the offline storage cache is corrupted. + +"1" also records an event when the server hosting the offline file is disconnected from the network. + +"2" also records events when the local computer is connected and disconnected from the network. + +"3" also records an event when the server hosting the offline file is reconnected to the network. + +Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_EventLoggingLevel | +| Friendly Name | Event logging level | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_GoOfflineAction_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_GoOfflineAction_1 +``` + + + + +Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + +This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. + +If you enable this setting, you can use the "Action" box to specify how computers in the group respond. + +-- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. + +-- "Never go offline" indicates that network files are not available while the server is inaccessible. + +If you disable this setting or select the "Work offline" option, users can work offline if disconnected. + +If you do not configure this setting, users can work offline by default, but they can change this option. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. + +Also, see the "Non-default server disconnect actions" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_GoOfflineAction | +| Friendly Name | Action on server disconnect | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_NoCacheViewer_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoCacheViewer_1 +``` + + + + +Disables the Offline Files folder. + +This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. + +This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoCacheViewer | +| Friendly Name | Prevent use of Offline Files folder | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoCacheViewer | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_NoConfigCache_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoConfigCache_1 +``` + + + + +Prevents users from enabling, disabling, or changing the configuration of Offline Files. + +This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. + +This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoConfigCache | +| Friendly Name | Prohibit user configuration of Offline Files | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoConfigCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_NoMakeAvailableOffline_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 +``` + + + + +This policy setting prevents users from making network files and folders available offline. + +If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. + +If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. + +Notes: + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. + +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoMakeAvailableOffline | +| Friendly Name | Remove "Make Available Offline" command | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoMakeAvailableOffline | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_NoPinFiles_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoPinFiles_1 +``` + + + + +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. + +If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. + +If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. + +If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. + +Notes: + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. + +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. + +This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. + +If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoPinFiles | +| Friendly Name | Remove "Make Available Offline" for these files and folders | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_NoReminders_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoReminders_1 +``` + + + + +Hides or displays reminder balloons, and prevents users from changing the setting. + +Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. + +If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. + +If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. + +If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoReminders | +| Friendly Name | Turn off reminder balloons | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoReminders | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_ReminderFreq_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderFreq_1 +``` + + + + +Determines how often reminder balloon updates appear. + +If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. + +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_ReminderFreq | +| Friendly Name | Reminder balloon frequency | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_ReminderInitTimeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 +``` + + + + +Determines how long the first reminder balloon for a network status change is displayed. + +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_ReminderInitTimeout | +| Friendly Name | Initial reminder balloon lifetime | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_ReminderTimeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderTimeout_1 +``` + + + + +Determines how long updated reminder balloons are displayed. + +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_ReminderTimeout | +| Friendly Name | Reminder balloon lifetime | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_SyncAtLogoff_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogoff_1 +``` + + + + +Determines whether offline files are fully synchronized when users log off. + +This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. + +If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. + +If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. + +If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogoff | +| Friendly Name | Synchronize all offline files before logging off | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogoff | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_SyncAtLogon_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogon_1 +``` + + + + +Determines whether offline files are fully synchronized when users log on. + +This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. + +If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. + +If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. + +If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +Tip: To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogon | +| Friendly Name | Synchronize all offline files when logging on | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogon | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_SyncAtSuspend_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtSuspend_1 +``` + + + + +Determines whether offline files are synchonized before a computer is suspended. + +If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. + +If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. + +Note: If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtSuspend | +| Friendly Name | Synchronize offline files before suspend | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + + +## Pol_WorkOfflineDisabled_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1 +``` + + + + This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. -If you enable this policy setting, the "Work offline" command isn't displayed in File Explorer. +If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. -If you disable or don't configure this policy setting, the "Work offline" command is displayed in File Explorer. +If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove "Work offline" command* -- GP name: *Pol_WorkOfflineDisabled_2* -- GP path: *Network\Offline Files* -- GP ADMX file name: *OfflineFiles.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | Pol_WorkOfflineDisabled | +| Friendly Name | Remove "Work offline" command | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | WorkOfflineDisabled | +| ADMX File Name | OfflineFiles.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 1efbbae1cd..89c7226673 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -1,380 +1,436 @@ --- -title: Policy CSP - ADMX_pca -description: Learn about Policy CSP - ADMX_pca. +title: ADMX_pca Policy CSP +description: Learn more about the ADMX_pca Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_pca > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_pca policies + +## DetectBlockedDriversPolicy -
    -
    - ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy -
    -
    - ADMX_pca/DetectDeprecatedComponentFailuresPolicy -
    -
    - ADMX_pca/DetectInstallFailuresPolicy -
    -
    - ADMX_pca/DetectUndetectedInstallersPolicy -
    -
    - ADMX_pca/DetectUpdateFailuresPolicy -
    -
    - ADMX_pca/DisablePcaUIPolicy -
    -
    - ADMX_pca/DetectBlockedDriversPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectBlockedDriversPolicy +``` + -
    + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + - -**ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DetectBlockedDriversText | +| Friendly Name | Notify blocked drivers | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{affc81e2-612a-4f70-6fb2-916ff5c7e3f8} | +| ADMX File Name | pca.admx | + -
    + + + - - + + + +## DetectDeprecatedCOMComponentFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectDeprecatedCOMComponentFailuresText | +| Friendly Name | Detect application failures caused by deprecated COM objects | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{88D69CE1-577A-4dd9-87AE-AD36D3CD9643} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectDeprecatedComponentFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectDeprecatedComponentFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectDeprecatedComponentFailuresText | +| Friendly Name | Detect application failures caused by deprecated Windows DLLs | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{659F08FB-2FAB-42a7-BD4F-566CFA528769} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectInstallFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectInstallFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectInstallFailuresText | +| Friendly Name | Detect application install failures | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{acfd1ca6-18b6-4ccf-9c07-580cdb6eded4} | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectUndetectedInstallersPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectUndetectedInstallersPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectUndetectedInstallersText | +| Friendly Name | Detect application installers that need to be run as administrator | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{D113E4AA-2D07-41b1-8D9B-C065194A791D} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DetectUpdateFailuresPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DetectUpdateFailuresPolicy +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectUpdateFailuresText | +| Friendly Name | Detect applications unable to launch installers under UAC | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{081D3213-48AA-4533-9284-D98F01BDC8E6} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | pca.admx | + + + + + + + + + +## DisablePcaUIPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_pca/DisablePcaUIPolicy +``` + + + + This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. -If you disable this policy setting, the PCA doesn't detect compatibility issues for applications and drivers. +If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. -If you don't configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. +If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. -> [!NOTE] -> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. +Note: This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + -The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Detect compatibility issues for applications and drivers* -- GP name: *DetectDeprecatedCOMComponentFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: -**ADMX_pca/DetectDeprecatedComponentFailuresPolicy** +| Name | Value | +|:--|:--| +| Name | DisablePcaUIText | +| Friendly Name | Detect compatibility issues for applications and drivers | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePcaUI | +| ADMX File Name | pca.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device +## Related articles -
    - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative -Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application install failures* -- GP name: *DetectDeprecatedComponentFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - - -
    - -**ADMX_pca/DetectInstallFailuresPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - -ADMX Info: -- GP Friendly name: *Detect applications unable to launch installers under UAC* -- GP name: *DetectInstallFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DetectUndetectedInstallersPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application failures caused by deprecated Windows DLLs* -- GP name: *DetectUndetectedInstallersPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DetectUpdateFailuresPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application failures caused by deprecated COM objects* -- GP name: *DetectUpdateFailuresPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DisablePcaUIPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Detect application installers that need to be run as administrator* -- GP name: *DisablePcaUIPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - -
    - -**ADMX_pca/DetectBlockedDriversPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This setting exists only for backward compatibility, and isn't valid for this version of Windows. - -To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - -ADMX Info: -- GP Friendly name: *Notify blocked drivers* -- GP name: *DetectBlockedDriversPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics* -- GP ADMX file name: *pca.admx* - - - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 0a646f5d5b76ef910a36ed79539bf5cce0e13ee9 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 5 Jan 2023 14:54:12 -0500 Subject: [PATCH 116/152] devicehealthmonitoring --- .../mdm/policy-csp-devicehealthmonitoring.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 38b1ab8c83..5458f5fe86 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -42,6 +42,7 @@ Enable/disable 4Nines device health monitoring on devices. +DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it. @@ -91,6 +92,9 @@ If the device is not opted-in to the DeviceHealthMonitoring service via the Allo +This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. +This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. +IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. @@ -171,6 +175,12 @@ If the device is not opted-in to the DeviceHealthMonitoring service via the Allo +This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. + +The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios. +In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. + +Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service. From db54ebf279106a70c0e655270956f82c5583a225 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 6 Jan 2023 08:45:01 -0500 Subject: [PATCH 117/152] nca ncsi netlogon --- .../mdm/policy-csp-admx-nca.md | 712 ++-- .../mdm/policy-csp-admx-ncsi.md | 589 ++-- .../mdm/policy-csp-admx-netlogon.md | 3001 +++++++++-------- 3 files changed, 2347 insertions(+), 1955 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index a2a46c2c76..95602c2c77 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -1,446 +1,528 @@ --- -title: Policy CSP - ADMX_nca -description: Policy CSP - ADMX_nca +title: ADMX_nca Policy CSP +description: Learn more about the ADMX_nca Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_nca ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_nca policies + +## CorporateResources -
    -
    - ADMX_nca/CorporateResources -
    -
    - ADMX_nca/CustomCommands -
    -
    - ADMX_nca/DTEs -
    -
    - ADMX_nca/FriendlyName -
    -
    - ADMX_nca/LocalNamesOn -
    -
    - ADMX_nca/PassiveMode -
    -
    - ADMX_nca/ShowUI -
    -
    - ADMX_nca/SupportEmail -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/CorporateResources +``` + -
    - - -**ADMX_nca/CorporateResources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. + + +Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: - A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1. -> [!NOTE] -> We recommend that you use FQDNs instead of IPv6 addresses wherever possible. +Note -> [!IMPORTANT] -> At least one of the entries must be a PING: resource. -> - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/. -> - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. +We recommend that you use FQDNs instead of IPv6 addresses wherever possible. + +Important + +At least one of the entries must be a PING: resource. + +- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP: or HTTP:https://2002:836b:1::1/. + +- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. You must configure this setting to have complete NCA functionality. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Corporate Resources* -- GP name: *CorporateResources* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_nca/CustomCommands** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CorporateResources | +| Friendly Name | Corporate Resources | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## CustomCommands -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/CustomCommands +``` + - - -This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. + + +Specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Custom Commands* -- GP name: *CustomCommands* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_nca/DTEs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CustomCommands | +| Friendly Name | Custom Commands | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\CustomCommands | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DTEs -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/DTEs +``` + - - -This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. + + +Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel. Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example: PING:2002:836b:1::836b:1. You must configure this setting to have complete NCA functionality. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *IPsec Tunnel Endpoints* -- GP name: *DTEs* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_nca/FriendlyName** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DTEs | +| Friendly Name | IPsec Tunnel Endpoints | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## FriendlyName -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/FriendlyName +``` + - - -This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. + + +Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. -If this setting isn't configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. +If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Friendly Name* -- GP name: *FriendlyName* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_nca/LocalNamesOn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | FriendlyName | +| Friendly Name | Friendly Name | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## LocalNamesOn -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/LocalNamesOn +``` + - - -This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. + + +Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. -If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. NCA doesn't remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. +If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. -The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection hasn't correctly determined that the DirectAccess client computer is connected to its own intranet. +**Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. + +The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet. To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect. -> [!NOTE] -> If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT. +Note +If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT. -If this setting isn't configured, users don't have Connect or Disconnect options. +If this setting is not configured, users do not have Connect or Disconnect options. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prefer Local Names Allowed* -- GP name: *LocalNamesOn* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_nca/PassiveMode** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | LocalNamesOn | +| Friendly Name | Prefer Local Names Allowed | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| Registry Value Name | NamePreferenceAllowed | +| ADMX File Name | nca.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## PassiveMode -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/PassiveMode +``` + - - -This policy setting specifies whether NCA service runs in Passive Mode or not. + + +Specifies whether NCA service runs in Passive Mode or not. -Set this policy setting to Disabled to keep NCA probing actively all the time. If this setting isn't configured, NCA probing is in active mode by default. - +Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default. + + + + - -ADMX Info: -- GP Friendly name: *DirectAccess Passive Mode* -- GP name: *PassiveMode* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_nca/ShowUI** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | PassiveMode | +| Friendly Name | DirectAccess Passive Mode | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| Registry Value Name | PassiveMode | +| ADMX File Name | nca.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## ShowUI -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/ShowUI +``` + -Set this policy setting to Disabled to prevent user confusion when you're just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. + + +Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. -If this setting isn't configured, the entry for DirectAccess connectivity appears. +Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. - +If this setting is not configured, the entry for DirectAccess connectivity appears. + + + + - -ADMX Info: -- GP Friendly name: *User Interface* -- GP name: *ShowUI* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_nca/SupportEmail** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ShowUI | +| Friendly Name | User Interface | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| Registry Value Name | ShowUI | +| ADMX File Name | nca.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## SupportEmail -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_nca/SupportEmail +``` + + + + +Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Support Email Address* -- GP name: *SupportEmail* -- GP path: *Network\DirectAccess Client Experience Settings* -- GP ADMX file name: *nca.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | SupportEmail | +| Friendly Name | Support Email Address | +| Location | Computer Configuration | +| Path | Network > DirectAccess Client Experience Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant | +| ADMX File Name | nca.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 852728fcd1..89b5cd6963 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -1,364 +1,423 @@ --- -title: Policy CSP - ADMX_NCSI -description: Learn about Policy CSP - ADMX_NCSI. +title: ADMX_NCSI Policy CSP +description: Learn more about the ADMX_NCSI Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_NCSI ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_NCSI policies + +## NCSI_CorpDnsProbeContent -
    -
    - ADMX_NCSI/NCSI_CorpDnsProbeContent -
    -
    - ADMX_NCSI/NCSI_CorpDnsProbeHost -
    -
    - ADMX_NCSI/NCSI_CorpSitePrefixes -
    -
    - ADMX_NCSI/NCSI_CorpWebProbeUrl -
    -
    - ADMX_NCSI/NCSI_DomainLocationDeterminationUrl -
    -
    - ADMX_NCSI/NCSI_GlobalDns -
    -
    - ADMX_NCSI/NCSI_PassivePolling -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpDnsProbeContent +``` + -
    - - -**ADMX_NCSI/NCSI_CorpDnsProbeContent** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity. + - + + + - -ADMX Info: -- GP Friendly name: *Specify corporate DNS probe host address* -- GP name: *NCSI_CorpDnsProbeContent* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_NCSI/NCSI_CorpDnsProbeHost** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NCSI_CorpDnsProbeContent | +| Friendly Name | Specify corporate DNS probe host address | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## NCSI_CorpDnsProbeHost -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpDnsProbeHost +``` + + + + This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify corporate DNS probe host name* -- GP name: *NCSI_CorpDnsProbeHost* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NCSI/NCSI_CorpSitePrefixes** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NCSI_CorpDnsProbeHost | +| Friendly Name | Specify corporate DNS probe host name | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NCSI_CorpSitePrefixes -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpSitePrefixes +``` + - - -This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of the prefixes indicates corporate connectivity. + + +This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify corporate site prefix list* -- GP name: *NCSI_CorpSitePrefixes* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_NCSI/NCSI_CorpWebProbeUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NCSI_CorpSitePrefixes | +| Friendly Name | Specify corporate site prefix list | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## NCSI_CorpWebProbeUrl -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpWebProbeUrl +``` + - - + + This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify corporate Website probe URL* -- GP name: *NCSI_CorpWebProbeUrl* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -
    +**ADMX mapping**: - -**ADMX_NCSI/NCSI_DomainLocationDeterminationUrl** +| Name | Value | +|:--|:--| +| Name | NCSI_CorpWebProbeUrl | +| Friendly Name | Specify corporate Website probe URL | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NCSI_DomainLocationDeterminationUrl - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_DomainLocationDeterminationUrl +``` + -
    + + +This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. + - - -This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (that is, whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify domain location determination URL* -- GP name: *NCSI_DomainLocationDeterminationUrl* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_NCSI/NCSI_GlobalDns** +| Name | Value | +|:--|:--| +| Name | NCSI_DomainLocationDeterminationUrl | +| Friendly Name | Specify domain location determination URL | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity | +| ADMX File Name | NCSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NCSI_GlobalDns - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_GlobalDns +``` + -
    + + +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. + - - -This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it's currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify global DNS* -- GP name: *NCSI_GlobalDns* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_NCSI/NCSI_PassivePolling** +| Name | Value | +|:--|:--| +| Name | NCSI_GlobalDns | +| Friendly Name | Specify global DNS | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator | +| ADMX File Name | NCSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## NCSI_PassivePolling - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_PassivePolling +``` + -
    + + +This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. + - - -This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify passive polling* -- GP name: *NCSI_PassivePolling* -- GP path: *Network\Network Connectivity Status Indicator* -- GP ADMX file name: *NCSI.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | NCSI_PassivePolling | +| Friendly Name | Specify passive polling | +| Location | Computer Configuration | +| Path | Network > Network Connectivity Status Indicator | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator | +| ADMX File Name | NCSI.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 22d8f1fe5a..80c36f00cc 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -1,800 +1,802 @@ --- -title: Policy CSP - ADMX_Netlogon -description: Learn about Policy CSP - ADMX_Netlogon. +title: ADMX_Netlogon Policy CSP +description: Learn more about the ADMX_Netlogon Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/05/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/15/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Netlogon ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Netlogon policies + +## Netlogon_AddressLookupOnPingBehavior -
    -
    - ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior -
    -
    - ADMX_Netlogon/Netlogon_AddressTypeReturned -
    -
    - ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch -
    -
    - ADMX_Netlogon/Netlogon_AllowNT4Crypto -
    -
    - ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain -
    -
    - ADMX_Netlogon/Netlogon_AutoSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery -
    -
    - ADMX_Netlogon/Netlogon_AvoidPdcOnWan -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod -
    -
    - ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime -
    -
    - ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod -
    -
    - ADMX_Netlogon/Netlogon_DebugFlag -
    -
    - ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords -
    -
    - ADMX_Netlogon/Netlogon_DnsRefreshInterval -
    -
    - ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames -
    -
    - ADMX_Netlogon/Netlogon_DnsTtl -
    -
    - ADMX_Netlogon/Netlogon_ExpectedDialupDelay -
    -
    - ADMX_Netlogon/Netlogon_ForceRediscoveryInterval -
    -
    - ADMX_Netlogon/Netlogon_GcSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages -
    -
    - ADMX_Netlogon/Netlogon_LdapSrvPriority -
    -
    - ADMX_Netlogon/Netlogon_LdapSrvWeight -
    -
    - ADMX_Netlogon/Netlogon_MaximumLogFileSize -
    -
    - ADMX_Netlogon/Netlogon_NdncSiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_NegativeCachePeriod -
    -
    - ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode -
    -
    - ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod -
    -
    - ADMX_Netlogon/Netlogon_PingUrgencyMode -
    -
    - ADMX_Netlogon/Netlogon_ScavengeInterval -
    -
    - ADMX_Netlogon/Netlogon_SiteCoverage -
    -
    - ADMX_Netlogon/Netlogon_SiteName -
    -
    - ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode -
    -
    - ADMX_Netlogon/Netlogon_TryNextClosestSite -
    -
    - ADMX_Netlogon/Netlogon_UseDynamicDns -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior +``` + -
    + + +This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. - -**ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address doesn't map to any configured site. - -Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses that may then be used to compute a matching site for the client. +Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client. The allowable values for this setting result in the following behaviors: -- 0 - DCs will never perform address lookups. -- 1 - DCs will perform an exhaustive address lookup to discover more client IP addresses. -- 2 - DCs will perform a fast, DNS-only address lookup to discover more client IP addresses. +0 - DCs will never perform address lookups. +1 - DCs will perform an exhaustive address lookup to discover additional client IP addresses. +2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP addresses. To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify address lookup behavior for DC locator ping* -- GP name: *Netlogon_AddressLookupOnPingBehavior* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Netlogon/Netlogon_AddressTypeReturned** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_AddressLookupOnPingBehavior | +| Friendly Name | Specify address lookup behavior for DC locator ping | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Netlogon_AddressTypeReturned -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AddressTypeReturned +``` + - - -This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. + + +This policy setting detremines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios. By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. -If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator. +If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. -If you don't configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator. +If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. + - + + + - -ADMX Info: -- GP Friendly name: *Return domain controller address type* -- GP name: *Netlogon_AddressTypeReturned* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_AddressTypeReturned | +| Friendly Name | Return domain controller address type | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AddressTypeReturned | +| ADMX File Name | Netlogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Netlogon_AllowDnsSuffixSearch -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch +``` + - - -This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, isn't used if the `AllowSingleLabelDnsDomain` policy setting is enabled. + + +This policy setting specifies whether the computers to which this setting is applied attemps DNS name resolution of single-lablel domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled. -By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the `AllowSingleLabelDnsDomain` policy setting is enabled. +By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. -If you enable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name isn't used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, if DNS resolution fails. +If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails. -If you disable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers won't attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. +If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.* -- GP name: *Netlogon_AllowDnsSuffixSearch* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_AllowNT4Crypto** +| Name | Value | +|:--|:--| +| Name | Netlogon_AllowDnsSuffixSearch | +| Friendly Name | Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled. | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowDnsSuffixSearch | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_AllowNT4Crypto - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowNT4Crypto +``` + -
    + + +This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. - - -This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier aren't as secure as newer algorithms used in Windows 2000 or later, including this version of Windows. - -By default, Net Logon won't allow the older cryptography algorithms to be used and won't include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 won't be able to establish a connection to this domain controller. +By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. -If you disable this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms. +If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -If you don't configure this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms. +If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow cryptography algorithms compatible with Windows NT 4.0* -- GP name: *Netlogon_AllowNT4Crypto* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain** +| Name | Value | +|:--|:--| +| Name | Netlogon_AllowNT4Crypto | +| Friendly Name | Allow cryptography algorithms compatible with Windows NT 4.0 | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowNT4Crypto | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_AllowSingleLabelDnsDomain - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain +``` + -
    + + +This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names. - - -This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain name. - -By default, the behavior specified in the `AllowDnsSuffixSearch` is used. If the `AllowDnsSuffixSearch` policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. +By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. -If you disable this policy setting, computers to which this setting is applied will use the `AllowDnsSuffixSearch` policy, if it isn't disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. The computers won't use the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. +If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC* -- GP name: *Netlogon_AllowSingleLabelDnsDomain* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_AutoSiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_AllowSingleLabelDnsDomain | +| Friendly Name | Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowSingleLabelDnsDomain | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_AutoSiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AutoSiteCoverage +``` + -
    - - - -This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. + + +This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. -If you disable this policy setting, the DCs won't register site-specific DC Locator DNS SRV records for any other sites but their own. +If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use automated site coverage by the DC Locator DNS SRV Records* -- GP name: *Netlogon_AutoSiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery** +| Name | Value | +|:--|:--| +| Name | Netlogon_AutoSiteCoverage | +| Friendly Name | Use automated site coverage by the DC Locator DNS SRV Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AutoSiteCoverage | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_AvoidFallbackNetbiosDiscovery - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery +``` + -
    - - - + + This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. -NetBIOS-based discovery uses a WINS server and mailslot messages but doesn't use site information. Hence it doesn't ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery isn't recommended. +NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. -> [!NOTE] -> This policy setting doesn't affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. +Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. -If you disable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This behavior is the default behavior. +If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails* -- GP name: *Netlogon_AvoidFallbackNetbiosDiscovery* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_AvoidPdcOnWan** +| Name | Value | +|:--|:--| +| Name | Netlogon_AvoidFallbackNetbiosDiscovery | +| Friendly Name | Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AvoidFallbackNetbiosDiscovery | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_AvoidPdcOnWan - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AvoidPdcOnWan +``` + -
    - - - + + This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. -If you disable this policy setting, the DCs won't attempt to verify any passwords with the PDC emulator. +If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. -If you don't configure this policy setting, it isn't applied to any DCs. +If you do not configure this policy setting, it is not applied to any DCs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Contact PDC on logon failure* -- GP name: *Netlogon_AvoidPdcOnWan* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_AvoidPdcOnWan | +| Friendly Name | Contact PDC on logon failure | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AvoidPdcOnWan | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundRetryInitialPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod +``` + -
    - - - + + This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. -The default value for this setting is 10 minutes (10*60). - -The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. +The default value for this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. This setting is relevant only to those callers of DsGetDcName that have specified the DS_BACKGROUND_ONLY flag. If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used. -> [!WARNING] -> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC isn't available, the traffic caused by periodic DC discoveries may be excessive. +Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use initial DC discovery retry setting for background callers* -- GP name: *Netlogon_BackgroundRetryInitialPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundRetryInitialPeriod | +| Friendly Name | Use initial DC discovery retry setting for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundRetryMaximumPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod +``` + -
    - - - -This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. + + +This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached. -The default value for this setting is 60 minutes (60*60). - -The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. +The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used. -> [!WARNING] -> If the value for this setting is too large, a client may take very long periods to try to find a DC. +Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC. -If the value for this setting is too small and the DC isn't available, the frequent retries may produce excessive network traffic. +If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use maximum DC discovery retry interval setting for background callers* -- GP name: *Netlogon_BackgroundRetryMaximumPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime** +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundRetryMaximumPeriod | +| Friendly Name | Use maximum DC discovery retry interval setting for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundRetryQuitTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime +``` + -
    - - - + + This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used. The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. -> [!WARNING] -> If the value for this setting is too small, a client will stop trying to find a DC too soon. +Warning: If the value for this setting is too small, a client will stop trying to find a DC too soon. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use final DC discovery retry setting for background callers* -- GP name: *Netlogon_BackgroundRetryQuitTime* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundRetryQuitTime | +| Friendly Name | Use final DC discovery retry setting for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_BackgroundSuccessfulRefreshPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod +``` + -
    + + +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). + - - -This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it's applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0). + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Use positive periodic DC cache refresh for background callers* -- GP name: *Netlogon_BackgroundSuccessfulRefreshPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_BackgroundSuccessfulRefreshPeriod | +| Friendly Name | Use positive periodic DC cache refresh for background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - -**ADMX_Netlogon/Netlogon_DebugFlag** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Netlogon_DebugFlag - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DebugFlag +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. @@ -803,182 +805,210 @@ If you enable this policy setting and specify a non-zero value, debug informatio If you specify zero for this policy setting, the default behavior occurs as described above. -If you disable this policy setting or don't configure it, the default behavior occurs as described above. +If you disable this policy setting or do not configure it, the default behavior occurs as described above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify log file debug output level* -- GP name: *Netlogon_DebugFlag* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords** +| Name | Value | +|:--|:--| +| Name | Netlogon_DebugFlag | +| Friendly Name | Specify log file debug output level | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_DnsAvoidRegisterRecords - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords +``` + -
    + + +This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. - - -This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service. +If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. -If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied. +Select the mnemonics from the following list: -Select the mnemonics from the following table: +Mnemonic Type DNS Record -|Mnemonic|Type|DNS Record| -|--------|---------|-----------| -|LdapIpAddress|A|``| -|Ldap|SRV|_ldap._tcp.``| -|LdapAtSite|SRV|_ldap._tcp.``._sites.``| -|Pdc|SRV|_ldap._tcp.pdc._msdcs.``| -|Gc|SRV|_ldap._tcp.gc._msdcs.``| -|GcAtSite|SRV|_ldap._tcp.``._sites.gc._msdcs.``| -|DcByGuid|SRV|_ldap._tcp.``.domains._msdcs.``| -|GcIpAddress|A|gc._msdcs.``| -|DsaCname|CNAME|``._msdcs.``| -|Kdc|SRV|_kerberos._tcp.dc._msdcs.``| -|KdcAtSite|SRV|_kerberos._tcp.``._sites.dc._msdcs.| -|KdcAtSite|SRV|_kerberos._tcp.``._sites.dc._msdcs.``| -|Dc|SRV|_ldap._tcp.dc._msdcs.``| -|DcAtSite|SRV|_ldap._tcp.``._sites.dc._msdcs.``| -|Rfc1510Kdc|SRV|_kerberos._tcp.``| -|Rfc1510KdcAtSite|SRV|_kerberos._tcp.``._sites.``| -|GenericGc|SRV|_gc._tcp.``| -|GenericGcAtSite|SRV|_gc._tcp.``._sites.``| -|Rfc1510UdpKdc|SRV|_kerberos._udp.``| -|Rfc1510Kpwd|SRV|_kpasswd._tcp.``| -|Rfc1510UdpKpwd|SRV|_kpasswd._udp.``| +LdapIpAddress A `` +Ldap SRV _ldap._tcp.`` +LdapAtSite SRV _ldap._tcp.``._sites.`` +Pdc SRV _ldap._tcp.pdc._msdcs.`` +Gc SRV _ldap._tcp.gc._msdcs.`` +GcAtSite SRV _ldap._tcp.``._sites.gc._msdcs.`` +DcByGuid SRV _ldap._tcp.``.domains._msdcs.`` +GcIpAddress A gc._msdcs.`` +DsaCname CNAME ``._msdcs.`` +Kdc SRV _kerberos._tcp.dc._msdcs.`` +KdcAtSite SRV _kerberos._tcp.``._sites.dc._msdcs.`` +Dc SRV _ldap._tcp.dc._msdcs.`` +DcAtSite SRV _ldap._tcp.``._sites.dc._msdcs.`` +Rfc1510Kdc SRV _kerberos._tcp.`` +Rfc1510KdcAtSite SRV _kerberos._tcp.``._sites.`` +GenericGc SRV _gc._tcp.`` +GenericGcAtSite SRV _gc._tcp.``._sites.`` +Rfc1510UdpKdc SRV _kerberos._udp.`` +Rfc1510Kpwd SRV _kpasswd._tcp.`` +Rfc1510UdpKpwd SRV _kpasswd._udp.`` If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. -If you don't configure this policy setting, DCs use their local configuration. +If you do not configure this policy setting, DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify DC Locator DNS records not registered by the DCs* -- GP name: *Netlogon_DnsAvoidRegisterRecords* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_DnsRefreshInterval** +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsAvoidRegisterRecords | +| Friendly Name | Specify DC Locator DNS records not registered by the DCs | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_DnsRefreshInterval - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsRefreshInterval +``` + -
    - - - + + This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. -DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data hasn't changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. +DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. -> [!WARNING] -> If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. +Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify Refresh Interval of the DC Locator DNS records* -- GP name: *Netlogon_DnsRefreshInterval* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames** +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsRefreshInterval | +| Friendly Name | Specify Refresh Interval of the DC Locator DNS records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_DnsSrvRecordUseLowerCaseHostNames - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames +``` + -
    - - - + + This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records. If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below. @@ -989,873 +1019,1047 @@ If not configured, domain controllers will default to using their local configur The default local configuration is enabled. -A reboot isn't required for changes to this setting to take effect. - +A reboot is not required for changes to this setting to take effect. +More information is available at + - -ADMX Info: -- GP Friendly name: *Use lowercase DNS host names when registering domain controller SRV records* -- GP name: *Netlogon_DnsSrvRecordUseLowerCaseHostNames* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* + + + - - -
    + +**Description framework properties**: -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_Netlogon/Netlogon_DnsTtl** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsSrvRecordUseLowerCaseHostNames | +| Friendly Name | Use lowercase DNS host names when registering domain controller SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | DnsSrvRecordUseLowerCaseHostNames | +| ADMX File Name | Netlogon.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Netlogon_DnsTtl -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they're used to locate the domain controller (DC). + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsTtl +``` + + + + +This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. - +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + + + + - -ADMX Info: -- GP Friendly name: *Set TTL in the DC Locator DNS Records* -- GP name: *Netlogon_DnsTtl* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_Netlogon/Netlogon_ExpectedDialupDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_DnsTtl | +| Friendly Name | Set TTL in the DC Locator DNS Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Netlogon_ExpectedDialupDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ExpectedDialupDelay +``` + - - -This policy setting specifies the extra time for the computer to wait for the domain controller’s (DC) response when logging on to the network. + + +This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. -To specify the expected dial-up delay at sign-in, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). +To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify expected dial-up delay on logon* -- GP name: *Netlogon_ExpectedDialupDelay* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_ForceRediscoveryInterval** +| Name | Value | +|:--|:--| +| Name | Netlogon_ExpectedDialupDelay | +| Friendly Name | Specify expected dial-up delay on logon | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_ForceRediscoveryInterval - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ForceRediscoveryInterval +``` + -
    - - - + + This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator. -The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions, DC Locator will, by default, carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. +The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. -If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4,294,967,200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. +If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. -If you don't configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. +If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Force Rediscovery Interval* -- GP name: *Netlogon_ForceRediscoveryInterval* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_GcSiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_ForceRediscoveryInterval | +| Friendly Name | Force Rediscovery Interval | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_GcSiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_GcSiteCoverage +``` + -
    + + +This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. - - -This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. The records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it. - -The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. +The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory. To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format. -If you don't configure this policy setting, it isn't applied to any GCs, and GCs use their local configuration. +If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify sites covered by the GC Locator DNS SRV Records* -- GP name: *Netlogon_GcSiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages** +| Name | Value | +|:--|:--| +| Name | Netlogon_GcSiteCoverage | +| Friendly Name | Specify sites covered by the GC Locator DNS SRV Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_IgnoreIncomingMailslotMessages - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages +``` + -
    - - - + + This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). -> [!NOTE] -> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. +Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. -This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name isn't required. This policy setting doesn't affect DC location based on DNS names. +This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names. -If you enable this policy setting, this DC doesn't process incoming mailslot messages that are used for NetBIOS domain name based DC location. +If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. -If you disable or don't configure this policy setting, this DC processes incoming mailslot messages. This hevaior is the default behavior of DC Locator. +If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names* -- GP name: *Netlogon_IgnoreIncomingMailslotMessages* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_LdapSrvPriority** +| Name | Value | +|:--|:--| +| Name | Netlogon_IgnoreIncomingMailslotMessages | +| Friendly Name | Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | IgnoreIncomingMailslotMessages | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_LdapSrvPriority - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_LdapSrvPriority +``` + -
    - - - + + This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Priority in the DC Locator DNS SRV records* -- GP name: *Netlogon_LdapSrvPriority* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_LdapSrvWeight** +| Name | Value | +|:--|:--| +| Name | Netlogon_LdapSrvPriority | +| Friendly Name | Set Priority in the DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_LdapSrvWeight - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_LdapSrvWeight +``` + -
    - - - -This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. + + +This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record. To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Weight in the DC Locator DNS SRV records* -- GP name: *Netlogon_LdapSrvWeight* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_MaximumLogFileSize** +| Name | Value | +|:--|:--| +| Name | Netlogon_LdapSrvWeight | +| Friendly Name | Set Weight in the DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_MaximumLogFileSize - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_MaximumLogFileSize +``` + -
    - - - + + This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. -By default, the maximum size of the log file is 20 MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached, the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. +By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. -If you disable or don't configure this policy setting, the default behavior occurs as indicated above. +If you disable or do not configure this policy setting, the default behavior occurs as indicated above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify maximum log file size* -- GP name: *Netlogon_MaximumLogFileSize* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NdncSiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_MaximumLogFileSize | +| Friendly Name | Specify maximum log file size | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NdncSiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NdncSiteCoverage +``` + -
    - - - + + This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. -The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. +The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify sites covered by the application directory partition DC Locator DNS SRV records* -- GP name: *Netlogon_NdncSiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NegativeCachePeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_NdncSiteCoverage | +| Friendly Name | Specify sites covered by the application directory partition DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NegativeCachePeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NegativeCachePeriod +``` + -
    + + +This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. - - -This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) couldn't be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC. +The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. -The default value for this setting is 45 seconds. The maximum value for this setting is seven days (7*24*60*60). The minimum value for this setting is 0. +Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. + -> [!WARNING] -> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify negative DC Discovery cache setting* -- GP name: *Netlogon_NegativeCachePeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_NegativeCachePeriod | +| Friendly Name | Specify negative DC Discovery cache setting | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - -**ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Netlogon_NetlogonShareCompatibilityMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. -If you disable or don't configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. +If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested. -> [!NOTE] -> The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. +Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator. +If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set Netlogon share compatibility* -- GP name: *Netlogon_NetlogonShareCompatibilityMode* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod** +| Name | Value | +|:--|:--| +| Name | Netlogon_NetlogonShareCompatibilityMode | +| Friendly Name | Set Netlogon share compatibility | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowExclusiveScriptsShareAccess | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_NonBackgroundSuccessfulRefreshPeriod - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod +``` + -
    + + +This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag. - - -This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that don't periodically attempt to locate DCs, and it's applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that haven't specified the DS_BACKGROUND_ONLY flag. +The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). + -The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0). + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify positive periodic DC Cache refresh for non-background callers* -- GP name: *Netlogon_NonBackgroundSuccessfulRefreshPeriod* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | Netlogon_NonBackgroundSuccessfulRefreshPeriod | +| Friendly Name | Specify positive periodic DC Cache refresh for non-background callers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - -**ADMX_Netlogon/Netlogon_PingUrgencyMode** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## Netlogon_PingUrgencyMode - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_PingUrgencyMode +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). -When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in more network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. +When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version. The allowable values for this setting result in the following behaviors: -- 1 - Computers will ping DCs at the normal frequency. -- 2 - Computers will ping DCs at the higher frequency. +1 - Computers will ping DCs at the normal frequency. +2 - Computers will ping DCs at the higher frequency. To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Use urgent mode when pinging domain controllers* -- GP name: *Netlogon_PingUrgencyMode* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_ScavengeInterval** +| Name | Value | +|:--|:--| +| Name | Netlogon_PingUrgencyMode | +| Friendly Name | Use urgent mode when pinging domain controllers | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_ScavengeInterval - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ScavengeInterval +``` + -
    - - - + + This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. -- On the domain controllers (DC), discovers a DC that hasn't been discovered. +- On the domain controllers (DC), discovers a DC that has not been discovered. - On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn’t already been successfully added. -None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (for example, ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. +None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. To enable the setting, click Enabled, and then specify the interval in seconds. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set scavenge interval* -- GP name: *Netlogon_ScavengeInterval* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_SiteCoverage** +| Name | Value | +|:--|:--| +| Name | Netlogon_ScavengeInterval | +| Friendly Name | Set scavenge interval | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_SiteCoverage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SiteCoverage +``` + -
    - - - + + This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it. -The DC Locator DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. +The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify sites covered by the DC Locator DNS SRV records* -- GP name: *Netlogon_SiteCoverage* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_SiteName** +| Name | Value | +|:--|:--| +| Name | Netlogon_SiteCoverage | +| Friendly Name | Specify sites covered by the DC Locator DNS SRV records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_SiteName - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SiteName +``` + -
    - - - + + This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. -To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs isn't specified, the computer automatically discovers its site from Active Directory. +To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. -If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration. +If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify site name* -- GP name: *Netlogon_SiteName* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode** +| Name | Value | +|:--|:--| +| Name | Netlogon_SiteName | +| Friendly Name | Specify site name | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_SysvolShareCompatibilityMode - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode +``` + -
    - - - + + This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. @@ -1864,132 +2068,179 @@ When this setting is disabled or not configured, the SYSVOL share will grant sha By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested. -> [!NOTE] -> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. +Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator. +If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Set SYSVOL share compatibility* -- GP name: *Netlogon_SysvolShareCompatibilityMode* -- GP path: *System\Net Logon* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_TryNextClosestSite** +| Name | Value | +|:--|:--| +| Name | Netlogon_SysvolShareCompatibilityMode | +| Friendly Name | Set SYSVOL share compatibility | +| Location | Computer Configuration | +| Path | System > Net Logon | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | AllowExclusiveSysvolShareAccess | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_TryNextClosestSite - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_TryNextClosestSite +``` + -
    + + +This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. - - -This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site isn't found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively. - -The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none is found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. +The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. -If you disable this policy setting, Try Next Closest Site DC Location won't be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. +If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. -If you don't configure this policy setting, Try Next Closest Site DC Location won't be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. +If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Try Next Closest Site* -- GP name: *Netlogon_TryNextClosestSite* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_Netlogon/Netlogon_UseDynamicDns** +| Name | Value | +|:--|:--| +| Name | Netlogon_TryNextClosestSite | +| Friendly Name | Try Next Closest Site | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | TryNextClosestSite | +| ADMX File Name | Netlogon.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Netlogon_UseDynamicDns - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_UseDynamicDns +``` + -
    - - - + + This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. -If you disable this policy setting, DCs won't register DC Locator DNS resource records. +If you disable this policy setting, DCs will not register DC Locator DNS resource records. -If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration. +If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify dynamic registration of the DC Locator DNS Records* -- GP name: *Netlogon_UseDynamicDns* -- GP path: *System\Net Logon\DC Locator DNS Records* -- GP ADMX file name: *Netlogon.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Netlogon_UseDynamicDns | +| Friendly Name | Specify dynamic registration of the DC Locator DNS Records | +| Location | Computer Configuration | +| Path | System > Net Logon > DC Locator DNS Records | +| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters | +| Registry Value Name | UseDynamicDns | +| ADMX File Name | Netlogon.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 7ff74ddc6ce604f65ec6fa2f5d1e2037f6516747 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 6 Jan 2023 08:58:47 -0500 Subject: [PATCH 118/152] msi msifilerecovery mss-legacy --- .../mdm/policy-csp-admx-msi.md | 2152 +++++++++-------- .../mdm/policy-csp-admx-msifilerecovery.md | 146 +- .../mdm/policy-csp-admx-mss-legacy.md | 92 +- 3 files changed, 1331 insertions(+), 1059 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index bb0ca20459..029cad0fa5 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1,1340 +1,1550 @@ --- -title: Policy CSP - ADMX_MSI -description: Learn about Policy CSP - ADMX_MSI. +title: ADMX_MSI Policy CSP +description: Learn more about the ADMX_MSI Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/16/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MSI ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MSI policies + +## AllowLockdownBrowse -
    -
    - ADMX_MSI/AllowLockdownBrowse -
    -
    - ADMX_MSI/AllowLockdownMedia -
    -
    - ADMX_MSI/AllowLockdownPatch -
    -
    - ADMX_MSI/DisableAutomaticApplicationShutdown -
    -
    - ADMX_MSI/DisableBrowse -
    -
    - ADMX_MSI/DisableFlyweightPatching -
    -
    - ADMX_MSI/DisableLoggingFromPackage -
    -
    - ADMX_MSI/DisableMSI -
    -
    - ADMX_MSI/DisableMedia -
    -
    - ADMX_MSI/DisablePatch -
    -
    - ADMX_MSI/DisableRollback_1 -
    -
    - ADMX_MSI/DisableRollback_2 -
    -
    - ADMX_MSI/DisableSharedComponent -
    -
    - ADMX_MSI/MSILogging -
    -
    - ADMX_MSI/MSI_DisableLUAPatching -
    -
    - ADMX_MSI/MSI_DisablePatchUninstall -
    -
    - ADMX_MSI/MSI_DisableSRCheckPoints -
    -
    - ADMX_MSI/MSI_DisableUserInstalls -
    -
    - ADMX_MSI/MSI_EnforceUpgradeComponentRules -
    -
    - ADMX_MSI/MSI_MaxPatchCacheSize -
    -
    - ADMX_MSI/MsiDisableEmbeddedUI -
    -
    - ADMX_MSI/SafeForScripting -
    -
    - ADMX_MSI/SearchOrder -
    -
    - ADMX_MSI/TransformsSecure -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownBrowse +``` + - -**ADMX_MSI/AllowLockdownBrowse** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. -Because the installation is running with elevated system privileges, users can browse through directories that their own permissions wouldn't allow. +Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. -This policy setting doesn't affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. +This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. -If you disable or don't configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. +If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow users to browse for source while elevated* -- GP name: *AllowLockdownBrowse* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/AllowLockdownMedia** +| Name | Value | +|:--|:--| +| Name | AllowLockdownBrowse | +| Friendly Name | Allow users to browse for source while elevated | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AllowLockdownBrowse | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowLockdownMedia - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownMedia +``` + -
    - - - + + This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. -This policy setting doesn't affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. +This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. -If you disable or don't configure this policy setting, users can install programs from removable media by default, only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. +If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. Also, see the "Prevent removable media source for any install" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow users to use media source while elevated* -- GP name: *AllowLockdownMedia* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/AllowLockdownPatch** +| Name | Value | +|:--|:--| +| Name | AllowLockdownMedia | +| Friendly Name | Allow users to use media source while elevated | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AllowLockdownMedia | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## AllowLockdownPatch - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/AllowLockdownPatch +``` + -
    - - - + + This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. -If you disable or don't configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. +If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. -This policy setting doesn't affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. - +This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. + + + + - -ADMX Info: -- GP Friendly name: *Allow users to patch elevated products* -- GP name: *AllowLockdownPatch* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MSI/DisableAutomaticApplicationShutdown** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowLockdownPatch | +| Friendly Name | Allow users to patch elevated products | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | AllowLockdownPatch | +| ADMX File Name | MSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAutomaticApplicationShutdown -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableAutomaticApplicationShutdown +``` + - - + + This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. -- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. +-- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. -- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. +-- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. -- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. +-- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. -If you disable or don't configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. +If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. + - + + + + +**Description framework properties**: - -ADMX Info: -- GGP Friendly name: *Prohibit use of Restart Manager* -- GP name: *DisableAutomaticApplicationShutdown* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableBrowse** +| Name | Value | +|:--|:--| +| Name | DisableAutomaticApplicationShutdown | +| Friendly Name | Prohibit use of Restart Manager | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableBrowse - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableBrowse +``` + -
    - - - + + This policy setting prevents users from searching for installation files when they add features or components to an installed program. If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. This policy setting applies even when the installation is running in the user's security context. -If you disable or don't configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. +If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. -This policy setting affects Windows Installer only. It doesn't prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. +This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. Also, see the "Enable user to browse for source while elevated" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Remove browse dialog box for new source* -- GP name: *DisableBrowse* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableFlyweightPatching** +| Name | Value | +|:--|:--| +| Name | DisableBrowse | +| Friendly Name | Remove browse dialog box for new source | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableBrowse | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableFlyweightPatching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableFlyweightPatching +``` + -
    - - - + + This policy setting controls the ability to turn off all patch optimizations. If you enable this policy setting, all Patch Optimization options are turned off during the installation. -If you disable or don't configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. +If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit flyweight patching* -- GP name: *DisableFlyweightPatching* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableLoggingFromPackage** +| Name | Value | +|:--|:--| +| Name | DisableFlyweightPatching | +| Friendly Name | Prohibit flyweight patching | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableLoggingFromPackage - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableLoggingFromPackage +``` + -
    - - - + + This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. -- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. +-- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. -- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. +-- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. -If you disable or don't configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. +If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off logging via package settings* -- GP name: *DisableLoggingFromPackage* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableMSI** +| Name | Value | +|:--|:--| +| Name | DisableLoggingFromPackage | +| Friendly Name | Turn off logging via package settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableMSI - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMSI +``` + -
    - - - + + This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. -- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. +-- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. -- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This option's induced behavior is the default behavior of Windows Installer on Windows Server 2003 family when the policy isn't configured. +-- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. -- The "Always" option indicates that Windows Installer is disabled. +-- The "Always" option indicates that Windows Installer is disabled. -This policy setting affects Windows Installer only. It doesn't prevent users from using other methods to install and upgrade programs. +This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows Installer* -- GP name: *DisableMSI* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableMedia** +| Name | Value | +|:--|:--| +| Name | DisableMSI | +| Friendly Name | Turn off Windows Installer | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisablePatch - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisablePatch +``` + -
    - - - -This policy setting prevents users from installing any programs from removable media. - -If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature can't be found. - -This policy setting applies even when the installation is running in the user's security context. - -If you disable or don't configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. - -Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. - - - - - -ADMX Info: -- GP Friendly name: *Prevent removable media source for any installation* -- GP name: *DisableMedia* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/DisablePatch** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. -> [!NOTE] -> This policy setting applies only to installations that run in the user's security context. +Note: This policy setting applies only to installations that run in the user's security context. -If you disable or don't configure this policy setting, by default, users who aren't system administrators can't apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. +If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to patch elevated products" policy setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent users from using Windows Installer to install updates and upgrades* -- GP name: *DisablePatch* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/DisableRollback_1** +| Name | Value | +|:--|:--| +| Name | DisablePatch | +| Friendly Name | Prevent users from using Windows Installer to install updates and upgrades | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisablePatch | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DisableRollback_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_2 +``` + -
    - - - + + This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. +If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. -This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. -This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder. - +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + + + + - -ADMX Info: -- GP Friendly name: *Prohibit rollback* -- GP name: *DisableRollback_1* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MSI/DisableRollback_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRollback | +| Friendly Name | Prohibit rollback | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableRollback | +| ADMX File Name | MSI.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableSharedComponent -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableSharedComponent +``` + - - -This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. - -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. - -This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. - -This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder. - - - - - -ADMX Info: -- GP Friendly name: *Prohibit rollback* -- GP name: *DisableRollback_2* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/DisableSharedComponent** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. -If you disable or don't configure this policy setting, by default, the shared component functionality is allowed. +If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off shared components* -- GP name: *DisableSharedComponent* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/MSILogging** +| Name | Value | +|:--|:--| +| Name | DisableSharedComponent | +| Friendly Name | Turn off shared components | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableSharedComponent | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MSI_DisableLUAPatching - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableLUAPatching +``` + -
    - - - -Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. - -When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. - -To disable logging, delete all of the letters from the box. - -If you disable or don't configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." - - - - - -ADMX Info: -- GP Friendly name: *Specify the types of events Windows Installer records in its transaction log* -- GP name: *MSILogging* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - - -**ADMX_MSI/MSI_DisableLUAPatching** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. -If you disable or don't configure this policy setting, users without administrative privileges can install non-administrator updates. +If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit non-administrators from applying vendor signed updates* -- GP name: *MSI_DisableLUAPatching* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MSI_DisableLUAPatching | +| Friendly Name | Prohibit non-administrators from applying vendor signed updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableLUAPatching | +| ADMX File Name | MSI.admx | + -**ADMX_MSI/MSI_DisablePatchUninstall** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MSI_DisablePatchUninstall - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisablePatchUninstall +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the ability for users or administrators to remove Windows Installer based updates. -This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed can't be removed by users or administrators. +This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. -If you enable this policy setting, updates can't be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. +If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. -If you disable or don't configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This grant of privileges can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." +If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit removal of updates* -- GP name: *MSI_DisablePatchUninstall* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MSI_DisablePatchUninstall | +| Friendly Name | Prohibit removal of updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisablePatchUninstall | +| ADMX File Name | MSI.admx | + -**ADMX_MSI/MSI_DisableSRCheckPoints** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MSI_DisableSRCheckPoints - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableSRCheckPoints +``` + -> [!div class = "checklist"] -> * Device + + +This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. -
    +If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. - - -This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users - when a problem occurs - to restore their computers to a previous state without losing personal data files. +If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. + -If you enable this policy setting, the Windows Installer doesn't generate System Restore checkpoints when installing applications. + + + -If you disable or don't configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -ADMX Info: -- GP Friendly name: *Turn off creation of System Restore checkpoints* -- GP name: *MSI_DisableSRCheckPoints* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | MSI_DisableSRCheckPoints | +| Friendly Name | Turn off creation of System Restore checkpoints | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | LimitSystemRestoreCheckpointing | +| ADMX File Name | MSI.admx | + -
    + + + - + -**ADMX_MSI/MSI_DisableUserInstalls** + +## MSI_DisableUserInstalls - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_DisableUserInstalls +``` + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. -If you don't configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, the per-computer installation of that same product is hidden. +If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. -If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This behavior of the installer causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. +If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prohibit User Installs* -- GP name: *MSI_DisableUserInstalls* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MSI_DisableUserInstalls | +| Friendly Name | Prohibit User Installs | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + -**ADMX_MSI/MSI_EnforceUpgradeComponentRules** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## MSI_EnforceUpgradeComponentRules - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_EnforceUpgradeComponentRules +``` + -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting causes the Windows Installer to enforce strict rules for component upgrades. -If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer, which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following steps: +If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: (1) Remove a component from a feature. -This removal can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. +This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. (2) Add a new feature to the top or middle of an existing feature tree. The new feature must be added as a new leaf feature to an existing feature tree. -If you disable or don't configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. +If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enforce upgrade component rules* -- GP name: *MSI_EnforceUpgradeComponentRules* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/MSI_MaxPatchCacheSize** +| Name | Value | +|:--|:--| +| Name | MSI_EnforceUpgradeComponentRules | +| Friendly Name | Enforce upgrade component rules | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | EnforceUpgradeComponentRules | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MSI_MaxPatchCacheSize - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSI_MaxPatchCacheSize +``` + -
    - - - + + This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. -If you enable this policy setting, you can modify the maximum size of the Windows Installer baseline file cache. +If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. -If you disable or don't configure this policy setting, the Windows Installer will use a default value of 10 percent for the baseline file cache maximum size. +If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Control maximum size of baseline file cache* -- GP name: *MSI_MaxPatchCacheSize* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/MsiDisableEmbeddedUI** +| Name | Value | +|:--|:--| +| Name | MSI_MaxPatchCacheSize | +| Friendly Name | Control maximum size of baseline file cache | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MsiDisableEmbeddedUI - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MsiDisableEmbeddedUI +``` + -
    - - - + + This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can run embedded UI. -If you disable or don't configure this policy setting, embedded UI is allowed to run. +If you disable or do not configure this policy setting, embedded UI is allowed to run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent embedded UI* -- GP name: *MsiDisableEmbeddedUI* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/SafeForScripting** +| Name | Value | +|:--|:--| +| Name | MsiDisableEmbeddedUI | +| Friendly Name | Prevent embedded UI | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | MsiDisableEmbeddedUI | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MSILogging - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/MSILogging +``` + -
    + + +Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. - - +When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. + +To disable logging, delete all of the letters from the box. + +If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MSILogging | +| Friendly Name | Specify the types of events Windows Installer records in its transaction log | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + + +## SafeForScripting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/SafeForScripting +``` + + + + This policy setting allows Web-based programs to install software on the computer without notifying the user. -If you disable or don't configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. +If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. If you enable this policy setting, the warning is suppressed and allows the installation to proceed. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Prevent Internet Explorer security prompt for Windows Installer scripts* -- GP name: *SafeForScripting* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MSI/SearchOrder** +| Name | Value | +|:--|:--| +| Name | SafeForScripting | +| Friendly Name | Prevent Internet Explorer security prompt for Windows Installer scripts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | SafeForScripting | +| ADMX File Name | MSI.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## TransformsSecure - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSI/TransformsSecure +``` + -
    - - - -This policy setting specifies the order in which Windows Installer searches for installation files. - -If you disable or don't configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). - -If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: - -- "n" represents the network -- "m" represents media -- "u" represents URL, or the Internet - -To exclude a file source, omit or delete the letter representing that source type. - - - - - -ADMX Info: -- GP Friendly name: *Specify the order in which Windows Installer searches for installation files* -- GP name: *SearchOrder* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* - - - - -
    - - -**ADMX_MSI/TransformsSecure** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. If you enable this policy setting, the transform file is saved in a secure location on the user's computer. -If you don't configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. +If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files. If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. - +If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. + + + + - -ADMX Info: -- GP Friendly name: *Save copies of transform files in a secure location on workstation* -- GP name: *TransformsSecure* -- GP path: *Windows Components\Windows Installer* -- GP ADMX file name: *MSI.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | TransformsSecure | +| Friendly Name | Save copies of transform files in a secure location on workstation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | TransformsSecure | +| ADMX File Name | MSI.admx | + + + + + + + + + +## DisableMedia + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMedia +``` + + + + +This policy setting prevents users from installing any programs from removable media. + +If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. + +This policy setting applies even when the installation is running in the user's security context. + +If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. + +Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableMedia | +| Friendly Name | Prevent removable media source for any installation | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableMedia | +| ADMX File Name | MSI.admx | + + + + + + + + + +## DisableRollback_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_1 +``` + + + + +This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. + +If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. + +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. + +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRollback | +| Friendly Name | Prohibit rollback | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableRollback | +| ADMX File Name | MSI.admx | + + + + + + + + + +## SearchOrder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/SearchOrder +``` + + + + +This policy setting specifies the order in which Windows Installer searches for installation files. + +If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). + +If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: + +-- "n" represents the network; + +-- "m" represents media; + +-- "u" represents URL, or the Internet. + +To exclude a file source, omit or delete the letter representing that source type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SearchOrder | +| Friendly Name | Specify the order in which Windows Installer searches for installation files | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 12ddc63f8c..f3654d208c 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -1,102 +1,110 @@ --- -title: Policy CSP - ADMX_MsiFileRecovery -description: Learn about Policy CSP - ADMX_MsiFileRecovery. +title: ADMX_MsiFileRecovery Policy CSP +description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MsiFileRecovery > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MsiFileRecovery policies + +## WdiScenarioExecutionPolicy -
    -
    - ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy +``` + - -**ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states: -- Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog-box when application reinstallation is required. -This behavior is the default recovery behavior on Windows client. +Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog box when application reinstallation is required. This is the default recovery behavior on Windows client. -- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be reinstalled. This behavior is recommended for headless operation and is the default recovery behavior on Windows server. +Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery behavior on Windows server. -- Troubleshooting Only: Detection and verification of file corruption will be performed without UI. -Recovery isn't attempted. +Troubleshooting Only: Detection and verification of file corruption will be performed without UI. Recovery is not attempted. -- If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. +If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. -- If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. +If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. -If you don't configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh. +If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. -> [!NOTE] -> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh. - +Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + - -ADMX Info: -- GP Friendly name: *Configure MSI Corrupted File Recovery behavior* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery* -- GP ADMX file name: *MsiFileRecovery.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure MSI Corrupted File Recovery behavior | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > MSI Corrupted File Recovery | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{54077489-683b-4762-86c8-02cf87a33423} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | Msi-FileRecovery.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md index a22c707db1..d4feaa05d2 100644 --- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSS-legacy Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -43,7 +43,7 @@ ms.topic: reference - + @@ -61,6 +61,9 @@ Enable Automatic Logon (not recommended). +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -86,7 +89,7 @@ Enable Automatic Logon (not recommended). - + @@ -104,6 +107,9 @@ Allow Windows to automatically restart after a system crash (recommended except +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -129,7 +135,7 @@ Allow Windows to automatically restart after a system crash (recommended except - + @@ -147,6 +153,9 @@ Enable administrative shares on servers (recommended except for highly secure en +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -172,7 +181,7 @@ Enable administrative shares on servers (recommended except for highly secure en - + @@ -190,6 +199,9 @@ Enable administrative shares on workstations (recommended except for highly secu +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -215,7 +227,7 @@ Enable administrative shares on workstations (recommended except for highly secu - + @@ -232,6 +244,9 @@ Enable administrative shares on workstations (recommended except for highly secu +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -258,7 +273,7 @@ Prevent the dial-up password from being saved (recommended). - + @@ -276,6 +291,9 @@ Allow automatic detection of dead network gateways (could lead to DoS). +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -301,7 +319,7 @@ Allow automatic detection of dead network gateways (could lead to DoS). - + @@ -319,6 +337,9 @@ Hide Computer From the Browse List (not recommended except for highly secure env +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -344,7 +365,7 @@ Hide Computer From the Browse List (not recommended except for highly secure env - + @@ -362,6 +383,9 @@ Define how often keep-alive packets are sent in milliseconds. +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -387,7 +411,7 @@ Define how often keep-alive packets are sent in milliseconds. - + @@ -405,6 +429,9 @@ Configure IPSec exemptions for various types of network traffic. +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -430,7 +457,7 @@ Configure IPSec exemptions for various types of network traffic. - + @@ -448,6 +475,9 @@ Enable the computer to stop generating 8.3 style filenames. +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -473,7 +503,7 @@ Enable the computer to stop generating 8.3 style filenames. - + @@ -491,6 +521,9 @@ Enable the computer to stop generating 8.3 style filenames. +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -516,7 +549,7 @@ Enable the computer to stop generating 8.3 style filenames. - + @@ -534,6 +567,9 @@ Enable Safe DLL search mode (recommended). +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -559,7 +595,7 @@ Enable Safe DLL search mode (recommended). - + @@ -577,6 +613,9 @@ he time in seconds before the screen saver grace period expires (0 recommended). +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -602,7 +641,7 @@ he time in seconds before the screen saver grace period expires (0 recommended). - + @@ -620,6 +659,9 @@ Syn attack protection level (protects against DoS). +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -645,7 +687,7 @@ Syn attack protection level (protects against DoS). - + @@ -663,6 +705,9 @@ SYN-ACK retransmissions when a connection request is not acknowledged. +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -688,7 +733,7 @@ SYN-ACK retransmissions when a connection request is not acknowledged. - + @@ -706,6 +751,9 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -731,7 +779,7 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is - + @@ -749,6 +797,9 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + @@ -774,7 +825,7 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is - + @@ -792,6 +843,9 @@ Percentage threshold for the security event log at which the system will generat +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + From 0ac89d747be9e0a8a29c37fd0dd5d4292d538040 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 6 Jan 2023 09:06:45 -0500 Subject: [PATCH 119/152] msapolicy msched msdt --- .../mdm/policy-csp-admx-msapolicy.md | 133 +++---- .../mdm/policy-csp-admx-msched.md | 216 ++++++----- .../mdm/policy-csp-admx-msdt.md | 355 ++++++++++-------- 3 files changed, 378 insertions(+), 326 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 1c084d9952..4d46d934a5 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -1,90 +1,97 @@ --- -title: Policy CSP - ADMX_MSAPolicy -description: Learn about Policy CSP - ADMX_MSAPolicy. +title: ADMX_MSAPolicy Policy CSP +description: Learn more about the ADMX_MSAPolicy Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/14/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MSAPolicy ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MSAPolicy policies + +## MicrosoftAccount_DisableUserAuth -
    -
    - ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSAPolicy/MicrosoftAccount_DisableUserAuth +``` + -
    + + +This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. +It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. +By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. + - -**ADMX_MSAPolicy/MicrosoftAccount_DisableUserAuth** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | MicrosoftAccount_DisableUserAuth | +| Friendly Name | Block all consumer Microsoft account user authentication | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft account | +| Registry Key Name | Software\Policies\Microsoft\MicrosoftAccount | +| Registry Value Name | DisableUserAuth | +| ADMX File Name | MSAPolicy.admx | + -
    + + + - - -This policy setting controls whether users can provide Microsoft accounts for authentication, applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. + -This functionality applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user won't be affected by enabling this setting until the authentication cache expires. + + + -It's recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. + -By default, this setting is Disabled. This setting doesn't affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. +## Related articles - - - - -ADMX Info: -- GP Friendly name: *Block all consumer Microsoft account user authentication* -- GP name: *MicrosoftAccount_DisableUserAuth* -- GP path: *Windows Components\Microsoft account* -- GP ADMX file name: *MSAPolicy.admx* - - - -
    - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 8376d30476..3ed691224f 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -1,143 +1,163 @@ --- -title: Policy CSP - ADMX_msched -description: Learn about Policy CSP - ADMX_msched. +title: ADMX_msched Policy CSP +description: Learn more about the ADMX_msched Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_msched ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_msched policies + +## ActivationBoundaryPolicy -
    -
    - ADMX_msched/ActivationBoundaryPolicy -
    -
    - ADMX_msched/RandomDelayPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_msched/ActivationBoundaryPolicy +``` + -
    + + +This policy setting allows you to configure Automatic Maintenance activation boundary. - -**ADMX_msched/ActivationBoundaryPolicy** +The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts - +If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. +**ADMX mapping**: -If you enable this policy setting, this scheduled time will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. +| Name | Value | +|:--|:--| +| Name | ActivationBoundary | +| Friendly Name | Automatic Maintenance Activation Boundary | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| ADMX File Name | msched.admx | + -If you disable or don't configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + + - + + +## RandomDelayPolicy - -ADMX Info: -- GP Friendly name: *Automatic Maintenance Activation Boundary* -- GP name: *ActivationBoundaryPolicy* -- GP path: *Windows Components\Maintenance Scheduler* -- GP ADMX file name: *msched.admx* + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_msched/RandomDelayPolicy +``` + - -**ADMX_msched/RandomDelayPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. -If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by up to this time. +If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by upto this time. -If you don't configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. +If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. If you disable this policy setting, no random delay will be applied to Automatic Maintenance. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Automatic Maintenance Random Delay* -- GP name: *RandomDelayPolicy* -- GP path: *Windows Components\Maintenance Scheduler* -- GP ADMX file name: *msched.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -## Related topics +| Name | Value | +|:--|:--| +| Name | RandomDelay | +| Friendly Name | Automatic Maintenance Random Delay | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| Registry Value Name | Randomized | +| ADMX File Name | msched.admx | + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 4b04ef6231..0eec454b10 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -1,220 +1,245 @@ --- -title: Policy CSP - ADMX_MSDT -description: Learn about Policy CSP - ADMX_MSDT. +title: ADMX_MSDT Policy CSP +description: Learn more about the ADMX_MSDT Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/09/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MSDT ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MSDT policies + +## MsdtSupportProvider -
    -
    - ADMX_MSDT/MsdtSupportProvider -
    -
    - ADMX_MSDT/MsdtToolDownloadPolicy -
    -
    - ADMX_MSDT/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSDT/MsdtSupportProvider +``` + -
    - - -**ADMX_MSDT/MsdtSupportProvider** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is set to Microsoft Corporation. -If you disable this policy setting, MSDT can't run in support mode, and no data can be collected or sent to the support provider. +If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. -If you don't configure this policy setting, MSDT support mode is enabled by default. +If you do not configure this policy setting, MSDT support mode is enabled by default. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider* -- GP name: *MsdtSupportProvider* -- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MSDT/MsdtToolDownloadPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MsdtSupportProvider | +| Friendly Name | Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy | +| Registry Value Name | DisableQueryRemoteServer | +| ADMX File Name | MSDT.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MsdtToolDownloadPolicy -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSDT/MsdtToolDownloadPolicy +``` + - - + + This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool. -Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems, MSDT may prompt the user to download additional tools for troubleshooting. -For some problems, MSDT may prompt the user to download more tools for troubleshooting. These tools are required to completely troubleshoot the problem. +These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem. -If tool download is restricted, it may not be possible to find the root cause of the problem. - -If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download more tools to diagnose problems on remote computers only. - -If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for more tool downloading. +If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. -If you don't configure this policy setting, MSDT prompts the user before downloading any extra tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. - -This policy setting will take effect only when MSDT is enabled. - -This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. - -When the service is stopped or disabled, diagnostic scenarios aren't executed. - -The DPS can be configured with the Services snap-in to the Microsoft Management Console. - - - - - -ADMX Info: -- GP Friendly name: *Microsoft Support Diagnostic Tool: Restrict tool download* -- GP name: *MsdtToolDownloadPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* - - - -
    - - -**ADMX_MSDT/WdiScenarioExecutionPolicy** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines the execution level for Microsoft Support Diagnostic Tool. - -Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. - -If you disable this policy setting, MSDT can't gather diagnostic data. If you don't configure this policy setting, MSDT is turned on by default. - -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. -This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +This policy setting will take effect only when MSDT is enabled. - +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + - -ADMX Info: -- GP Friendly name: *Microsoft Support Diagnostic Tool: Configure execution level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MsdtToolDownloadPolicy | +| Friendly Name | Microsoft Support Diagnostic Tool: Restrict tool download | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5} | +| Registry Value Name | DownloadToolsEnabled | +| ADMX File Name | MSDT.admx | + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + + +## WdiScenarioExecutionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MSDT/WdiScenarioExecutionPolicy +``` + + + + +This policy setting determines the execution level for Microsoft Support Diagnostic Tool. + +Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. + +If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. + +If you disable this policy setting, MSDT cannot gather diagnostic data. + +If you do not configure this policy setting, MSDT is turned on by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. + +No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. + +This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Microsoft Support Diagnostic Tool: Configure execution level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Microsoft Support Diagnostic Tool | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5} | +| ADMX File Name | MSDT.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 00ab27a08a0d7578a5bd32bdc08c708cc91e3da0 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Fri, 6 Jan 2023 09:49:30 -0500 Subject: [PATCH 120/152] mmcsnapins mobilepcmobilitycenter mobilepcpresentationsettings --- .../mdm/policy-csp-admx-mmcsnapins.md | 9075 +++++++++-------- .../policy-csp-admx-mobilepcmobilitycenter.md | 220 +- ...y-csp-admx-mobilepcpresentationsettings.md | 225 +- 3 files changed, 5265 insertions(+), 4255 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index ccb7e6b2d6..29f52008eb 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -1,6137 +1,7112 @@ --- -title: Policy CSP - ADMX_MMCSnapins -description: Learn about Policy CSP - ADMX_MMCSnapins. +title: ADMX_MMCSnapins Policy CSP +description: Learn more about the ADMX_MMCSnapins Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/13/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MMCSnapins ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -
    - - -## ADMX_MMCSnapins policies - -
    -
    - ADMX_MMCSnapins/MMC_ADMComputers_1 -
    -
    - ADMX_MMCSnapins/MMC_ADMComputers_2 -
    -
    - ADMX_MMCSnapins/MMC_ADMUsers_1 -
    -
    - ADMX_MMCSnapins/MMC_ADMUsers_2 -
    -
    - ADMX_MMCSnapins/MMC_ADSI -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirDomTrusts -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirSitesServices -
    -
    - ADMX_MMCSnapins/MMC_ActiveDirUsersComp -
    -
    - ADMX_MMCSnapins/MMC_AppleTalkRouting -
    -
    - ADMX_MMCSnapins/MMC_AuthMan -
    -
    - ADMX_MMCSnapins/MMC_CertAuth -
    -
    - ADMX_MMCSnapins/MMC_CertAuthPolSet -
    -
    - ADMX_MMCSnapins/MMC_Certs -
    -
    - ADMX_MMCSnapins/MMC_CertsTemplate -
    -
    - ADMX_MMCSnapins/MMC_ComponentServices -
    -
    - ADMX_MMCSnapins/MMC_ComputerManagement -
    -
    - ADMX_MMCSnapins/MMC_ConnectionSharingNAT -
    -
    - ADMX_MMCSnapins/MMC_DCOMCFG -
    -
    - ADMX_MMCSnapins/MMC_DFS -
    -
    - ADMX_MMCSnapins/MMC_DHCPRelayMgmt -
    -
    - ADMX_MMCSnapins/MMC_DeviceManager_1 -
    -
    - ADMX_MMCSnapins/MMC_DeviceManager_2 -
    -
    - ADMX_MMCSnapins/MMC_DiskDefrag -
    -
    - ADMX_MMCSnapins/MMC_DiskMgmt -
    -
    - ADMX_MMCSnapins/MMC_EnterprisePKI -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_1 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_2 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_3 -
    -
    - ADMX_MMCSnapins/MMC_EventViewer_4 -
    -
    - ADMX_MMCSnapins/MMC_FAXService -
    -
    - ADMX_MMCSnapins/MMC_FailoverClusters -
    -
    - ADMX_MMCSnapins/MMC_FolderRedirection_1 -
    -
    - ADMX_MMCSnapins/MMC_FolderRedirection_2 -
    -
    - ADMX_MMCSnapins/MMC_FrontPageExt -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicySnapIn -
    -
    - ADMX_MMCSnapins/MMC_GroupPolicyTab -
    -
    - ADMX_MMCSnapins/MMC_HRA -
    -
    - ADMX_MMCSnapins/MMC_IAS -
    -
    - ADMX_MMCSnapins/MMC_IASLogging -
    -
    - ADMX_MMCSnapins/MMC_IEMaintenance_1 -
    -
    - ADMX_MMCSnapins/MMC_IEMaintenance_2 -
    -
    - ADMX_MMCSnapins/MMC_IGMPRouting -
    -
    - ADMX_MMCSnapins/MMC_IIS -
    -
    - ADMX_MMCSnapins/MMC_IPRouting -
    -
    - ADMX_MMCSnapins/MMC_IPSecManage_GP -
    -
    - ADMX_MMCSnapins/MMC_IPXRIPRouting -
    -
    - ADMX_MMCSnapins/MMC_IPXRouting -
    -
    - ADMX_MMCSnapins/MMC_IPXSAPRouting -
    -
    - ADMX_MMCSnapins/MMC_IndexingService -
    -
    - ADMX_MMCSnapins/MMC_IpSecManage -
    -
    - ADMX_MMCSnapins/MMC_IpSecMonitor -
    -
    - ADMX_MMCSnapins/MMC_LocalUsersGroups -
    -
    - ADMX_MMCSnapins/MMC_LogicalMappedDrives -
    -
    - ADMX_MMCSnapins/MMC_NPSUI -
    -
    - ADMX_MMCSnapins/MMC_NapSnap -
    -
    - ADMX_MMCSnapins/MMC_NapSnap_GP -
    -
    - ADMX_MMCSnapins/MMC_Net_Framework -
    -
    - ADMX_MMCSnapins/MMC_OCSP -
    -
    - ADMX_MMCSnapins/MMC_OSPFRouting -
    -
    - ADMX_MMCSnapins/MMC_PerfLogsAlerts -
    -
    - ADMX_MMCSnapins/MMC_PublicKey -
    -
    - ADMX_MMCSnapins/MMC_QoSAdmission -
    -
    - ADMX_MMCSnapins/MMC_RAS_DialinUser -
    -
    - ADMX_MMCSnapins/MMC_RIPRouting -
    -
    - ADMX_MMCSnapins/MMC_RIS -
    -
    - ADMX_MMCSnapins/MMC_RRA -
    -
    - ADMX_MMCSnapins/MMC_RSM -
    -
    - ADMX_MMCSnapins/MMC_RemStore -
    -
    - ADMX_MMCSnapins/MMC_RemoteAccess -
    -
    - ADMX_MMCSnapins/MMC_RemoteDesktop -
    -
    - ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn -
    -
    - ADMX_MMCSnapins/MMC_Routing -
    -
    - ADMX_MMCSnapins/MMC_SCA -
    -
    - ADMX_MMCSnapins/MMC_SMTPProtocol -
    -
    - ADMX_MMCSnapins/MMC_SNMP -
    -
    - ADMX_MMCSnapins/MMC_ScriptsMachine_1 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsMachine_2 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsUser_1 -
    -
    - ADMX_MMCSnapins/MMC_ScriptsUser_2 -
    -
    - ADMX_MMCSnapins/MMC_SecuritySettings_1 -
    -
    - ADMX_MMCSnapins/MMC_SecuritySettings_2 -
    -
    - ADMX_MMCSnapins/MMC_SecurityTemplates -
    -
    - ADMX_MMCSnapins/MMC_SendConsoleMessage -
    -
    - ADMX_MMCSnapins/MMC_ServerManager -
    -
    - ADMX_MMCSnapins/MMC_ServiceDependencies -
    -
    - ADMX_MMCSnapins/MMC_Services -
    -
    - ADMX_MMCSnapins/MMC_SharedFolders -
    -
    - ADMX_MMCSnapins/MMC_SharedFolders_Ext -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 -
    -
    - ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 -
    -
    - ADMX_MMCSnapins/MMC_SysInfo -
    -
    - ADMX_MMCSnapins/MMC_SysProp -
    -
    - ADMX_MMCSnapins/MMC_TPMManagement -
    -
    - ADMX_MMCSnapins/MMC_Telephony -
    -
    - ADMX_MMCSnapins/MMC_TerminalServices -
    -
    - ADMX_MMCSnapins/MMC_WMI -
    -
    - ADMX_MMCSnapins/MMC_WindowsFirewall -
    -
    - ADMX_MMCSnapins/MMC_WindowsFirewall_GP -
    -
    - ADMX_MMCSnapins/MMC_WiredNetworkPolicy -
    -
    - ADMX_MMCSnapins/MMC_WirelessMon -
    -
    - ADMX_MMCSnapins/MMC_WirelessNetworkPolicy -
    -
    - - -
    - - -**ADMX_MMCSnapins/MMC_ADMComputers_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting permits or prohibits the use of this snap-in. - -If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. - -If you disable this policy setting, the snap-in is prohibited. It can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. - -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. - -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. - -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. - -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - - +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + - -ADMX Info: -- GP Friendly name: *Administrative Templates (Computers)* -- GP name: *MMC_ADMComputers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +## MMC_ActiveDirDomTrusts - - -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_MMCSnapins/MMC_ADMComputers_2** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ActiveDirDomTrusts +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. - -If you disable this policy setting, the snap-in is prohibited. It can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Administrative Templates (Computers)* -- GP name: *MMC_ADMComputers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ADMUsers_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ActiveDirDomTrusts | +| Friendly Name | Active Directory Domains and Trusts | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ActiveDirSitesServices -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ActiveDirSitesServices +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Administrative Templates (Users)* -- GP name: *MMC_ADMUsers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_ADMUsers_2** +| Name | Value | +|:--|:--| +| Name | MMC_ActiveDirSitesServices | +| Friendly Name | Active Directory Sites and Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_ActiveDirUsersComp - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ActiveDirUsersComp +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. - -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Administrative Templates (Users)* -- GP name: *MMC_ADMUsers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ADSI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ActiveDirUsersComp | +| Friendly Name | Active Directory Users and Computers | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ADMComputers_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMComputers_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *ADSI Edit* -- GP name: *MMC_ADSI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_ActiveDirDomTrusts** +| Name | Value | +|:--|:--| +| Name | MMC_ADMComputers | +| Friendly Name | Administrative Templates (Computers) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_ADMComputers_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMComputers_2 +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. - -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Active Directory Domains and Trusts* -- GP name: *MMC_ActiveDirDomTrusts* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ActiveDirSitesServices** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ADMComputers | +| Friendly Name | Administrative Templates (Computers) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ADMUsers_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMUsers_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Active Directory Sites and Services* -- GP name: *MMC_ActiveDirSitesServices* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_ActiveDirUsersComp** +| Name | Value | +|:--|:--| +| Name | MMC_ADMUsers | +| Friendly Name | Administrative Templates (Users) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_ADMUsers_2 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADMUsers_2 +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted. It can be added into the Microsoft Management Console or run from the command line as a standalone console. - -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Active Directory Users and Computers* -- GP name: *MMC_ActiveDirUsersComp* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_AppleTalkRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ADMUsers | +| Friendly Name | Administrative Templates (Users) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ADSI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ADSI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. - -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *AppleTalk Routing* -- GP name: *MMC_AppleTalkRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_AuthMan** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ADSI | +| Friendly Name | ADSI Edit | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_AppleTalkRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_AppleTalkRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Authorization Manager* -- GP name: *MMC_AuthMan* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_CertAuth** +| Name | Value | +|:--|:--| +| Name | MMC_AppleTalkRouting | +| Friendly Name | AppleTalk Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_AuthMan - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_AuthMan +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. - -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certification Authority* -- GP name: *MMC_CertAuth* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_CertAuthPolSet** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_AuthMan | +| Friendly Name | Authorization Manager | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1F5EEC01-1214-4D94-80C5-4BDCD2014DDD} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_CertAuth -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_CertAuth +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certification Authority Policy Settings* -- GP name: *MMC_CertAuthPolSet* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_Certs** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_CertAuth | +| Friendly Name | Certification Authority | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_CertAuthPolSet -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_CertAuthPolSet +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certificates* -- GP name: *MMC_Certs* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_CertsTemplate** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_CertAuthPolSet | +| Friendly Name | Certification Authority Policy Settings | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3F276EB4-70EE-11D1-8A0F-00C04FB93753} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Certs -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Certs +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Certificate Templates* -- GP name: *MMC_CertsTemplate* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ComponentServices** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Certs | +| Friendly Name | Certificates | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{53D6AB1D-2488-11D1-A28C-00C04FB94F17} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_CertsTemplate -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_CertsTemplate +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Component Services* -- GP name: *MMC_ComponentServices* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ComputerManagement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_CertsTemplate | +| Friendly Name | Certificate Templates | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{A994E107-6854-4F3D-917C-E6F01670F6D3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ComponentServices -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ComponentServices +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Computer Management* -- GP name: *MMC_ComputerManagement* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ConnectionSharingNAT** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ComponentServices | +| Friendly Name | Component Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ComputerManagement -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ComputerManagement +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Connection Sharing (NAT)* -- GP name: *MMC_ConnectionSharingNAT* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DCOMCFG** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ComputerManagement | +| Friendly Name | Computer Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ConnectionSharingNAT -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ConnectionSharingNAT +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *DCOM Configuration Extension* -- GP name: *MMC_DCOMCFG* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DFS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ConnectionSharingNAT | +| Friendly Name | Connection Sharing (NAT) | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DCOMCFG -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DCOMCFG +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Distributed File System* -- GP name: *MMC_DFS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DHCPRelayMgmt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DCOMCFG | +| Friendly Name | DCOM Configuration Extension | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{9EC88934-C774-11d1-87F4-00C04FC2C17B} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DeviceManager_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DeviceManager_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *DHCP Relay Management* -- GP name: *MMC_DHCPRelayMgmt* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DeviceManager_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DeviceManager | +| Friendly Name | Device Manager | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DeviceManager_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DeviceManager_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Device Manager* -- GP name: *MMC_DeviceManager_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DeviceManager_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DeviceManager | +| Friendly Name | Device Manager | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DFS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DFS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Device Manager* -- GP name: *MMC_DeviceManager_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DiskDefrag** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DFS | +| Friendly Name | Distributed File System | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DHCPRelayMgmt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DHCPRelayMgmt +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Disk Defragmenter* -- GP name: *MMC_DiskDefrag* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_DiskMgmt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DHCPRelayMgmt | +| Friendly Name | DHCP Relay Management | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DiskDefrag -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DiskDefrag +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Disk Management* -- GP name: *MMC_DiskMgmt* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_EnterprisePKI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DiskDefrag | +| Friendly Name | Disk Defragmenter | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{43668E21-2636-11D1-A1CE-0080C88593A5} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_DiskMgmt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_DiskMgmt +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Enterprise PKI* -- GP name: *MMC_EnterprisePKI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_EventViewer_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_DiskMgmt | +| Friendly Name | Disk Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EnterprisePKI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EnterprisePKI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer* -- GP name: *MMC_EventViewer_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_EventViewer_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EnterprisePKI | +| Friendly Name | Enterprise PKI | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{634BDE40-E5E1-49A1-B2CD-140FFFC830F9} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer (Windows Vista)* -- GP name: *MMC_EventViewer_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_EventViewer_3** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer | +| Friendly Name | Event Viewer | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer* -- GP name: *MMC_EventViewer_3* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_EventViewer_4** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer_2 | +| Friendly Name | Event Viewer (Windows Vista) | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_EventViewer_3 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_3 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer (Windows Vista)* -- GP name: *MMC_EventViewer_4* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -
    +**ADMX mapping**: - -**ADMX_MMCSnapins/MMC_EventViewer_2** +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer | +| Friendly Name | Event Viewer | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## MMC_EventViewer_4 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_EventViewer_4 +``` + -
    - - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Event Viewer (Windows Vista)* -- GP name: *MMC_EventViewer_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_FAXService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_EventViewer_2 | +| Friendly Name | Event Viewer (Windows Vista) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FailoverClusters -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FailoverClusters +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *FAX Service* -- GP name: *MMC_FAXService* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_FailoverClusters** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FailoverClusters | +| Friendly Name | Failover Clusters Manager | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{D2779945-405B-4ACE-8618-508F3E3054AC} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FAXService -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FAXService +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Failover Clusters Manager* -- GP name: *MMC_FailoverClusters* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_FolderRedirection_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FAXService | +| Friendly Name | FAX Service | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{753EDB4D-2E1B-11D1-9064-00A0C90AB504} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FolderRedirection_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FolderRedirection_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Folder Redirection* -- GP name: *MMC_FolderRedirection_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_FolderRedirection_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FolderRedirection | +| Friendly Name | Folder Redirection | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FolderRedirection_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FolderRedirection_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Folder Redirection* -- GP name: *MMC_FolderRedirection_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_FrontPageExt** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FolderRedirection | +| Friendly Name | Folder Redirection | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_FrontPageExt -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_FrontPageExt +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *FrontPage Server Extensions* -- GP name: *MMC_FrontPageExt* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_FrontPageExt | +| Friendly Name | FrontPage Server Extensions | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_GroupPolicyManagementSnapIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Group Policy Management* -- GP name: *MMC_GroupPolicyManagementSnapIn* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_GroupPolicySnapIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_GroupPolicyManagementSnapIn | +| Friendly Name | Group Policy Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_GroupPolicySnapIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_GroupPolicySnapIn +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Group Policy Object Editor* -- GP name: *MMC_GroupPolicySnapIn* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_GroupPolicyTab** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_GroupPolicySnapIn | +| Friendly Name | Group Policy Object Editor | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_GroupPolicyTab -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_GroupPolicyTab +``` + - - -This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. + + +Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. -If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab isn't displayed in those snap-ins. +If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed. +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed. -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab. +-- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab. -To explicitly permit use of the Group Policy tab, enable this setting. If this setting isn't configured (or disabled), the Group Policy tab is inaccessible. +To explicitly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Group Policy tab is inaccessible. -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab. +-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab. -To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting isn't configured (or enabled), the Group Policy tab is accessible. +To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting is not configured (or enabled), the Group Policy tab is accessible. -When the Group Policy tab is inaccessible, it doesn't appear in the site, domain, or organizational unit property sheets. - +When the Group Policy tab is inaccessible, it does not appear in the site, domain, or organizational unit property sheets. + + + + - -ADMX Info: -- GP Friendly name: *Group Policy tab for Active Directory Tools* -- GP name: *MMC_GroupPolicyTab* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_HRA** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_GroupPolicyTab | +| Friendly Name | Group Policy tab for Active Directory Tools | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_HRA -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_HRA +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Health Registration Authority (HRA)* -- GP name: *MMC_HRA* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IAS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_HRA | +| Friendly Name | Health Registration Authority (HRA) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{89cc9588-7628-4d29-8e4a-6550d0087059} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IAS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IAS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Authentication Service (IAS)* -- GP name: *MMC_IAS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IASLogging** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IAS | +| Friendly Name | Internet Authentication Service (IAS) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IASLogging -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IASLogging +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IAS Logging* -- GP name: *MMC_IASLogging* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IEMaintenance_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IASLogging | +| Friendly Name | IAS Logging | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{2E19B602-48EB-11d2-83CA-00104BCA42CF} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IEMaintenance_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IEMaintenance_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Maintenance* -- GP name: *MMC_IEMaintenance_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IEMaintenance_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IEMaintenance | +| Friendly Name | Internet Explorer Maintenance | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IEMaintenance_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IEMaintenance_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Explorer Maintenance* -- GP name: *MMC_IEMaintenance_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IGMPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IEMaintenance | +| Friendly Name | Internet Explorer Maintenance | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IGMPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IGMPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IGMP Routing* -- GP name: *MMC_IGMPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IIS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IGMPRouting | +| Friendly Name | IGMP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4508-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IIS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IIS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Internet Information Services* -- GP name: *MMC_IIS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IIS | +| Friendly Name | Internet Information Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IndexingService -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IndexingService +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Routing* -- GP name: *MMC_IPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IPSecManage_GP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IndexingService | +| Friendly Name | Indexing Service | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{95AD72F0-44CE-11D0-AE29-00AA004B9986} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Security Policy Management* -- GP name: *MMC_IPSecManage_GP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IPXRIPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPRouting | +| Friendly Name | IP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4500-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IpSecManage -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IpSecManage +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IPX RIP Routing* -- GP name: *MMC_IPXRIPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IPXRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IpSecManage | +| Friendly Name | IP Security Policy Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{DEA8AFA2-CC85-11d0-9CE2-0080C7221EBD} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPSecManage_GP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPSecManage_GP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IPX Routing* -- GP name: *MMC_IPXRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IPXSAPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IpSecManage | +| Friendly Name | IP Security Policy Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IpSecMonitor -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IpSecMonitor +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IPX SAP Routing* -- GP name: *MMC_IPXSAPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IndexingService** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IpSecMonitor | +| Friendly Name | IP Security Monitor | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{57C596D0-9370-40C0-BA0D-AB491B63255D} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPXRIPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPXRIPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Indexing Service* -- GP name: *MMC_IndexingService* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IpSecManage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPXRIPRouting | +| Friendly Name | IPX RIP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90810502-38F1-11D1-9345-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPXRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPXRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Security Policy Management* -- GP name: *MMC_IpSecManage* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_IpSecMonitor** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPXRouting | +| Friendly Name | IPX Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90810500-38F1-11D1-9345-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_IPXSAPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_IPXSAPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *IP Security Monitor* -- GP name: *MMC_IpSecMonitor* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_LocalUsersGroups** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_IPXSAPRouting | +| Friendly Name | IPX SAP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{90810504-38F1-11D1-9345-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_LocalUsersGroups -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_LocalUsersGroups +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Local Users and Groups* -- GP name: *MMC_LocalUsersGroups* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_LogicalMappedDrives** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_LocalUsersGroups | +| Friendly Name | Local Users and Groups | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_LogicalMappedDrives -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_LogicalMappedDrives +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Logical and Mapped Drives* -- GP name: *MMC_LogicalMappedDrives* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_NPSUI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_LogicalMappedDrives | +| Friendly Name | Logical and Mapped Drives | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{6E8E0081-19CD-11D1-AD91-00AA00B8E05A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_NapSnap -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_NapSnap +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Network Policy Server (NPS)* -- GP name: *MMC_NPSUI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_NapSnap** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_NapSnap | +| Friendly Name | NAP Client Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{a1bc4eca-66b2-44e8-9915-be02e84438ba} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_NapSnap_GP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_NapSnap_GP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *NAP Client Configuration* -- GP name: *MMC_NapSnap* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_NapSnap_GP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_NapSnap | +| Friendly Name | NAP Client Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{a1bc4ecb-66b2-44e8-9915-be02e84438ba} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Net_Framework -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Net_Framework +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *NAP Client Configuration* -- GP name: *MMC_NapSnap_GP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_Net_Framework** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Net_Framework | +| Friendly Name | .Net Framework Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{18BA7139-D98B-43c2-94DA-2604E34E175D} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_NPSUI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_NPSUI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *.Net Framework Configuration* -- GP name: *MMC_Net_Framework* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_OCSP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_NPSUI | +| Friendly Name | Network Policy Server (NPS) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{6630f2d7-bd52-4072-bfa7-863f3d0c5da0} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_OCSP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_OCSP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Online Responder* -- GP name: *MMC_OCSP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_OSPFRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_OCSP | +| Friendly Name | Online Responder | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{6d8880af-e518-43a8-986c-1ad21c4c976e} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_OSPFRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_OSPFRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *OSPF Routing* -- GP name: *MMC_OSPFRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_PerfLogsAlerts** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_OSPFRouting | +| Friendly Name | OSPF Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4506-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_PerfLogsAlerts -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_PerfLogsAlerts +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Performance Logs and Alerts* -- GP name: *MMC_PerfLogsAlerts* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_PublicKey** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_PerfLogsAlerts | +| Friendly Name | Performance Logs and Alerts | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{7478EF61-8C46-11d1-8D99-00A0C913CAD4} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_PublicKey -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_PublicKey +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Public Key Policies* -- GP name: *MMC_PublicKey* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_QoSAdmission** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_PublicKey | +| Friendly Name | Public Key Policies | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_QoSAdmission -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_QoSAdmission +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *QoS Admission Control* -- GP name: *MMC_QoSAdmission* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RAS_DialinUser** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_QoSAdmission | +| Friendly Name | QoS Admission Control | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{FD57D297-4FD9-11D1-854E-00C04FC31FD3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RAS_DialinUser -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RAS_DialinUser +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *RAS Dialin - User Node* -- GP name: *MMC_RAS_DialinUser* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RIPRouting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RAS_DialinUser | +| Friendly Name | RAS Dialin - User Node | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RemoteAccess -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RemoteAccess +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *RIP Routing* -- GP name: *MMC_RIPRouting* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RIS** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RemoteAccess | +| Friendly Name | Remote Access | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RemoteDesktop -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RemoteDesktop +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Installation Services* -- GP name: *MMC_RIS* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RRA** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RemoteDesktop | +| Friendly Name | Remote Desktops | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3D5D035E-7721-4B83-A645-6C07A3D403B7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RemStore -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RemStore +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Routing and Remote Access* -- GP name: *MMC_RRA* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RSM** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RemStore | +| Friendly Name | Removable Storage | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{243E20B0-48ED-11D2-97DA-00A024D77700} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ResultantSetOfPolicySnapIn -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Removable Storage Management* -- GP name: *MMC_RSM* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RemStore** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ResultantSetOfPolicySnapIn | +| Friendly Name | Resultant Set of Policy snap-in | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RIPRouting -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RIPRouting +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Removable Storage* -- GP name: *MMC_RemStore* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RemoteAccess** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RIPRouting | +| Friendly Name | RIP Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C2FE4504-D6C2-11D0-A37B-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RIS -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RIS +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Access* -- GP name: *MMC_RemoteAccess* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_RemoteDesktop** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RIS | +| Friendly Name | Remote Installation Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Routing -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Routing +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Desktops* -- GP name: *MMC_RemoteDesktop* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Routing | +| Friendly Name | Routing | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{DAB1A262-4FD7-11D1-842C-00C04FB6C218} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RRA -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RRA +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Resultant Set of Policy snap-in* -- GP name: *MMC_ResultantSetOfPolicySnapIn* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_Routing** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RRA | +| Friendly Name | Routing and Remote Access | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_RSM -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_RSM +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Routing* -- GP name: *MMC_Routing* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SCA** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_RSM | +| Friendly Name | Removable Storage Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{3CB6973D-3E6F-11D0-95DB-00A024D77700} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SCA -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SCA +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Configuration and Analysis* -- GP name: *MMC_SCA* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SMTPProtocol** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SCA | +| Friendly Name | Security Configuration and Analysis | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsMachine_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsMachine_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *SMTP Protocol* -- GP name: *MMC_SMTPProtocol* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SNMP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsMachine | +| Friendly Name | Scripts (Startup/Shutdown) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsMachine_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsMachine_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *SNMP* -- GP name: *MMC_SNMP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ScriptsMachine_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsMachine | +| Friendly Name | Scripts (Startup/Shutdown) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsUser_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsUser_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Startup/Shutdown)* -- GP name: *MMC_ScriptsMachine_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ScriptsMachine_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsUser | +| Friendly Name | Scripts (Logon/Logoff) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ScriptsUser_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ScriptsUser_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Startup/Shutdown)* -- GP name: *MMC_ScriptsMachine_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ScriptsUser_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ScriptsUser | +| Friendly Name | Scripts (Logon/Logoff) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SecuritySettings_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SecuritySettings_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Logon/Logoff)* -- GP name: *MMC_ScriptsUser_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ScriptsUser_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SecuritySettings | +| Friendly Name | Security Settings | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SecuritySettings_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SecuritySettings_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Scripts (Logon/Logoff)* -- GP name: *MMC_ScriptsUser_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SecuritySettings_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SecuritySettings | +| Friendly Name | Security Settings | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SecurityTemplates -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SecurityTemplates +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Settings* -- GP name: *MMC_SecuritySettings_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SecuritySettings_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SecurityTemplates | +| Friendly Name | Security Templates | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SendConsoleMessage -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SendConsoleMessage +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Settings* -- GP name: *MMC_SecuritySettings_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SecurityTemplates** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SendConsoleMessage | +| Friendly Name | Send Console Message | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ServerManager -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ServerManager +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Security Templates* -- GP name: *MMC_SecurityTemplates* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SendConsoleMessage** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ServerManager | +| Friendly Name | Server Manager | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{18ea3f92-d6aa-41d9-a205-2023400c8fbb} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_ServiceDependencies -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_ServiceDependencies +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Send Console Message* -- GP name: *MMC_SendConsoleMessage* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ServerManager** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_ServiceDependencies | +| Friendly Name | Service Dependencies | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Services -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Services +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Server Manager* -- GP name: *MMC_ServerManager* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_ServiceDependencies** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Services | +| Friendly Name | Services | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C66-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SharedFolders -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SharedFolders +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Service Dependencies* -- GP name: *MMC_ServiceDependencies* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_Services** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SharedFolders | +| Friendly Name | Shared Folders | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C65-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SharedFolders_Ext -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SharedFolders_Ext +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Services* -- GP name: *MMC_Services* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SharedFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SharedFolders_Ext | +| Friendly Name | Shared Folders Ext | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{58221C69-EA27-11CF-ADCF-00AA00A80033} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SMTPProtocol -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SMTPProtocol +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Shared Folders* -- GP name: *MMC_SharedFolders* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SharedFolders_Ext** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SMTPProtocol | +| Friendly Name | SMTP Protocol | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{03f1f940-a0f2-11d0-bb77-00aa00a1eab7} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SNMP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SNMP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Shared Folders Ext* -- GP name: *MMC_SharedFolders_Ext* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SNMP | +| Friendly Name | SNMP | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{7AF60DD3-4979-11D1-8A6C-00C04FC33566} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstalationComputers_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Computers)* -- GP name: *MMC_SoftwareInstalationComputers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstalationComputers | +| Friendly Name | Software Installation (Computers) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstalationComputers_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Computers)* -- GP name: *MMC_SoftwareInstalationComputers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstalationComputers | +| Friendly Name | Software Installation (Computers) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstallationUsers_1 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Users)* -- GP name: *MMC_SoftwareInstallationUsers_1* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstallationUsers | +| Friendly Name | Software Installation (Users) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SoftwareInstallationUsers_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Software Installation (Users)* -- GP name: *MMC_SoftwareInstallationUsers_2* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SysInfo** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SoftwareInstallationUsers | +| Friendly Name | Software Installation (Users) | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SysInfo -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SysInfo +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *System Information* -- GP name: *MMC_SysInfo* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_SysProp** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SysInfo | +| Friendly Name | System Information | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{45ac8c63-23e2-11d1-a696-00c04fd58bc3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_SysProp -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_SysProp +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *System Properties* -- GP name: *MMC_SysProp* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_TPMManagement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_SysProp | +| Friendly Name | System Properties | +| Location | User Configuration | +| Path | MMC_RESTRICT > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Telephony -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_Telephony +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *TPM Management* -- GP name: *MMC_TPMManagement* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_Telephony** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Telephony | +| Friendly Name | Telephony | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_TerminalServices -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_TerminalServices +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Telephony* -- GP name: *MMC_Telephony* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_TerminalServices** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_TerminalServices | +| Friendly Name | Remote Desktop Services Configuration | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B91B6008-32D2-11D2-9888-00A0C925F917} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_TPMManagement -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_TPMManagement +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Remote Desktop Services Configuration* -- GP name: *MMC_TerminalServices* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_WMI** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_TPMManagement | +| Friendly Name | TPM Management | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WindowsFirewall -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WindowsFirewall +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *WMI Control* -- GP name: *MMC_WMI* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_WindowsFirewall** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WindowsFirewall | +| Friendly Name | Windows Firewall with Advanced Security | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WindowsFirewall_GP -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WindowsFirewall_GP +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Windows Firewall with Advanced Security* -- GP name: *MMC_WindowsFirewall* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_WindowsFirewall_GP** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WindowsFirewall | +| Friendly Name | Windows Firewall with Advanced Security | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WiredNetworkPolicy -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WiredNetworkPolicy +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Windows Firewall with Advanced Security* -- GP name: *MMC_WindowsFirewall_GP* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_WiredNetworkPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WiredNetworkPolicy | +| Friendly Name | Wired Network (IEEE 802.3) Policies | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{06993B16-A5C7-47EB-B61C-B1CB7EE600AC} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WirelessMon -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WirelessMon +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Wired Network (IEEE 802.3) Policies* -- GP name: *MMC_WiredNetworkPolicy* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_WirelessMon** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WirelessMon | +| Friendly Name | Wireless Monitor | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{23DC5869-BD9F-46fd-AADD-1F869BA64FC3} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WirelessNetworkPolicy -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WirelessNetworkPolicy +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + - -ADMX Info: -- GP Friendly name: *Wireless Monitor* -- GP name: *MMC_WirelessMon* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMCSnapins.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX_MMCSnapins/MMC_WirelessNetworkPolicy** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_WirelessNetworkPolicy | +| Friendly Name | Wireless Network (IEEE 802.11) Policies | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | +| Registry Key Name | Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_WMI -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMCSnapins/MMC_WMI +``` + - - + + This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and can't be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. + +If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. + +-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. + +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + + + + + -If this policy setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. + +**Description framework properties**: -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting isn't configured or disabled, this snap-in is prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting isn't configured or enabled, the snap-in is permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. - +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | MMC_WMI | +| Friendly Name | WMI Control | +| Location | User Configuration | +| Path | MMC > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMCSnapins.admx | + - -ADMX Info: -- GP Friendly name: *Wireless Network (IEEE 802.11) Policies* -- GP name: *MMC_WirelessNetworkPolicy* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions* -- GP ADMX file name: *MMCSnapins.admx* + + + - - + + + + - + -## Related topics +## Related articles -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index a6dc221389..7729557364 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -1,140 +1,162 @@ --- -title: Policy CSP - ADMX_MobilePCMobilityCenter -description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter. +title: ADMX_MobilePCMobilityCenter Policy CSP +description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MobilePCMobilityCenter > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MobilePCMobilityCenter policies + +## MobilityCenterEnable_2 -
    -
    - ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 -
    -
    - ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +``` + -
    - - -**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off Windows Mobility Center. -- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it. -- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. +If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. -If you don't configure this policy setting, Windows Mobility Center is on by default. +If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. - +If you do not configure this policy setting, Windows Mobility Center is on by default. + + + + - -ADMX Info: -- GP Friendly name: *Turn off Windows Mobility Center* -- GP name: *MobilityCenterEnable_1* -- GP path: *Windows Components\Windows Mobility Center* -- GP ADMX file name: *MobilePCMobilityCenter.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | MobilityCenterEnable | +| Friendly Name | Turn off Windows Mobility Center | +| Location | Computer Configuration | +| Path | Windows Components > Windows Mobility Center | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter | +| Registry Value Name | NoMobilityCenter | +| ADMX File Name | MobilePCMobilityCenter.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## MobilityCenterEnable_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1 +``` + + + + This policy setting turns off Windows Mobility Center. -- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file doesn't launch it. -- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. +If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. -If you don't configure this policy setting, Windows Mobility Center is on by default. +If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. - +If you do not configure this policy setting, Windows Mobility Center is on by default. + + + + - -ADMX Info: -- GP Friendly name: *Turn off Windows Mobility Center* -- GP name: *MobilityCenterEnable_2* -- GP path: *Windows Components\Windows Mobility Center* -- GP ADMX file name: *MobilePCMobilityCenter.admx* - - -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MobilityCenterEnable | +| Friendly Name | Turn off Windows Mobility Center | +| Location | User Configuration | +| Path | Windows Components > Windows Mobility Center | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter | +| Registry Value Name | NoMobilityCenter | +| ADMX File Name | MobilePCMobilityCenter.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index 1fefcaa209..5b7f75dc59 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -1,153 +1,166 @@ --- -title: Policy CSP - ADMX_MobilePCPresentationSettings -description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings. +title: ADMX_MobilePCPresentationSettings Policy CSP +description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/06/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/20/2021 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MobilePCPresentationSettings > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MobilePCPresentationSettings policies + +## PresentationSettingsEnable_2 -
    -
    - ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 -
    -
    - ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +``` + - - -**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1** - - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting turns off Windows presentation settings. -If you enable this policy setting, Windows presentation settings can't be invoked. +If you enable this policy setting, Windows presentation settings cannot be invoked. -If you disable this policy setting, Windows presentation settings can be invoked. +If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. -The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. +Note: Users will be able to customize their system settings for presentations in Windows Mobility Center. -> [!NOTE] -> Users will be able to customize their system settings for presentations in Windows Mobility Center. If you do not configure this policy setting, Windows presentation settings can be invoked. + + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Turn off Windows presentation settings* -- GP name: *PresentationSettingsEnable_1* -- GP path: *Windows Components\Presentation Settings* -- GP ADMX file name: *MobilePCPresentationSettings.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - - -
    +**ADMX mapping**: - -**ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2** +| Name | Value | +|:--|:--| +| Name | PresentationSettingsEnable | +| Friendly Name | Turn off Windows presentation settings | +| Location | Computer Configuration | +| Path | Windows Components > Presentation Settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings | +| Registry Value Name | NoPresentationSettings | +| ADMX File Name | MobilePCPresentationSettings.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## PresentationSettingsEnable_1 - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * User + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1 +``` + -
    - - - + + This policy setting turns off Windows presentation settings. -If you enable this policy setting, Windows presentation settings can't be invoked. +If you enable this policy setting, Windows presentation settings cannot be invoked. -If you disable this policy setting, Windows presentation settings can be invoked. +If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. -The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. - -> [!NOTE] -> Users will be able to customize their system settings for presentations in Windows Mobility Center. +Note: Users will be able to customize their system settings for presentations in Windows Mobility Center. If you do not configure this policy setting, Windows presentation settings can be invoked. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Windows presentation settings* -- GP name: *PresentationSettingsEnable_2* -- GP path: *Windows Components\Presentation Settings* -- GP ADMX file name: *MobilePCPresentationSettings.admx* - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +| Name | Value | +|:--|:--| +| Name | PresentationSettingsEnable | +| Friendly Name | Turn off Windows presentation settings | +| Location | User Configuration | +| Path | Windows Components > Presentation Settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings | +| Registry Value Name | NoPresentationSettings | +| ADMX File Name | MobilePCPresentationSettings.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 95c02cb6b78296b2fca99e67528c6f824513e3fe Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 6 Jan 2023 16:26:48 -0500 Subject: [PATCH 121/152] Changes per feedback #2 --- .../mdm/policy-csp-admx-appcompat.md | 124 +- .../mdm/policy-csp-admx-terminalserver.md | 2184 +++++++++-------- .../mdm/policy-csp-admx-userprofiles.md | 182 +- .../mdm/policy-csp-applicationmanagement.md | 31 +- .../mdm/policy-csp-appruntime.md | 8 +- .../mdm/policy-csp-bitlocker.md | 8 + .../client-management/mdm/policy-csp-bits.md | 8 +- .../mdm/policy-csp-browser.md | 26 +- .../mdm/policy-csp-connectivity.md | 42 +- .../mdm/policy-csp-dataprotection.md | 4 +- .../mdm/policy-csp-datausage.md | 2 + .../mdm/policy-csp-deliveryoptimization.md | 117 +- .../mdm/policy-csp-desktopappinstaller.md | 83 +- .../mdm/policy-csp-deviceinstallation.md | 58 +- .../mdm/policy-csp-devicelock.md | 260 +- .../mdm/policy-csp-eventlogservice.md | 24 +- .../mdm/policy-csp-experience.md | 1540 ++++++------ .../mdm/policy-csp-exploitguard.md | 51 +- .../mdm/policy-csp-handwriting.md | 3 + .../mdm/policy-csp-internetexplorer.md | 1319 +++++----- .../mdm/policy-csp-kerberos.md | 74 +- ...policy-csp-localpoliciessecurityoptions.md | 108 +- 22 files changed, 3118 insertions(+), 3138 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 6f07ebd2bc..e1cc857151 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppCompat Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -54,7 +54,7 @@ If the status is set to Disabled, the MS-DOS subsystem runs for all users on thi If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 and downlevel, the OS will allow 16-bit applications to run. -Note: This setting appears in only Computer Configuration. +**Note**: This setting appears in only Computer Configuration. @@ -242,7 +242,7 @@ The Windows Resource Protection and User Account Control features of Windows use This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. -NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. +**Note**: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. @@ -281,6 +281,62 @@ NOTE: Many system processes cache the value of this setting for performance reas + +## AppCompatTurnOffProgramCompatibilityAssistant_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 +``` + + + + +This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppCompatTurnOffProgramCompatibilityAssistant_1 | +| Friendly Name | Turn off Program Compatibility Assistant | +| Location | User Configuration | +| Path | Windows Components > Application Compatibility | +| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | +| Registry Value Name | DisablePCA | +| ADMX File Name | AppCompat.admx | + + + + + + + + ## AppCompatTurnOffProgramCompatibilityAssistant_2 @@ -306,7 +362,7 @@ If you enable this policy setting, the PCA will be turned off. The user will not If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. +**Note**: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. @@ -330,7 +386,7 @@ Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Se | Name | Value | |:--|:--| -| Name | AppCompatTurnOffProgramCompatibilityAssistant | +| Name | AppCompatTurnOffProgramCompatibilityAssistant_2 | | Friendly Name | Turn off Program Compatibility Assistant | | Location | Computer Configuration | | Path | Windows Components > Application Compatibility | @@ -370,7 +426,7 @@ If you enable this policy setting, the Inventory Collector will be turned off an If you disable or do not configure this policy setting, the Inventory Collector will be turned on. -Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. +**Note**: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. @@ -537,62 +593,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e - -## AppCompatTurnOffProgramCompatibilityAssistant_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 -``` - - - - -This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AppCompatTurnOffProgramCompatibilityAssistant | -| Friendly Name | Turn off Program Compatibility Assistant | -| Location | User Configuration | -| Path | Windows Components > Application Compatibility | -| Registry Key Name | Software\Policies\Microsoft\Windows\AppCompat | -| Registry Value Name | DisablePCA | -| ADMX File Name | AppCompat.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index ac9e54106c..47389ccf0a 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TerminalServer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -68,7 +66,7 @@ If the status is set to Not Configured, automatic reconnection is not specified > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, users can redirect their > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -178,7 +176,8 @@ If no certificate can be found that was created with the specified certificate t If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. -Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. +> [!NOTE] +> If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. @@ -196,7 +195,7 @@ Note: If you select a specific certificate to be used to authenticate the RD Ses > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -216,6 +215,69 @@ Note: If you select a specific certificate to be used to authenticate the RD Ses + +## TS_CLIENT_ALLOW_SIGNED_FILES_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +``` + + + + +This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_SIGNED_FILES_1 | +| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowSignedFiles | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_ALLOW_SIGNED_FILES_2 @@ -239,7 +301,8 @@ If you enable or do not configure this policy setting, users can run .rdp files If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. -Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -257,13 +320,13 @@ Note: You can define this policy setting in the Computer Configuration node or i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_ALLOW_SIGNED_FILES | +| Name | TS_CLIENT_ALLOW_SIGNED_FILES_2 | | Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -278,6 +341,66 @@ Note: You can define this policy setting in the Computer Configuration node or i + +## TS_CLIENT_ALLOW_UNSIGNED_FILES_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +``` + + + + +This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES_1 | +| Friendly Name | Allow .rdp files from unknown publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | AllowUnsignedFiles | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_ALLOW_UNSIGNED_FILES_2 @@ -317,13 +440,13 @@ If you disable this policy setting, users cannot run unsigned .rdp files and .rd > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES | +| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES_2 | | Friendly Name | Allow .rdp files from unknown publishers | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -382,7 +505,7 @@ If you do not configure this policy setting audio and video playback redirection > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -447,7 +570,7 @@ If you do not configure this policy setting, Audio recording redirection is not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -511,7 +634,7 @@ If you disable or do not configure this policy setting, audio playback quality w > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -574,7 +697,7 @@ If you do not configure this policy setting, Clipboard redirection is not specif > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -638,7 +761,7 @@ If you do not configure this policy setting, COM port redirection is not specifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -702,7 +825,7 @@ If you do not configure this policy setting, the default printer is not specifie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -758,7 +881,7 @@ This policy setting specifies whether the Remote Desktop Connection can use hard > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -779,6 +902,66 @@ This policy setting specifies whether the Remote Desktop Connection can use hard + +## TS_CLIENT_DISABLE_PASSWORD_SAVING_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +``` + + + + +Controls whether a user can save passwords using Remote Desktop Connection. + +If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING_1 | +| Friendly Name | Do not allow passwords to be saved | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | DisablePasswordSaving | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_LPT @@ -822,7 +1005,7 @@ If you do not configure this policy setting, LPT port redirection is not specifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -866,9 +1049,10 @@ By default, Remote Desktop Services does not allow redirection of supported Plug If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. -If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. +If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. -Note: You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. +> [!NOTE] +> You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. @@ -886,7 +1070,7 @@ Note: You can disable redirection of specific types of supported Plug and Play d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -950,7 +1134,7 @@ If you do not configure this policy setting, client printer mapping is not speci > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -994,7 +1178,7 @@ If you enable this policy setting, any certificate with an SHA1 thumbprint that If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. -Notes: +**Note**: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. @@ -1018,13 +1202,13 @@ If the list contains a string that is not a certificate thumbprint, it is ignore > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS | +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 | | Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -1038,6 +1222,73 @@ If the list contains a string that is not a certificate thumbprint, it is ignore + +## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +``` + + + + +This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. + +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +**Note**: + +You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. + +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. + +If the list contains a string that is not a certificate thumbprint, it is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 | +| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_CLIENT_TURN_OFF_UDP @@ -1077,7 +1328,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1123,9 +1374,11 @@ If you enable this policy setting, the color depth that you specify is the maxim If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. -Note: +**Note**: + 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. 2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. + 3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: a. Value specified by this policy setting b. Maximum color depth supported by the client @@ -1149,7 +1402,7 @@ If the client does not support at least 16 bits, the connection is terminated. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1188,13 +1441,15 @@ If the client does not support at least 16 bits, the connection is terminated. This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. -Note: If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. +> [!NOTE] +> If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. -Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. +> [!NOTE] +> This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. @@ -1212,7 +1467,7 @@ Note: This policy setting is ignored if the "Prevent Roaming Profile changes fro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1276,7 +1531,7 @@ If the status is set to Not Configured, the default behavior applies. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1340,7 +1595,7 @@ NOTE: The policy setting enables load-balancing of graphics processing units (GP > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1384,7 +1639,8 @@ If you enable or do not configure this policy setting, the RD Session Host serve If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. -Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1402,7 +1658,7 @@ Note: If the "Do not allow client printer redirection" policy setting is enabled > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1423,6 +1679,69 @@ Note: If the "Do not allow client printer redirection" policy setting is enabled + +## TS_EASY_PRINT_User + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT_User +``` + + + + +This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_EASY_PRINT_User | +| Friendly Name | Use Remote Desktop Easy Print printer driver first | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseUniversalPrinterDriverFirst | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_EnableVirtualGraphics @@ -1468,7 +1787,7 @@ If you do not configure this policy setting, the default behavior will be used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1524,7 +1843,8 @@ If you disable this policy setting, the RD Session Host server fallback driver i If you do not configure this policy setting, the fallback printer driver behavior is off by default. -Note: If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. +> [!NOTE] +> If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. @@ -1542,7 +1862,7 @@ Note: If the "Do not allow client printer redirection" setting is enabled, this > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1588,7 +1908,8 @@ If you enable this policy setting, logging off the connected administrator is no If you disable or do not configure this policy setting, logging off the connected administrator is allowed. -Note: The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. +> [!NOTE] +> The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. @@ -1606,7 +1927,7 @@ Note: The console session is also known as Session 0. Console access can be obta > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1627,6 +1948,193 @@ Note: The console session is also known as Session 0. Console access can be obta + +## TS_GATEWAY_POLICY_AUTH_METHOD + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +``` + + + + +Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_AUTH_METHOD | +| Friendly Name | Set RD Gateway authentication method | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_ENABLE + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +``` + + + + +If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. + +You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_ENABLE | +| Friendly Name | Enable connection through RD Gateway | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | UseProxy | +| ADMX File Name | TerminalServer.admx | + + + + + + + + + +## TS_GATEWAY_POLICY_SERVER + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +``` + + + + +Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. + +> [!NOTE] +> If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_GATEWAY_POLICY_SERVER | +| Friendly Name | Set RD Gateway server address | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RD Gateway | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_JOIN_SESSION_DIRECTORY @@ -1652,7 +2160,7 @@ If you disable this policy setting, the server does not join a farm in RD Connec If the policy setting is not configured, the policy setting is not specified at the Group Policy level. -Notes: +**Note**: 1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. @@ -1674,7 +2182,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1736,7 +2244,7 @@ If you disable or do not configure this policy setting, a keep-alive interval is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1784,7 +2292,8 @@ By default, the RDS Endpoint Servers group is empty. If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. -Note: You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. +> [!NOTE] +> You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. @@ -1802,7 +2311,7 @@ Note: You should only enable this policy setting when the license server is a me > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1866,7 +2375,7 @@ If you disable or do not configure this policy setting, the RD Session Host serv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1927,7 +2436,7 @@ If you disable or do not configure this policy setting, these notifications will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1992,7 +2501,7 @@ If you disable or do not configure this policy setting, the licensing mode is no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2039,7 +2548,8 @@ If the status is set to Enabled, the maximum number of connections is limited to If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. -Note: This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). +> [!NOTE] +> This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). @@ -2057,7 +2567,7 @@ Note: This setting is designed to be used on RD Session Host servers (that is, o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2116,7 +2626,7 @@ If you disable or do not configure this policy setting, the maximum resolution t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2175,7 +2685,7 @@ If you disable or do not configure this policy setting, the number of monitors t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2220,7 +2730,8 @@ If you enable this policy setting, "Disconnect" does not appear as an option in If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. -Note: This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. +> [!NOTE] +> This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. @@ -2238,7 +2749,7 @@ Note: This policy setting affects only the Shut Down Windows dialog box. It does > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2298,7 +2809,7 @@ If the status is set to Disabled or Not Configured, Windows Security remains in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2365,7 +2876,7 @@ If you disable or do not configure this policy setting, the license server will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2407,7 +2918,8 @@ This policy setting determines whether a user will be prompted on the client com If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. -Note: If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. +> [!NOTE] +> If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. @@ -2427,7 +2939,7 @@ If you disable or do not configure this policy setting, the version of the opera > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2448,6 +2960,70 @@ If you disable or do not configure this policy setting, the version of the opera + +## TS_RADC_DefaultConnection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RADC_DefaultConnection +``` + + + + +This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. + +The default connection URL must be configured in the form of . + +If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +If you disable or do not configure this policy setting, the user has no default connection URL. + +> [!NOTE] +> RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RADC_DefaultConnection | +| Friendly Name | Specify default connection URL | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Workspaces | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_RDSAppX_WaitForRegistration @@ -2489,7 +3065,7 @@ If you disable or do not configure this policy setting, the Start screen is show > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2510,6 +3086,71 @@ If you disable or do not configure this policy setting, the Start screen is show + +## TS_RemoteControl_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_1 +``` + + + + +If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. + +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. + +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_RemoteControl_1 | +| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_RemoteControl_2 @@ -2531,8 +3172,10 @@ If you enable this policy setting, administrators can interact with a user's Rem 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. + 3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. 4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. + 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. @@ -2553,13 +3196,13 @@ If you disable this policy setting, administrators can interact with a user's Re > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_RemoteControl | +| Name | TS_RemoteControl_2 | | Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | @@ -2614,7 +3257,7 @@ By default, Remote Desktop Connection sessions that use RemoteFX are optimized f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2659,7 +3302,7 @@ If you enable this policy setting, you must specify the name of a farm in RD Con If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. -Notes: +**Note**: 1. This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. @@ -2681,7 +3324,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2726,7 +3369,7 @@ If you disable this policy setting, the IP address of the RD Session Host server If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. -Notes: +**Note**: 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2746,7 +3389,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2790,7 +3433,7 @@ If you enable this policy setting, you must specify the RD Connection Broker ser If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. -Notes: +**Note**: 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2814,7 +3457,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2879,7 +3522,7 @@ If you disable or do not configure this policy setting, the security method to b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2944,7 +3587,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3009,7 +3652,7 @@ If you disable or do not configure this policy setting, RDP will choose the opti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3068,7 +3711,7 @@ If you disable this policy setting, RemoteApp programs published from this RD Se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3134,7 +3777,7 @@ If you disable or do not configure this policy setting, the authentication setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3189,7 +3832,7 @@ This policy setting lets you enable H.264/AVC hardware encoding support for Remo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3245,7 +3888,7 @@ This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3309,7 +3952,7 @@ If you disable or do not configure this policy setting, the default RDP compress > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3369,7 +4012,7 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3406,7 +4049,7 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi -This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. +This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. @@ -3424,7 +4067,7 @@ This policy setting allows you to configure graphics encoding to use the RemoteF > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3465,8 +4108,10 @@ This policy setting allows you to configure graphics encoding to use the RemoteF This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. If you enable this policy setting, the RemoteFX experience could be set to one of the following options: + 1. Let the system choose the experience for the network condition 2. Optimize for server scalability + 3. Optimize for minimum bandwidth usage If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." @@ -3487,7 +4132,7 @@ If you disable or do not configure this policy setting, the RemoteFX experience > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3548,7 +4193,7 @@ If you disable or do not configure this policy setting, Remote Desktop Services > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3609,7 +4254,7 @@ For this change to take effect, you must restart Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3630,6 +4275,75 @@ For this change to take effect, you must restart Windows. + +## TS_Session_End_On_Limit_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_1 +``` + + + + +This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. + +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. + +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. + +If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +> [!NOTE] +> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_Session_End_On_Limit_1 | +| Friendly Name | End session when time limits are reached | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fResetBroken | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_Session_End_On_Limit_2 @@ -3659,7 +4373,8 @@ If you disable this policy setting, Remote Desktop Services always disconnects a If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. -Note: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. +> [!NOTE] +> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. @@ -3677,13 +4392,13 @@ Note: This policy setting only applies to time-out limits that are explicitly se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_Session_End_On_Limit | +| Name | TS_Session_End_On_Limit_2 | | Friendly Name | End session when time limits are reached | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3698,6 +4413,72 @@ Note: This policy setting only applies to time-out limits that are explicitly se + +## TS_SESSIONS_Disconnected_Timeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +``` + + + + +This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. + +When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Disconnected_Timeout_1 | +| Friendly Name | Set time limit for disconnected sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_SESSIONS_Disconnected_Timeout_2 @@ -3723,10 +4504,10 @@ When a session is in a disconnected state, running programs are kept active even If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. - If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -3744,13 +4525,13 @@ Note: This policy setting appears in both Computer Configuration and User Config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_SESSIONS_Disconnected_Timeout | +| Name | TS_SESSIONS_Disconnected_Timeout_2 | | Friendly Name | Set time limit for disconnected sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3764,6 +4545,70 @@ Note: This policy setting appears in both Computer Configuration and User Config + +## TS_SESSIONS_Idle_Limit_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +``` + + + + +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Idle_Limit_1 | +| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_SESSIONS_Idle_Limit_2 @@ -3789,7 +4634,8 @@ If you disable or do not configure this policy setting, the time limit is not sp If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -3807,13 +4653,13 @@ Note: This policy setting appears in both Computer Configuration and User Config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_SESSIONS_Idle_Limit | +| Name | TS_SESSIONS_Idle_Limit_2 | | Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3827,6 +4673,70 @@ Note: This policy setting appears in both Computer Configuration and User Config + +## TS_SESSIONS_Limits_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_1 +``` + + + + +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_SESSIONS_Limits_1 | +| Friendly Name | Set time limit for active Remote Desktop Services sessions | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_SESSIONS_Limits_2 @@ -3852,7 +4762,8 @@ If you disable or do not configure this policy setting, this policy setting is n If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -3870,13 +4781,13 @@ Note: This policy setting appears in both Computer Configuration and User Config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_SESSIONS_Limits | +| Name | TS_SESSIONS_Limits_2 | | Friendly Name | Set time limit for active Remote Desktop Services sessions | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | @@ -3931,7 +4842,7 @@ If you do not configure this policy setting, this policy setting is not specifie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3975,7 +4886,8 @@ If you enable this policy setting, Remote Desktop Services users cannot use a sm If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. -Note: The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. +> [!NOTE] +> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. @@ -3993,7 +4905,7 @@ Note: The client computer must be running at least Microsoft Windows 2000 Server > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4014,6 +4926,75 @@ Note: The client computer must be running at least Microsoft Windows 2000 Server + +## TS_START_PROGRAM_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_1 +``` + + + + +Configures Remote Desktop Services to run a specified program automatically upon connection. + +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. + +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. + +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. + +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +> [!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TS_START_PROGRAM_1 | +| Friendly Name | Start a program on connection | +| Location | User Configuration | +| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | +| Registry Value Name | fInheritInitialProgram | +| ADMX File Name | TerminalServer.admx | + + + + + + + + ## TS_START_PROGRAM_2 @@ -4043,7 +5024,8 @@ If the status is set to Enabled, Remote Desktop Services sessions automatically If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) -Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. +> [!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. @@ -4061,13 +5043,13 @@ Note: This setting appears in both Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_START_PROGRAM | +| Name | TS_START_PROGRAM_2 | | Friendly Name | Start a program on connection | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | @@ -4108,7 +5090,8 @@ If you disable this policy setting, temporary folders are deleted when a user lo If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. -Note: This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. +> [!NOTE] +> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. @@ -4126,7 +5109,7 @@ Note: This setting only takes effect if per-session temporary folders are in use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4190,7 +5173,7 @@ If you do not configure this policy setting, per-session temporary folders are c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4234,7 +5217,8 @@ If you enable this policy setting, clients that are capable of time zone redirec If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. -Note: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. +> [!NOTE] +> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. @@ -4252,7 +5236,7 @@ Note: Time zone redirection is possible only when connecting to at least a Micro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4298,7 +5282,8 @@ If you enable this policy setting the default security descriptors for existing If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. -Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group. +> [!NOTE] +> The preferred method of managing user access is by adding a user to the Remote Desktop Users group. @@ -4316,7 +5301,7 @@ Note: The preferred method of managing user access is by adding a user to the Re > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4360,7 +5345,8 @@ If you enable this policy setting, the desktop is always displayed when a client If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. -Note: If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. +> [!NOTE] +> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. @@ -4378,7 +5364,7 @@ Note: If this policy setting is enabled, then the "Start a program on connection > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4442,7 +5428,7 @@ If you disable this policy setting, UI Automation clients running on your local > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4504,7 +5490,7 @@ For this change to take effect, you must restart Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4551,7 +5537,8 @@ If you disable this policy setting, Network Level Authentication is not required If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. -Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. +> [!IMPORTANT] +> Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. @@ -4569,7 +5556,7 @@ Important: Disabling this policy setting provides less security because user aut > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4613,7 +5600,8 @@ To use this setting, select the location for the home directory (network or loca If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. -Note: The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. +> [!NOTE] +> The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. If the status is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. @@ -4635,7 +5623,7 @@ If the status is set to Disabled or Not Configured, the user's home directory is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4678,7 +5666,7 @@ If you enable this policy setting, Remote Desktop Services uses the path specifi If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. -Note: +**Note**: For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. @@ -4698,7 +5686,7 @@ For this policy setting to take effect, you must also enable and configure the " > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4746,7 +5734,8 @@ To configure this policy setting, type the path to the network share in the form If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. -Notes: +**Note**: + 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. 2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. @@ -4766,7 +5755,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4786,955 +5775,6 @@ Notes: - -## TS_CLIENT_ALLOW_SIGNED_FILES_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -``` - - - - -This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). - -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - -Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_ALLOW_SIGNED_FILES | -| Friendly Name | Allow .rdp files from valid publishers and user's default .rdp settings | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | AllowSignedFiles | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_CLIENT_ALLOW_UNSIGNED_FILES_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -``` - - - - -This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. - -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_ALLOW_UNSIGNED_FILES | -| Friendly Name | Allow .rdp files from unknown publishers | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | AllowUnsignedFiles | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_CLIENT_DISABLE_PASSWORD_SAVING_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -``` - - - - -Controls whether a user can save passwords using Remote Desktop Connection. - -If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. - -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING | -| Friendly Name | Do not allow passwords to be saved | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | DisablePasswordSaving | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -``` - - - - -This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. - -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. - -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. - -Note: - -You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. - -This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. - -If the list contains a string that is not a certificate thumbprint, it is ignored. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS | -| Friendly Name | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_EASY_PRINT_User - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_EASY_PRINT_User -``` - - - - -This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. - -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. - -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. - -Note: If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_EASY_PRINT | -| Friendly Name | Use Remote Desktop Easy Print printer driver first | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | UseUniversalPrinterDriverFirst | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_GATEWAY_POLICY_AUTH_METHOD - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -``` - - - - -Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_GATEWAY_POLICY_AUTH_METHOD | -| Friendly Name | Set RD Gateway authentication method | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RD Gateway | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_GATEWAY_POLICY_ENABLE - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -``` - - - - -If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. - -You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_GATEWAY_POLICY_ENABLE | -| Friendly Name | Enable connection through RD Gateway | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RD Gateway | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | UseProxy | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_GATEWAY_POLICY_SERVER - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -``` - - - - -Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. - -Note: If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_GATEWAY_POLICY_SERVER | -| Friendly Name | Set RD Gateway server address | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RD Gateway | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_RADC_DefaultConnection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RADC_DefaultConnection -``` - - - - -This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. - -The default connection URL must be configured in the form of . - -If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. - -If you disable or do not configure this policy setting, the user has no default connection URL. - -Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_RADC_DefaultDesktop | -| Friendly Name | Specify default connection URL | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Workspaces | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_RemoteControl_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_RemoteControl_1 -``` - - - - -If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: - -1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. -2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. -3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. -4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. -5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_RemoteControl | -| Friendly Name | Set rules for remote control of Remote Desktop Services user sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_Session_End_On_Limit_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_Session_End_On_Limit_1 -``` - - - - -This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. - -You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. - -Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. - -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. - -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. - -If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. - -Note: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_Session_End_On_Limit | -| Friendly Name | End session when time limits are reached | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | fResetBroken | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_SESSIONS_Disconnected_Timeout_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -``` - - - - -This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. - -You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. - -When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. - -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. - - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. - -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_SESSIONS_Disconnected_Timeout | -| Friendly Name | Set time limit for disconnected sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_SESSIONS_Idle_Limit_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 -``` - - - - -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. - -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_SESSIONS_Idle_Limit | -| Friendly Name | Set time limit for active but idle Remote Desktop Services sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_SESSIONS_Limits_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_SESSIONS_Limits_1 -``` - - - - -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_SESSIONS_Limits | -| Friendly Name | Set time limit for active Remote Desktop Services sessions | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| ADMX File Name | TerminalServer.admx | - - - - - - - - - -## TS_START_PROGRAM_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_TerminalServer/TS_START_PROGRAM_1 -``` - - - - -Configures Remote Desktop Services to run a specified program automatically upon connection. - -You can use this setting to specify a program to run automatically when a user logs on to a remote computer. - -By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. - -To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. - -If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. - -If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) - -Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TS_START_PROGRAM | -| Friendly Name | Start a program on connection | -| Location | User Configuration | -| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services | -| Registry Value Name | fInheritInitialProgram | -| ADMX File Name | TerminalServer.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 9b8a21444a..76aa3acf58 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_UserProfiles Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_UserProfiles > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,9 +42,10 @@ ms.topic: reference -This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. +This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days -**Note**: One day is interpreted as 24 hours after a specific user profile was accessed. +> [!NOTE] +> One day is interpreted as 24 hours after a specific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. @@ -68,7 +67,7 @@ If you disable or do not configure this policy setting, User Profile Service wil > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -107,7 +106,8 @@ If you disable or do not configure this policy setting, User Profile Service wil This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. -Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. +> [!NOTE] +> This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. @@ -129,7 +129,7 @@ If you disable or do not configure this policy setting, Windows will always unlo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -175,7 +175,8 @@ If you enable this policy setting, Windows will not delete Windows Installer or If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. -Note: If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. +> [!NOTE] +> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. @@ -193,7 +194,7 @@ Note: If this policy setting is enabled for a machine, local administrator actio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -214,6 +215,75 @@ Note: If this policy setting is enabled for a machine, local administrator actio + +## LimitSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize +``` + + + + +This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. + +If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. + +If you enable this policy setting, you can: + +- Set a maximum permitted user profile size. +- Determine whether the registry files are included in the calculation of the profile size. +- Determine whether users are notified when the profile exceeds the permitted maximum size. +- Specify a customized message notifying users of the oversized profile. +- Determine how often the customized message is displayed. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LimitSize | +| Friendly Name | Limit profile size | +| Location | User Configuration | +| Path | System > User Profiles | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | EnableProfileQuota | +| ADMX File Name | UserProfiles.admx | + + + + + + + + ## ProfileErrorAction @@ -257,7 +327,7 @@ Also, see the "Delete cached copies of roaming profiles" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -303,9 +373,10 @@ This policy setting and related policy settings in this folder together define t If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections. +If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections -**Important**: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. +> [!IMPORTANT] +> If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. @@ -323,7 +394,7 @@ If you disable or do not configure this policy setting, Windows considers the ne > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -364,15 +435,16 @@ This policy setting allows you to specify the location and root (file share or l If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. -To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. +To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box. Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. -Note: The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. +> [!NOTE] +> The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. -If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. +If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect. @@ -390,7 +462,7 @@ If the "Set Remote Desktop Services User Home Directory" policy setting is enabl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -453,13 +525,13 @@ If you do not configure or disable this policy the user will have full control o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | UserInfoAccessAction_Name | +| Name | UserInfoAccessAction | | Friendly Name | User management of sharing user name, account picture, and domain information with apps (not desktop apps) | | Location | Computer Configuration | | Path | System > User Profiles | @@ -474,74 +546,6 @@ If you do not configure or disable this policy the user will have full control o - -## LimitSize - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_UserProfiles/LimitSize -``` - - - - -This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. - -If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. - -If you enable this policy setting, you can: - --- Set a maximum permitted user profile size. --- Determine whether the registry files are included in the calculation of the profile size. --- Determine whether users are notified when the profile exceeds the permitted maximum size. --- Specify a customized message notifying users of the oversized profile. --- Determine how often the customized message is displayed. - -Note: In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LimitSize | -| Friendly Name | Limit profile size | -| Location | User Configuration | -| Path | System > User Profiles | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | EnableProfileQuota | -| ADMX File Name | UserProfiles.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1f070e5704..804f8c66c6 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -4,7 +4,7 @@ description: Learn more about the ApplicationManagement Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -674,6 +674,8 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window This policy allows the IT admin to specify a list of applications that users can run after logging on to the device. +> [!NOTE] +> This policy only works on modern apps. @@ -688,18 +690,15 @@ This policy allows the IT admin to specify a list of applications that users can -For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. -Example of the declaration here: +For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. **Example**: + ```xml ``` - -> [!NOTE] -> This policy only works on modern apps. @@ -802,9 +801,10 @@ If you enable this policy setting, privileges are extended to all programs. Thes If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. -Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. +**Note**: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. -Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. +> [!CAUTION] +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. **Note** that the User Configuration version of this policy setting is not guaranteed to be secure. @@ -1091,7 +1091,7 @@ To ensure apps are up-to-date, this policy allows the admins to set a recurring -https://github.com/vinaypamnani-msft/windows-docs-pr +**Allowed values**:
    @@ -1136,15 +1136,7 @@ https://github.com/vinaypamnani-msft/windows-docs-pr -> [!NOTE] -> The check for recurrence is done in a case sensitive manner. For instance the value needs to be “Daily” instead of “daily”. The wrong case will cause SmartRetry to fail to execute. - - - - -**Examples**: - -Sample SyncML: +**Example**: ```xml @@ -1171,6 +1163,9 @@ Sample SyncML: ``` + +> [!NOTE] +> The check for recurrence is done in a case sensitive manner. For instance the value needs to be "Daily" instead of "daily". The wrong case will cause SmartRetry to fail to execute. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 512ee46ca4..422008fc22 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -4,7 +4,7 @@ description: Learn more about the AppRuntime Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/12/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - AppRuntime > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, users will need to sign > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 18b0deb48c..f8268a6402 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -18,6 +18,8 @@ ms.topic: reference +> [!NOTE] +> To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md). @@ -42,6 +44,12 @@ This policy specifies the BitLocker Drive Encryption method and cipher strength. +The following list shows the supported values: + +- 3 - AES-CBC 128-bit +- 4 - AES-CBC 256-bit +- 6 - XTS-AES 128-bit +- 7 - XTS-AES 256-bit diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index d7d50fe51a..d69ea99b66 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -4,7 +4,7 @@ description: Learn more about the BITS Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,7 @@ ms.topic: reference -This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. **Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -94,7 +94,7 @@ This policy specifies the bandwidth throttling end time that Background Intellig -This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. **Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -342,7 +342,7 @@ This policy setting defines the default behavior that the foreground Intelligent This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. -**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. +**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index d522163ea8..81ae975132 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -18,6 +18,8 @@ ms.topic: reference +> [!NOTE] +> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm). @@ -43,7 +45,7 @@ ms.topic: reference This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. -Note: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. +**Note**: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. @@ -165,10 +167,10 @@ If you don't configure this setting, employees can choose whether to use Autofil **Verify**: To verify AllowAutofill is set to 0 (not allowed): -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. -4. Verify the setting **Save form entries** is grayed out. +1. Open Microsoft Edge. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the dropdown list, and select **View Advanced Settings**. +4. Verify the setting **Save form entries** is grayed out. @@ -1323,7 +1325,7 @@ If disabled, the browsing history stops saving and is not visible in the History This policy setting lets you decide whether users can change their search engine. If you disable this setting, users can't add new search engines or change the default used in the address bar. -Important +**Important**: This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. @@ -2118,7 +2120,7 @@ The Home button loads either the default Start page, the New tab page, or a URL -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. +Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. @@ -2586,7 +2588,7 @@ This setting lets you configure whether your company uses Enterprise Mode and th -Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. +**Important**: . Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. @@ -2673,7 +2675,7 @@ Configure first run URL. -When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages +When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages @@ -2734,7 +2736,7 @@ This policy setting lets you decide whether employees can add, import, sort, or If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. -Important +**Important**: Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. @@ -3230,7 +3232,7 @@ If you disable or don't configure this setting, employees can ignore Windows Def -You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( +You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8. wekyb3. d8. bbwe;Microsoft.OfficeOnline_8. wekyb3. d8. bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index c13152ace1..0b979ddd9f 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/04/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Connectivity > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -194,13 +192,12 @@ If this policy setting is not configured or is disabled, clients are allowed to **Validate**: -To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. -To validate on devices, perform the following steps: +To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate on a device, perform the following steps: -1. Go to Cellular & SIM. -2. Click on the SIM (next to the signal strength icon) and select **Properties**. -3. On the Properties page, select **Data roaming options**. +1. Go to Cellular & SIM. +2. Click on the SIM (next to the signal strength icon) and select **Properties**. +3. On the Properties page, select **Data roaming options**. @@ -222,7 +219,7 @@ To validate on devices, perform the following steps: -Note This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. +**Note**: This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. @@ -373,7 +370,6 @@ If you do not configure this policy setting, the default behavior depends on the **Validate**: - If the Connectivity/AllowPhonePCLinking policy is configured to value 0, add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number. Device that has previously opt-in to MMX will also stop showing on the device list. @@ -398,7 +394,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li -NoteCurrently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. +**Note**: Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. @@ -549,7 +545,7 @@ This policy setting specifies whether to allow printing over HTTP from this clie Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. -Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +**Note**: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. @@ -573,13 +569,13 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableHTTPPrinting | +| Name | DisableHTTPPrinting_2 | | Friendly Name | Turn off printing over HTTP | | Location | Computer Configuration | | Path | InternetManagement > Internet Communication settings | @@ -615,7 +611,7 @@ This policy setting specifies whether to allow this client to download print dri To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. -Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. +**Note**: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. If you enable this policy setting, print drivers cannot be downloaded over HTTP. @@ -637,13 +633,13 @@ If you disable or do not configure this policy setting, users can download print > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableWebPnPDownload | +| Name | DisableWebPnPDownload_2 | | Friendly Name | Turn off downloading of print drivers over HTTP | | Location | Computer Configuration | | Path | InternetManagement > Internet Communication settings | @@ -701,13 +697,13 @@ See the documentation for the web publishing and online ordering wizards for mor > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellPreventWPWDownload | +| Name | ShellPreventWPWDownload_2 | | Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | | Location | Computer Configuration | | Path | InternetManagement > Internet Communication settings | @@ -828,7 +824,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -867,7 +863,7 @@ If you enable this policy, Windows only allows access to the specified UNC paths Determines whether a user can install and configure the Network Bridge. -Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. +**Important**: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. @@ -889,7 +885,7 @@ If you disable this setting or do not configure it, the user will be able to cre > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 8407ea5f13..a6e7b49ac7 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -4,7 +4,7 @@ description: Learn more about the DataProtection Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,7 @@ ms.topic: reference -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker Device Encryption is enabled. Most restricted value is 0. +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0. diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 66ecdcc47e..9443821da7 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -59,6 +59,8 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti +> [!NOTE] +> This policy is deprecated. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 82f614f2ec..bf672dd0df 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/05/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DeliveryOptimization > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -102,10 +100,8 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the - -Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. - -This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. @@ -239,6 +235,8 @@ If this policy is not configured, the client will attempt to automatically find +> [!NOTE] +> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#docachehost) policy value if that value has been set. @@ -293,7 +291,7 @@ This policy allows you to delay the use of an HTTP source in a background downlo After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. -Note that a download that is waiting for peer sources, will appear to be stuck for the end user. +**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 hour (3600). @@ -349,10 +347,10 @@ The recommended value is 1 hour (3600). - -Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds. + +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. -Note: if you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). +**Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. @@ -406,10 +404,10 @@ Note: if you set the policy to delay background download from http, it will appl - -Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds. + +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. -Note: if you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). +**Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. @@ -468,7 +466,7 @@ This policy allows you to delay the use of an HTTP source in a foreground (inter After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that could not be downloaded from Peers. -Note that a download that is waiting for peer sources, will appear to be stuck for the end user. +**Note** that a download that is waiting for peer sources, will appear to be stuck for the end user. The recommended value is 1 minute (60). @@ -583,22 +581,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec - -Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. - -The following list shows the supported values: - -0 = HTTP only, no peering. - -1 = HTTP blended with peering behind the same NAT. - -2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - -3 = HTTP blended with Internet Peering. - -99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - -100 = Bypass mode. Windows 10: Do not use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. + +Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1. @@ -669,7 +653,7 @@ Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. -Note: this is a best effort optimization and should not be relied on for an authentication of identity. +**Note** this is a best effort optimization and should not be relied on for an authentication of identity. @@ -721,30 +705,14 @@ Note: this is a best effort optimization and should not be relied on for an auth - -Set this policy to restrict peer selection to a specific source. - -Options available are: - -1 = AD Site. - -2 = Authenticated domain SID. - -3 = DHCP Option ID. - -4 = DNS Suffix. - -5 = AAD Tenant ID. - -When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. - -The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. - -For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. + +Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5. +> [!NOTE] +> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. @@ -863,10 +831,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts - -Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. - -The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. + +Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days). @@ -920,8 +886,8 @@ The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files - -Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size (1-100). + +Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20. @@ -1032,10 +998,8 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts - -Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloBytes/second. - -This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from HTTP source to achieve the specified minimum QoS value. + +Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s). @@ -1207,10 +1171,8 @@ Note: If the DOModifyCacheDrive policy is set, the disk size check will apply to - -Specifies the minimum content file size in MB enabled to use Peer Caching. - -Recommended values: 1 MB to 100000 MB. + +Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB. @@ -1264,12 +1226,8 @@ Recommended values: 1 MB to 100000 MB. - -Specifies the minimum RAM size in GB required to use Peer Caching. - -For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. - -Recommended values: 1 GB to 4 GB. + +Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB. @@ -1378,10 +1336,8 @@ By default, %SystemDrive% is used to store the cache. The drive location can be - -Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. - -The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. + +Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit is applied if 0 is set. The default value is 5120 (5 TB). @@ -1566,6 +1522,9 @@ These options apply to both Download Mode LAN (1) and Group (2). +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). + +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. The default value in Windows 11 is set to 'Local Peer Discovery'. The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. @@ -1643,7 +1602,7 @@ Specifies the maximum background download bandwidth that Delivery Optimization u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1703,7 +1662,7 @@ This policy allows an IT Admin to define the following details: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index bb9af56415..c8b7f8f8f7 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md @@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DesktopAppInstaller > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy controls additional sources provided by the enterprise IT administrator. -If you do not configure this policy, no additional sources will be configured for the Windows Package Manager. +If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/). -If you enable this policy, the additional sources will be added to the Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using 'winget source export'. +If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. -If you disable this policy, no additional sources can be configured for the Windows Package Manager. +If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). @@ -68,7 +66,7 @@ If you disable this policy, no additional sources can be configured for the Wind > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,9 +108,9 @@ This policy controls additional sources allowed by the enterprise IT administrat If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. -If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using 'winget source export'. +If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. -If you disable this policy, no additional sources can be configured for the Windows Package Manager. +If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). @@ -130,7 +128,7 @@ If you disable this policy, no additional sources can be configured for the Wind > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -168,11 +166,11 @@ If you disable this policy, no additional sources can be configured for the Wind -This policy controls whether the Windows Package Manager can be used by users. +This policy controls whether the [Windows Package Manager](/windows/package-manager/) can be used by users. -If you enable or do not configure this setting, users will be able to use the Windows Package Manager. +If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to use the Windows Package Manager. +If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/). @@ -191,7 +189,7 @@ Users will still be able to execute the *winget* command. The default help will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -229,13 +227,13 @@ Users will still be able to execute the *winget* command. The default help will -This policy controls the default source included with the Windows Package Manager. +This policy controls the default source included with the [Windows Package Manager](/windows/package-manager/). -If you do not configure this setting, the default source for the Windows Package Manager will be available and can be removed. +If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed. -If you enable this setting, the default source for the Windows Package Manager will be available and cannot be removed. +If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. -If you disable this setting the default source for the Windows Package Manager will not be available. +If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available. @@ -253,7 +251,7 @@ If you disable this setting the default source for the Windows Package Manager w > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -291,11 +289,11 @@ If you disable this setting the default source for the Windows Package Manager w -This policy controls whether users can enable experimental features in the Windows Package Manager. +This policy controls whether users can enable experimental features in the [Windows Package Manager](/windows/package-manager/). -If you enable or do not configure this setting, users will be able to enable experimental features for the Windows Package Manager. +If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to enable experimental features for the Windows Package Manager. +If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). @@ -314,7 +312,7 @@ Experimental features are used during Windows Package Manager development cycle > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -352,11 +350,11 @@ Experimental features are used during Windows Package Manager development cycle -This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings. +This policy controls whether or not the [Windows Package Manager](/windows/package-manager/) can be configured to enable the ability override the SHA256 security validation in settings. -If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. +If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. -If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings. +If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. @@ -374,7 +372,7 @@ If you disable this policy, users will not be able to enable the ability overrid > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -414,9 +412,9 @@ If you disable this policy, users will not be able to enable the ability overrid This policy controls whether users can install packages with local manifest files. -If you enable or do not configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. +If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to install packages with local manifests using the Windows Package Manager. +If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). @@ -434,7 +432,7 @@ If you disable this setting, users will not be able to install packages with loc > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -472,13 +470,13 @@ If you disable this setting, users will not be able to install packages with loc -This policy controls the Microsoft Store source included with the Windows Package Manager. +This policy controls the Microsoft Store source included with the [Windows Package Manager](/windows/package-manager/). If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. -If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and cannot be removed. +If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. -If you disable this setting the Microsoft Store source for the Windows Package Manager will not be available. +If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available. @@ -496,7 +494,7 @@ If you disable this setting the Microsoft Store source for the Windows Package M > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -556,7 +554,7 @@ If you disable this setting, users will not be able to install packages from web > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -596,9 +594,9 @@ If you disable this setting, users will not be able to install packages from web This policy controls whether users can change their settings. -If you enable or do not configure this setting, users will be able to change settings for the Windows Package Manager. +If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to change settings for the Windows Package Manager. +If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/). @@ -617,7 +615,7 @@ The settings are stored inside of a .json file on the user’s system. It may be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -657,13 +655,14 @@ The settings are stored inside of a .json file on the user’s system. It may be This policy controls the auto update interval for package-based sources. -If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the Windows Package Manager. +If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/). -If you enable this setting, the number of minutes specified will be used by the Windows Package Manager. +If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/). +The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. @@ -677,7 +676,7 @@ If you enable this setting, the number of minutes specified will be used by the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ea11b5d336..7eb40161d8 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/05/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DeviceInstallation > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -76,7 +74,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -176,7 +174,7 @@ Peripherals can be specified by their [device instance ID](/windows-hardware/dri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -215,7 +213,11 @@ To enable this policy, use the following SyncML. ``` + +**Verify**: + To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: + ``` txt >>> [Device Installation Restrictions Policy Check] >>> Section start 2018/11/15 12:26:41.659 @@ -276,7 +278,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -303,7 +305,6 @@ To enable this policy, use the following SyncML. This example allows Windows to Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. - ```xml @@ -322,11 +323,11 @@ Enclose the class GUID within curly brackets {}. To configure multiple classes, ``` + **Verify**: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: - ```txt >>> [Device Installation Restrictions Policy Check] >>> Section start 2018/11/15 12:26:41.659 @@ -359,18 +360,22 @@ This policy setting will change the evaluation order in which Allow and Prevent Device instance IDs > Device IDs > Device setup class > Removable devices Device instance IDs + 1. Prevent installation of devices using drivers that match these device instance IDs 2. Allow installation of devices using drivers that match these device instance IDs Device IDs + 3. Prevent installation of devices using drivers that match these device IDs 4. Allow installation of devices using drivers that match these device IDs Device setup class + 5. Prevent installation of devices using drivers that match these device setup classes 6. Allow installation of devices using drivers that match these device setup classes Removable devices + 7. Prevent installation of removable devices NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. @@ -393,7 +398,7 @@ If you disable or do not configure this policy setting, the default evaluation i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -430,6 +435,7 @@ If you disable or do not configure this policy setting, the default evaluation i ``` + **Verify**: To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: @@ -444,8 +450,6 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and You can also change the evaluation order of device installation policy settings by using a custom profile in Intune. :::image type="content" source="images/edit-row.png" alt-text="This image is an edit row image."::: - - @@ -489,7 +493,7 @@ If you disable or do not configure this policy setting, the setting in the Devic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -551,7 +555,7 @@ If you disable or do not configure this policy setting, Windows is allowed to in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -651,7 +655,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -670,8 +674,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv **Example**: -To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use &#xF000; as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. - +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. ```xml @@ -752,7 +755,7 @@ Peripherals can be specified by their [device instance ID](/windows-hardware/dri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -792,7 +795,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f ``` -**Verify** +**Verify**: To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following details are listed near the end of the log: @@ -812,15 +815,12 @@ For example, this custom profile prevents installation of devices with matching To prevent installation of devices with matching device instance IDs by using custom profile in Intune: 1. Locate the device instance ID. -2. Replace `&` in the device instance IDs with `&`. -For example: -Replace -```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` -with -```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` - > [!Note] - > don't use spaces in the value. -3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. +1. Replace `&` in the device instance IDs with `&`. For example: Replace `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0` with `USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0`. + + > [!NOTE] + > Don't use spaces in the value. + +1. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. @@ -868,7 +868,7 @@ Peripherals can be specified by their [hardware identity](/windows-hardware/driv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index bc7b915aea..a4d1b7fa2a 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,15 +17,13 @@ ms.topic: reference # Policy CSP - DeviceLock > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -[!Important] +> [!IMPORTANT] > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). @@ -156,10 +154,10 @@ Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the de +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + > [!NOTE] > This policy must be wrapped in an Atomic command. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -211,16 +209,11 @@ Determines the type of PIN or password required. This policy only applies if the > [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). - - +> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. +> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. > [!NOTE] -> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. -> -> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). @@ -246,48 +239,6 @@ Determines the type of PIN or password required. This policy only applies if the -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - - - -Max policy value is the most restricted. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for client devices. - - - -The following example shows how to set the minimum password length to 4 characters. - -```xml - - - - $CmdID$ - - - ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength - - - int - - 4 - - - - - -``` @@ -309,7 +260,8 @@ The following example shows how to set the minimum password length to 4 characte -Store passwords using reversible encryption This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). +Store passwords using reversible encryption +This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). @@ -365,43 +317,38 @@ Specifies whether device lock is enabled. > [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. > [!IMPORTANT] > The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: > -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters -  - -> [!IMPORTANT] +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +> > If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: > -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 > > If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: > -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters - -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters +> +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for backward compatibility with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1), it should be the only policy set from the DeviceLock group of policies listed below: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock @@ -452,6 +399,10 @@ Specifies when the password expires (in days). +If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. + +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). + > [!NOTE] > This policy must be wrapped in an Atomic command. @@ -470,20 +421,6 @@ Specifies when the password expires (in days). -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -If all policy values = 0, then 0; otherwise, Min policy value is the most secure value. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords don't expire. @@ -510,21 +447,14 @@ Specifies how many passwords can be stored in the history that can’t be used. -> [!NOTE] -> This policy must be wrapped in an Atomic command. - The value includes the user's current password. This value denotes that with a setting of 1, the user can't reuse their current password when choosing a new password, while a setting of 5 means that a user can't set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). - - -The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) +> [!NOTE] +> This policy must be wrapped in an Atomic command. @@ -641,15 +571,11 @@ Specifies the default lock screen and logon image shown when no user is signed i The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. -**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see Exchange ActiveSync Policy Engine Overview. +**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. @@ -687,9 +613,7 @@ The following list shows the supported values: -This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. - -**Note**: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. +This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. @@ -744,6 +668,12 @@ The number of authentication failures allowed before the device will be wiped. A +Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. + +On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. @@ -827,45 +757,32 @@ The number of complex element types (uppercase and lowercase letters, numbers, a -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - -PIN enforces the following behavior for client devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. - -The default value is 1. The following list shows the supported values and actual enforced values: - -|Account Type|Supported Values|Actual Enforced Values| -|--- |--- |--- | -|Local Accounts|1,2,3|3| -|Microsoft Accounts|1,2|<p2| -|Domain Accounts|Not supported|Not supported| +The following list shows the supported values and actual enforced values: +| Account Type | Supported Values | Actual Enforced Values | +|--------------------|------------------|------------------------| +| Local Accounts | 1,2,3 | 3 | +| Microsoft Accounts | 1,2 | <p2 | +| Domain Accounts | Not supported | Not supported | Enforced values for Local and Microsoft Accounts: -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. -- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. +- Passwords for local accounts must meet the following minimum requirements: + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). +> [!NOTE] +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -918,7 +835,12 @@ Specifies the minimum number or characters required in the PIN or password. +Max policy value is the most restricted. +For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. Always use the Replace command instead of Add for this policy in Windows for desktop editions. @@ -935,27 +857,6 @@ Specifies the minimum number or characters required in the PIN or password. -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows for desktop editions. - - - -Max policy value is the most restricted. - -For more information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - -The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for client devices. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for client devices. - - - **Example**: The following example shows how to set the minimum password length to 4 characters. @@ -1050,11 +951,23 @@ This security setting determines the period of time (in days) that a password mu -Password must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. +Password must meet complexity requirements +This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. +Password must meet complexity requirements. This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: + +- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters +- Be at least six characters in length +- Contain characters from three of the following four categories: + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Non-alphabetic characters (for example, !, $, #, %) + +Complexity requirements are enforced when passwords are changed or created. @@ -1100,9 +1013,8 @@ Password must meet complexity requirements This security setting determines whet -Minimum password length This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. - -**Note**: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +Minimum password length +This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. Note: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. @@ -1174,7 +1086,7 @@ If you enable this setting, users will no longer be able to enable or disable lo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1234,7 +1146,7 @@ If you enable this setting, users will no longer be able to modify slide show se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 56f1f619a0..44c3dc7d33 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -4,7 +4,7 @@ description: Learn more about the EventLogService Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - EventLogService > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,7 +48,7 @@ If you enable this policy setting and a log file reaches its maximum size, new e If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +**Note**: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -68,13 +66,13 @@ Note: Old events may or may not be retained according to the "Backup log automat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_Retention | +| Name | Channel_Log_Retention_1 | | Friendly Name | Control Event Log behavior when the log file reaches its maximum size | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -128,13 +126,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_1 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -187,13 +185,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_2 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -246,13 +244,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_4 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 56af7d7e93..beec4bf3cb 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -84,11 +84,11 @@ Policy change takes effect immediately. **Validate**: -1. Configure Experiences/AllowClipboardHistory to 0. +1. Configure Experience/AllowClipboardHistory to 0. 1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. 1. Press Win+V to open the clipboard history UI. 1. You shouldn't see any clipboard item including current item you copied. -1. The setting under Settings App->System->Clipboard should be grayed out with policy warning. +1. The setting under Settings App -> System -> Clipboard should be grayed out with policy warning. @@ -282,7 +282,7 @@ This policy turns on Find My Device. When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. On devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. -When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work.The user will also not be able to view the location of the last use of their active digitizer on their device. +When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. The user will also not be able to view the location of the last use of their active digitizer on their device. @@ -546,7 +546,7 @@ This policy is deprecated. -Allow SIM error diaglog prompts when no SIM is inserted. +Allow SIM error dialog prompts when no SIM is inserted. @@ -578,6 +578,65 @@ Allow SIM error diaglog prompts when no SIM is inserted. + +## AllowSpotlightCollection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection +``` + + + + +Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. If you disable this policy setting, Spotlight collection will not show as an option in Personalization Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. + + + + +The following list shows the supported values: + +- When set to 0, Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop. +- When set to 1 (default), Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1]` | +| Default Value | 1 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSpotlightCollectionOnDesktop | +| Friendly Name | Turn off Spotlight collection on Desktop | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSpotlightCollectionOnDesktop | +| ADMX File Name | CloudContent.admx | + + + + + + + + ## AllowSyncMySettings @@ -595,7 +654,7 @@ Allow SIM error diaglog prompts when no SIM is inserted. -Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see About sync setting on Windows 10 devices. +Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -627,6 +686,72 @@ Allows or disallows all Windows sync settings on the device. For information abo + +## AllowTailoredExperiencesWithDiagnosticData + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowTailoredExperiencesWithDiagnosticData +``` + + + + +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. + +**Note**: This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowTailoredExperiencesWithDiagnosticData_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableTailoredExperiencesWithDiagnosticData | +| Friendly Name | Do not use diagnostic data for tailored experiences | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableTailoredExperiencesWithDiagnosticData | +| ADMX File Name | CloudContent.admx | + + + + + + + + ## AllowTaskSwitcher @@ -679,6 +804,70 @@ This policy is deprecated. + +## AllowThirdPartySuggestionsInWindowsSpotlight + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowThirdPartySuggestionsInWindowsSpotlight +``` + + + + +Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowThirdPartySuggestionsInWindowsSpotlight_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Third-party suggestions not allowed. | +| 1 (Default) | Third-party suggestions allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableThirdPartySuggestions | +| Friendly Name | Do not suggest third-party content in Windows spotlight | +| Location | User Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableThirdPartySuggestions | +| ADMX File Name | CloudContent.admx | + + + + + + + + ## AllowVoiceRecording @@ -795,766 +984,6 @@ Prior to Windows 10, version 1803, this policy had User scope. This policy allow - -## AllowWindowsTips - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips -``` - - - - -Enables or disables Windows Tips / soft landing. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | -| Dependency [Experience_AllowWindowsTips_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSoftLanding | -| Friendly Name | Do not show Windows tips | -| Location | Computer Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableSoftLanding | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## ConfigureChatIcon - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon -``` - - - - -Configures the Chat icon on the taskbar - - - - -> [!NOTE] -> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Not Configured | -| 1 | Show | -| 2 | Hide | -| 3 | Disabled | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureChatIcon | -| Friendly Name | Configures the Chat icon on the taskbar | -| Element Name | State | -| Location | Computer Configuration | -| Path | Windows Components > Chat | -| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Chat | -| ADMX File Name | Taskbar.admx | - - - - - - - - - -## DisableCloudOptimizedContent - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DisableCloudOptimizedContent -``` - - - - -This policy setting lets you turn off cloud optimized content in all Windows experiences. - -If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. - -If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableCloudOptimizedContent | -| Friendly Name | Turn off cloud optimized content | -| Location | Computer Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableCloudOptimizedContent | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## DisableConsumerAccountStateContent - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DisableConsumerAccountStateContent -``` - - - - -This policy setting lets you turn off cloud consumer account state content in all Windows experiences. - -If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. - -If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableConsumerAccountStateContent | -| Friendly Name | Turn off cloud consumer account state content | -| Location | Computer Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableConsumerAccountStateContent | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## DoNotShowFeedbackNotifications - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications -``` - - - - -This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. - -If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. - -If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. - -Note: If you disable or do not configure this policy setting, users can control how often they receive feedback questions. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. | -| 1 | Feedback notifications are disabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DoNotShowFeedbackNotifications | -| Friendly Name | Do not show feedback notifications | -| Location | Computer Configuration | -| Path | WindowsComponents > Data Collection and Preview Builds | -| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | -| Registry Value Name | DoNotShowFeedbackNotifications | -| ADMX File Name | FeedbackNotifications.admx | - - - - - - - - - -## DoNotSyncBrowserSettings - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings -``` - - - - -Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. - -If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. - -Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. - -If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable by the user. - - - - -Related policy: - [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing) - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 2 | Disable Syncing | -| 0 (Default) | Allow syncing | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableWebBrowserSettingSync | -| Friendly Name | Do not sync browser settings | -| Location | Computer Configuration | -| Path | Windows Components > Sync your settings | -| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | -| Registry Value Name | DisableWebBrowserSettingSync | -| ADMX File Name | SettingSync.admx | - - - - -_**Sync the browser settings automatically**_ - - Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -_**Prevent syncing of browser settings and prevent users from turning it on**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). - -_**Prevent syncing of browser settings and let users turn on syncing**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -_**Turn syncing off by default but don’t disable**_ - - Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. - - - - - -## PreventUsersFromTurningOnBrowserSyncing - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing -``` - - - - -You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - -Related policy: - [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting) - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Allowed/turned on. Users can sync the browser settings. | -| 1 (Default) | Prevented/turned off. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableWebBrowserSettingSync | -| Friendly Name | Do not sync browser settings | -| Element Name | Allow users to turn "browser" syncing on. | -| Location | Computer Configuration | -| Path | Windows Components > Sync your settings | -| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | -| ADMX File Name | SettingSync.admx | - - - - -**Examples**: - -_**Sync the browser settings automatically**_ - - Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -_**Prevent syncing of browser settings and prevent users from turning it on**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). - -_**Prevent syncing of browser settings and let users turn on syncing**_ - -1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). -2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). - -**Validate**: - -1. Select **More > Settings**. -1. See, if the setting is enabled or disabled based on your selection. - - - - - -## ShowLockOnUserTile - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Experience/ShowLockOnUserTile -``` - - - - -Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | The lock option is not displayed in the User Tile menu. | -| 1 (Default) | The lock option is displayed in the User Tile menu. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ShowLockOption | -| Friendly Name | Show lock in the user tile menu | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | ShowLockOption | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## AllowSpotlightCollection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Experience/AllowSpotlightCollection -``` - - - - -Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. If you disable this policy setting, Spotlight collection will not show as an option in Personliazation Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-1]` | -| Default Value | 1 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSpotlightCollectionOnDesktop | -| Friendly Name | Turn off Spotlight collection on Desktop | -| Location | User Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableSpotlightCollectionOnDesktop | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## AllowTailoredExperiencesWithDiagnosticData - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Experience/AllowTailoredExperiencesWithDiagnosticData -``` - - - - -This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. - -**Note**: This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | -| Dependency [Experience_AllowTailoredExperiencesWithDiagnosticData_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Not allowed. | -| 1 (Default) | Allowed. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableTailoredExperiencesWithDiagnosticData | -| Friendly Name | Do not use diagnostic data for tailored experiences | -| Location | User Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableTailoredExperiencesWithDiagnosticData | -| ADMX File Name | CloudContent.admx | - - - - - - - - - -## AllowThirdPartySuggestionsInWindowsSpotlight - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Experience/AllowThirdPartySuggestionsInWindowsSpotlight -``` - - - - -Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | -| Dependency [Experience_AllowThirdPartySuggestionsInWindowsSpotlight_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Third-party suggestions not allowed. | -| 1 (Default) | Third-party suggestions allowed. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableThirdPartySuggestions | -| Friendly Name | Do not suggest third-party content in Windows spotlight | -| Location | User Configuration | -| Path | Windows Components > Cloud Content | -| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | -| Registry Value Name | DisableThirdPartySuggestions | -| ADMX File Name | CloudContent.admx | - - - - - - - - ## AllowWindowsSpotlight @@ -1809,6 +1238,137 @@ This policy setting lets you turn off the Windows spotlight Windows welcome expe + +## AllowWindowsTips + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/AllowWindowsTips +``` + + + + +Enables or disables Windows Tips / soft landing. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | +| Dependency [Experience_AllowWindowsTips_DependencyGroup] | Dependency Type: `DependsOn`
    Dependency URI: `User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight`
    Dependency Allowed Value: `[1]`
    Dependency Allowed Value Type: `Range`
    | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSoftLanding | +| Friendly Name | Do not show Windows tips | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableSoftLanding | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## ConfigureChatIcon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon +``` + + + + +Configures the Chat icon on the taskbar + + + + +> [!NOTE] +> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not Configured | +| 1 | Show | +| 2 | Hide | +| 3 | Disabled | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureChatIcon | +| Friendly Name | Configures the Chat icon on the taskbar | +| Element Name | State | +| Location | Computer Configuration | +| Path | Windows Components > Chat | +| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Chat | +| ADMX File Name | Taskbar.admx | + + + + + + + + ## ConfigureWindowsSpotlightOnLockScreen @@ -1836,7 +1396,8 @@ If you disable this policy setting, Windows spotlight will be turned off and use If you do not configure this policy, Windows spotlight will be available on the lock screen and will be selected by default, unless you have configured another default lock screen image using the "Force a specific default lock screen and logon image" policy. -Note: This policy is only available for Enterprise SKUs +> [!NOTE] +> This policy is only available for Enterprise SKUs @@ -1885,6 +1446,297 @@ Note: This policy is only available for Enterprise SKUs + +## DisableCloudOptimizedContent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableCloudOptimizedContent +``` + + + + +This policy setting lets you turn off cloud optimized content in all Windows experiences. + +If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. + +If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableCloudOptimizedContent | +| Friendly Name | Turn off cloud optimized content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableCloudOptimizedContent | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## DisableConsumerAccountStateContent + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DisableConsumerAccountStateContent +``` + + + + +This policy setting lets you turn off cloud consumer account state content in all Windows experiences. + +If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. + +If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableConsumerAccountStateContent | +| Friendly Name | Turn off cloud consumer account state content | +| Location | Computer Configuration | +| Path | Windows Components > Cloud Content | +| Registry Key Name | Software\Policies\Microsoft\Windows\CloudContent | +| Registry Value Name | DisableConsumerAccountStateContent | +| ADMX File Name | CloudContent.admx | + + + + + + + + + +## DoNotShowFeedbackNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications +``` + + + + +This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. + +If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. + +If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. + +> [!NOTE] +> If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. | +| 1 | Feedback notifications are disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DoNotShowFeedbackNotifications | +| Friendly Name | Do not show feedback notifications | +| Location | Computer Configuration | +| Path | WindowsComponents > Data Collection and Preview Builds | +| Registry Key Name | Software\Policies\Microsoft\Windows\DataCollection | +| Registry Value Name | DoNotShowFeedbackNotifications | +| ADMX File Name | FeedbackNotifications.admx | + + + + + + + + + +## DoNotSyncBrowserSettings + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings +``` + + + + +Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. + +If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. + +Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "browser" group is on by default and configurable by the user. + + + + +Related policy: [PreventUsersFromTurningOnBrowserSyncing](#preventusersfromturningonbrowsersyncing) + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | Disable Syncing | +| 0 (Default) | Allow syncing | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| Registry Value Name | DisableWebBrowserSettingSync | +| ADMX File Name | SettingSync.admx | + + + + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Turn syncing off by default but don’t disable**_ + + Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. + + + + ## EnableOrganizationalMessages @@ -1934,6 +1786,160 @@ Organizational messages allow Administrators to deliver messages to their end us + +## PreventUsersFromTurningOnBrowserSyncing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +``` + + + + +You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. +Related policy: DoNotSyncBrowserSettings +1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + + + + +By default, the "browser" group syncs automatically between the user's devices, letting users make changes. With this policy though, you can prevent the "browser" group from syncing and prevent users from turning on the **Sync your Settings** toggle in Settings. If you want syncing turned off by default but not disabled, select the **Allow syncing** option in the [DoNotSyncBrowserSettings](#donotsyncbrowsersettings). For this policy to work correctly, you must enable the DoNotSyncBrowserSettings policy. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Allowed/turned on. Users can sync the browser settings. | +| 1 (Default) | Prevented/turned off. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebBrowserSettingSync | +| Friendly Name | Do not sync browser settings | +| Element Name | Allow users to turn "browser" syncing on. | +| Location | Computer Configuration | +| Path | Windows Components > Sync your settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync | +| ADMX File Name | SettingSync.admx | + + + + +**Examples**: + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +**Validate**: + +1. Select **More > Settings**. +1. See, if the setting is enabled or disabled based on your selection. + + + + + +## ShowLockOnUserTile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :x: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :x: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Experience/ShowLockOnUserTile +``` + + + + +Shows or hides lock from the user tile menu. +If you enable this policy setting, the lock option will be shown in the User Tile menu. + +If you disable this policy setting, the lock option will never be shown in the User Tile menu. + +If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The lock option is not displayed in the User Tile menu. | +| 1 (Default) | The lock option is displayed in the User Tile menu. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowLockOption | +| Friendly Name | Show lock in the user tile menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowLockOption | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 1b914b6115..1f4ded5adf 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -4,7 +4,7 @@ description: Learn more about the ExploitGuard Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/30/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,29 +36,8 @@ ms.topic: reference - -Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. - -There are some prerequisites before you can enable this setting: -- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in Windows Security. -- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security. -- Place the generated XML file in a shared or local path. - -Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied. - -Enabled -Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following: -- C:\MitigationSettings\Config.XML -- \\Server\Share\Config.xml -- https://localhost:8080/Config.xml - -The settings in the XML file will be applied to the endpoint. - -Disabled -Common settings will not be applied, and the locally configured settings will be used instead. - -Not configured -Same as Disabled. + +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. @@ -90,6 +69,30 @@ Same as Disabled. +**Example**: + +```xml + + + + + $CmdId$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings + + ]]> + + + + + + +``` diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index d1e0e7494f..24fdb6341a 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -42,6 +42,9 @@ The handwriting panel has 2 modes - floats near the text box, or, attached to th +In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. + +The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 14ee641a09..4c142d85e4 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - InternetExplorer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -72,7 +70,7 @@ If you disable or do not configure this policy setting, the user can configure t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -136,7 +134,7 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -206,7 +204,7 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -227,6 +225,68 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u + +## AllowAutoComplete + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete +``` + + + + +This AutoComplete feature can remember and suggest User names and passwords on Forms. + +If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". + +If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. + +If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictFormSuggestPW | +| Friendly Name | Turn on the auto-complete feature for user names and passwords on forms | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | +| Registry Value Name | FormSuggest Passwords | +| ADMX File Name | inetres.admx | + + + + + + + + ## AllowCertificateAddressMismatchWarning @@ -270,7 +330,7 @@ If you disable or do not configure this policy setting, the user can choose whet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -338,7 +398,7 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -404,7 +464,7 @@ If you do not configure this policy, users will be able to turn on or turn off E > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -470,7 +530,7 @@ If you don't configure this policy setting, users can change the Suggestions set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -534,7 +594,7 @@ If you disable or don't configure this policy setting, the menu option won't app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -597,7 +657,7 @@ If you disable or don't configure this policy setting, Internet Explorer opens a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -658,7 +718,7 @@ If you disable this policy, system defaults will be used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -721,7 +781,7 @@ If you disable or do not configure this policy setting, the user can add and rem > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -786,7 +846,7 @@ If you do not configure this policy setting, Internet Explorer uses an Internet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -856,7 +916,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -926,7 +986,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -996,7 +1056,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1066,7 +1126,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1136,7 +1196,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1206,7 +1266,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1276,7 +1336,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1340,7 +1400,7 @@ If you disable or do not configure this policy setting, Internet Explorer does n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1406,7 +1466,7 @@ For more information, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1492,7 +1552,7 @@ If you disable or do not configure this policy, users may choose their own site- > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1588,7 +1648,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1654,7 +1714,7 @@ If you do not configure this policy, users can choose to run or install files wi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1724,7 +1784,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1790,7 +1850,7 @@ If you do not configure this policy setting, the user can turn on and turn off t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1860,7 +1920,7 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1926,7 +1986,7 @@ If you do not configure this policy setting, Internet Explorer will not check se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1992,7 +2052,7 @@ If you do not configure this policy, Internet Explorer will not check the digita > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2071,7 +2131,7 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2345,13 +2405,13 @@ If you do not configure this policy setting, Internet Explorer requires consiste > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_5 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Consistent Mime Handling | @@ -2365,6 +2425,68 @@ If you do not configure this policy setting, Internet Explorer requires consiste + +## DisableActiveXVersionListAutoDownload + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload +``` + + + + +This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + +If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. + +If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. + +For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | VersionListAutomaticDownloadDisable | +| Friendly Name | Turn off automatic download of the ActiveX VersionList | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | +| Registry Key Name | Software\Microsoft\Internet Explorer\VersionManager | +| Registry Value Name | DownloadVersionList | +| ADMX File Name | inetres.admx | + + + + + + + + ## DisableBypassOfSmartScreenWarnings @@ -2408,7 +2530,7 @@ If you disable or do not configure this policy setting, the user can bypass Smar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2472,7 +2594,7 @@ If you disable or do not configure this policy setting, the user can bypass Smar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2536,7 +2658,7 @@ If you disable or do not configure this policy setting, the user can use the Com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2600,7 +2722,7 @@ If you disable or do not configure this policy setting, a user can set the numbe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2664,7 +2786,7 @@ If you disable or do not configure this policy setting, the crash detection feat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2730,7 +2852,7 @@ If you do not configure this policy setting, the user can choose to participate > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2798,7 +2920,7 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2862,7 +2984,7 @@ If you disable or do not configure this policy setting, the user can set the Fee > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2910,7 +3032,7 @@ If you enable this policy setting, the browser negotiates or does not negotiate If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. +**Note**: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. @@ -2928,7 +3050,7 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2991,7 +3113,7 @@ If you disable or do not configure this policy setting, the user can synchronize > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3059,7 +3181,7 @@ If you disable or do not configure this policy setting, Internet Explorer may ru > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3126,7 +3248,7 @@ If you don't configure this setting, users can turn this behavior on or off, usi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3192,7 +3314,7 @@ If you do not configure this policy setting, browser geolocation support can be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3213,6 +3335,66 @@ If you do not configure this policy setting, browser geolocation support can be + +## DisableHomePageChange + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange +``` + + + + +The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. + +If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. + +If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictHomePage | +| Friendly Name | Disable changing home page settings | +| Location | User Configuration | +| Path | Windows Components > Internet Explorer | +| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | +| Registry Value Name | HomePage | +| ADMX File Name | inetres.admx | + + + + + + + + ## DisableHTMLApplication @@ -3256,7 +3438,7 @@ If you disable or do not configure this policy setting, running the HTML Applica > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3320,7 +3502,7 @@ If you disable or do not configure this policy setting, the user can choose to i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3388,7 +3570,7 @@ If you do not configure this policy setting, InPrivate Browsing can be turned on > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3458,7 +3640,7 @@ If you disable, or don’t configure this policy, all sites are opened using the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3524,7 +3706,7 @@ If you disable, or don’t configure this policy, all sites are opened using the This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. -Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. +**Important**: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. @@ -3548,7 +3730,7 @@ If you don't configure this policy setting, users can turn this feature on or of > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3612,7 +3794,7 @@ If you disable or do not configure this policy setting, the user can configure p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3656,7 +3838,7 @@ If you disable or do not configure this policy setting, the user can configure p This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. -If you enable this policy setting, disableprocessesthe user cannot change the default search provider. +If you enable this policy setting, the user cannot change the default search provider. If you disable or do not configure this policy setting, the user can change the default search provider. @@ -3676,7 +3858,7 @@ If you disable or do not configure this policy setting, the user can change the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3724,7 +3906,7 @@ If you enable this policy setting, you can specify which default home pages shou If you disable or do not configure this policy setting, the user can add secondary home pages. -Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. +**Note**: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. @@ -3742,7 +3924,7 @@ Note: If the “Disable Changing Home Page Settings” policy is enabled, the us > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3805,7 +3987,7 @@ If you disable or do not configure this policy setting, the feature is turned on > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3867,7 +4049,7 @@ This policy is intended to help the administrator maintain version control for I > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3933,7 +4115,7 @@ If you do not configure this policy setting, a user will have the freedom to cho > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4001,7 +4183,7 @@ If you disable or do not configure this policy setting, Internet Explorer notifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4047,7 +4229,7 @@ If you disable this policy or do not configure it, users can add Web sites to or This policy prevents users from changing site management settings for security zones established by the administrator. -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. +**Note**: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. @@ -4067,7 +4249,7 @@ Also, see the "Security zones: Use only machine settings" policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4113,7 +4295,7 @@ If you disable this policy or do not configure it, users can change the settings This policy prevents users from changing security zone settings established by the administrator. -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. +**Note**: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. @@ -4133,7 +4315,7 @@ Also, see the "Security zones: Use only machine settings" policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4199,7 +4381,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4245,8 +4427,9 @@ This policy setting allows you to manage a list of domains on which Internet Exp If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For example, if you want to include https://example, use "example" + 3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. @@ -4269,7 +4452,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4335,7 +4518,7 @@ For more information, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4403,7 +4586,7 @@ To learn more about disabling Internet Explorer 11 as a standalone browser, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4469,7 +4652,7 @@ If you do not configure this policy setting, users choose whether to force local > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4535,7 +4718,7 @@ If you do not configure this policy setting, users choose whether network paths > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4601,13 +4784,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_1 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4666,13 +4849,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_1 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4729,13 +4912,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_1 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4796,13 +4979,13 @@ If you do not configure this policy setting, a script can perform a clipboard op > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowPasteViaScript | +| Name | IZ_PolicyAllowPasteViaScript_1 | | Friendly Name | Allow cut, copy or paste operations from the clipboard via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4861,13 +5044,13 @@ If you do not configure this policy setting, users can drag files or copy and pa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDropOrPasteFiles | +| Name | IZ_PolicyDropOrPasteFiles_1 | | Friendly Name | Allow drag and drop or copy and paste files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4926,13 +5109,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_1 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -4991,13 +5174,13 @@ If you do not configure this policy setting, Web sites from less privileged zone > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_1 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5056,13 +5239,13 @@ If you do not configure this policy setting, the user can decide whether to load > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_XAML | +| Name | IZ_Policy_XAML_1 | | Friendly Name | Allow loading of XAML files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5097,7 +5280,7 @@ If you do not configure this policy setting, the user can decide whether to load -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -5121,13 +5304,13 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_1 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5184,13 +5367,13 @@ If you disable this policy setting, the user does not see the per-site ActiveX p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt | +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet | | Friendly Name | Allow only approved domains to use ActiveX controls without prompt | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5247,13 +5430,13 @@ If you disable this policy setting, the TDC Active X control will run from all s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowTDCControl | +| Name | IZ_PolicyAllowTDCControl_Both_Internet | | Friendly Name | Allow only approved domains to use the TDC ActiveX control | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5312,13 +5495,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_WebBrowserControl | +| Name | IZ_Policy_WebBrowserControl_1 | | Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5377,13 +5560,13 @@ If you do not configure this policy setting, the possible harmful actions contai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyWindowsRestrictionsURLaction | +| Name | IZ_PolicyWindowsRestrictionsURLaction_1 | | Friendly Name | Allow script-initiated windows without size or position constraints | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5442,13 +5625,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_1 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5491,7 +5674,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -5509,13 +5692,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_1 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5572,13 +5755,13 @@ If you disable or do not configure this policy setting, script is not allowed to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_ScriptStatusBar | +| Name | IZ_Policy_ScriptStatusBar_1 | | Friendly Name | Allow updates to status bar via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5637,13 +5820,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_1 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5704,13 +5887,13 @@ If you do not configure or disable this policy setting, VBScript is prevented fr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowVBScript | +| Name | IZ_PolicyAllowVBScript_1 | | Friendly Name | Allow VBScript to run in Internet Explorer | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5769,13 +5952,13 @@ If you don't configure this policy setting, Internet Explorer always checks with > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5834,13 +6017,13 @@ If you do not configure this policy setting, users are queried whether to downlo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadSignedActiveX | +| Name | IZ_PolicyDownloadSignedActiveX_1 | | Friendly Name | Download signed ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5899,13 +6082,13 @@ If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadUnsignedActiveX | +| Name | IZ_PolicyDownloadUnsignedActiveX_1 | | Friendly Name | Download unsigned ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -5962,13 +6145,13 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyTurnOnXSSFilter | +| Name | IZ_PolicyTurnOnXSSFilter_Both_Internet | | Friendly Name | Turn on Cross-Site Scripting Filter | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6029,13 +6212,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows | +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet | | Friendly Name | Enable dragging of content from different domains across windows | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6096,13 +6279,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow | +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet | | Friendly Name | Enable dragging of content from different domains within a window | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6161,13 +6344,13 @@ If you do not configure this policy setting, the MIME Sniffing Safety Feature wi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyMimeSniffingURLaction | +| Name | IZ_PolicyMimeSniffingURLaction_1 | | Friendly Name | Enable MIME Sniffing | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6226,13 +6409,13 @@ If you do not configure this policy setting, the user can turn on or turn off Pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_TurnOnProtectedMode | +| Name | IZ_Policy_TurnOnProtectedMode_1 | | Friendly Name | Turn on Protected Mode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6291,13 +6474,13 @@ If you do not configure this policy setting, the user can choose whether path in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_LocalPathForUpload | +| Name | IZ_Policy_LocalPathForUpload_1 | | Friendly Name | Include local path when user is uploading files to a server | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6358,13 +6541,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_1 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6429,13 +6612,13 @@ If you do not configure this policy setting, the permission is set to High Safet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_1 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6494,13 +6677,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME | +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME_1 | | Friendly Name | Launching applications and files in an IFRAME | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6567,13 +6750,13 @@ If you do not configure this policy setting, logon is set to Automatic logon onl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLogon | +| Name | IZ_PolicyLogon_1 | | Friendly Name | Logon options | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6632,13 +6815,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_1 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6673,7 +6856,7 @@ If you do not configure this policy setting, users can open windows and frames f -This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. @@ -6697,13 +6880,13 @@ If you do not configure this policy setting, Internet Explorer will execute sign > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicySignedFrameworkComponentsURLaction | +| Name | IZ_PolicySignedFrameworkComponentsURLaction_1 | | Friendly Name | Run .NET Framework-reliant components signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6762,13 +6945,13 @@ If you do not configure this policy setting, the user can configure how the comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_UnsafeFiles | +| Name | IZ_Policy_UnsafeFiles_1 | | Friendly Name | Show security warning for potentially unsafe files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6827,13 +7010,13 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyBlockPopupWindows | +| Name | IZ_PolicyBlockPopupWindows_1 | | Friendly Name | Use Pop-up Blocker | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone | @@ -6892,13 +7075,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_3 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -6957,13 +7140,13 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_3 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7020,13 +7203,13 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_3 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7085,13 +7268,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_3 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7150,13 +7333,13 @@ If you do not configure this policy setting, Web sites from less privileged zone > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_3 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7191,7 +7374,7 @@ If you do not configure this policy setting, Web sites from less privileged zone -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -7215,13 +7398,13 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_3 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7280,13 +7463,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_3 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7329,7 +7512,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -7347,13 +7530,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_3 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7412,13 +7595,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_3 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7477,13 +7660,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7544,13 +7727,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_3 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7615,13 +7798,13 @@ If you do not configure this policy setting, the permission is set to Medium Saf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_3 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7680,13 +7863,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_3 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone | @@ -7745,7 +7928,7 @@ If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSX > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7817,7 +8000,7 @@ For more info about how to use this policy together with other related policies > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7906,13 +8089,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_9 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -7971,13 +8154,13 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_9 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8034,13 +8217,13 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_9 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8099,13 +8282,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_9 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8164,13 +8347,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_9 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8205,7 +8388,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -8229,13 +8412,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_9 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8294,13 +8477,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_9 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8343,7 +8526,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -8361,13 +8544,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_9 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8426,13 +8609,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_9 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8491,13 +8674,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8558,13 +8741,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_9 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8629,13 +8812,13 @@ If you do not configure this policy setting, the permission is set to Medium Saf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_9 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8694,13 +8877,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_9 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone | @@ -8759,13 +8942,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_2 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -8824,13 +9007,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_2 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -8887,13 +9070,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_2 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -8952,13 +9135,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_2 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9017,13 +9200,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_2 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9058,7 +9241,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -9082,13 +9265,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_2 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9147,13 +9330,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_2 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9196,7 +9379,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -9214,13 +9397,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_2 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9279,13 +9462,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_2 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9346,13 +9529,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_2 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9417,13 +9600,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_2 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9482,13 +9665,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_2 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone | @@ -9553,13 +9736,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_4 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9618,13 +9801,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_4 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9683,13 +9866,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_4 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9746,13 +9929,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_4 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9811,13 +9994,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_4 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9876,13 +10059,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_4 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -9917,7 +10100,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -9941,13 +10124,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_4 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10006,13 +10189,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_4 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10055,7 +10238,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -10073,13 +10256,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_4 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10138,13 +10321,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_4 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10205,13 +10388,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_4 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10270,13 +10453,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_4 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone | @@ -10335,13 +10518,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_10 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10400,13 +10583,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_10 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10463,13 +10646,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_10 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10528,13 +10711,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_10 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10593,13 +10776,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_10 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10634,7 +10817,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -10658,13 +10841,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_10 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10723,13 +10906,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_10 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10772,7 +10955,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -10790,13 +10973,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_10 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10855,13 +11038,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_10 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10922,13 +11105,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_10 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -10993,13 +11176,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_10 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -11058,13 +11241,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_10 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone | @@ -11123,13 +11306,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_8 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11188,13 +11371,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_8 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11251,13 +11434,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_8 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11316,13 +11499,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_8 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11381,13 +11564,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_8 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11422,7 +11605,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -11446,13 +11629,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_8 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11511,13 +11694,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_8 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11560,7 +11743,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -11578,13 +11761,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_8 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11643,13 +11826,13 @@ If you do not configure this policy setting, users cannot preserve information i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_8 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11710,13 +11893,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_8 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11781,13 +11964,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_8 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11846,13 +12029,13 @@ If you do not configure this policy setting, users cannot open other windows and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_8 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone | @@ -11911,13 +12094,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_6 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -11976,13 +12159,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_6 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12039,13 +12222,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_6 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12104,13 +12287,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_6 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12169,13 +12352,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_6 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12210,7 +12393,7 @@ If you do not configure this policy setting, the possibly harmful navigations ar -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -12234,13 +12417,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_6 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12299,13 +12482,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_6 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12348,7 +12531,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -12366,13 +12549,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_6 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12431,13 +12614,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_6 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12498,13 +12681,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_6 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12569,13 +12752,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_6 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12634,13 +12817,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_6 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone | @@ -12699,13 +12882,13 @@ If you do not configure this policy setting, MIME sniffing will never promote a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_6 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature | @@ -12764,13 +12947,13 @@ If you do not configure this policy setting, the MK Protocol is prevented for Fi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_3 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction | @@ -12827,7 +13010,7 @@ If you disable or do not configure this policy setting, the user can select his > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -12892,13 +13075,13 @@ If you do not configure this policy setting, the Notification bar will be displa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_10 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Notification bar | @@ -12955,7 +13138,7 @@ If you disable or do not configure this policy setting, the user is prompted to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -13018,7 +13201,7 @@ If you disable or do not configure this policy setting, ActiveX controls can be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -13084,13 +13267,13 @@ If you do not configure this policy setting, any zone can be protected from zone > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_9 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation | @@ -13149,7 +13332,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -13215,7 +13398,7 @@ For more information, see > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -13281,13 +13464,13 @@ If you do not configure this policy setting, the user's preference will be used > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_11 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install | @@ -13346,13 +13529,13 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_7 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13411,13 +13594,13 @@ If you do not configure this policy setting, script code on pages in the zone is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyActiveScripting | +| Name | IZ_PolicyActiveScripting_7 | | Friendly Name | Allow active scripting | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13476,13 +13659,13 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_7 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13539,13 +13722,13 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_7 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13604,13 +13787,13 @@ If you do not configure this policy setting, binary and script behaviors are not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyBinaryBehaviors | +| Name | IZ_PolicyBinaryBehaviors_7 | | Friendly Name | Allow binary and script behaviors | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13671,13 +13854,13 @@ If you do not configure this policy setting, a script cannot perform a clipboard > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowPasteViaScript | +| Name | IZ_PolicyAllowPasteViaScript_7 | | Friendly Name | Allow cut, copy or paste operations from the clipboard via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13736,13 +13919,13 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDropOrPasteFiles | +| Name | IZ_PolicyDropOrPasteFiles_7 | | Friendly Name | Allow drag and drop or copy and paste files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13801,13 +13984,13 @@ If you do not configure this policy setting, files are prevented from being down > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFileDownload | +| Name | IZ_PolicyFileDownload_7 | | Friendly Name | Allow file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13866,13 +14049,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_7 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13931,13 +14114,13 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_7 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -13996,13 +14179,13 @@ If you do not configure this policy setting, the user can decide whether to load > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_XAML | +| Name | IZ_Policy_XAML_7 | | Friendly Name | Allow loading of XAML files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14061,13 +14244,13 @@ If you do not configure this policy setting, a user's browser that loads a page > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowMETAREFRESH | +| Name | IZ_PolicyAllowMETAREFRESH_7 | | Friendly Name | Allow META REFRESH | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14102,7 +14285,7 @@ If you do not configure this policy setting, a user's browser that loads a page -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -14126,13 +14309,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_7 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14189,13 +14372,13 @@ If you disable this policy setting, the user does not see the per-site ActiveX p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt | +| Name | IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted | | Friendly Name | Allow only approved domains to use ActiveX controls without prompt | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14252,13 +14435,13 @@ If you disable this policy setting, the TDC Active X control will run from all s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowTDCControl | +| Name | IZ_PolicyAllowTDCControl_Both_Restricted | | Friendly Name | Allow only approved domains to use the TDC ActiveX control | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14317,13 +14500,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_WebBrowserControl | +| Name | IZ_Policy_WebBrowserControl_7 | | Friendly Name | Allow scripting of Internet Explorer WebBrowser controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14382,13 +14565,13 @@ If you do not configure this policy setting, the possible harmful actions contai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyWindowsRestrictionsURLaction | +| Name | IZ_PolicyWindowsRestrictionsURLaction_7 | | Friendly Name | Allow script-initiated windows without size or position constraints | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14447,13 +14630,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_7 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14496,7 +14679,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -14514,13 +14697,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_7 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14577,13 +14760,13 @@ If you disable or do not configure this policy setting, script is not allowed to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_ScriptStatusBar | +| Name | IZ_Policy_ScriptStatusBar_7 | | Friendly Name | Allow updates to status bar via script | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14642,13 +14825,13 @@ If you do not configure this policy setting, users cannot preserve information i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_7 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14709,13 +14892,13 @@ If you do not configure or disable this policy setting, VBScript is prevented fr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAllowVBScript | +| Name | IZ_PolicyAllowVBScript_7 | | Friendly Name | Allow VBScript to run in Internet Explorer | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14774,13 +14957,13 @@ If you don't configure this policy setting, Internet Explorer always checks with > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14839,13 +15022,13 @@ If you do not configure this policy setting, signed controls cannot be downloade > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadSignedActiveX | +| Name | IZ_PolicyDownloadSignedActiveX_7 | | Friendly Name | Download signed ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14904,13 +15087,13 @@ If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDownloadUnsignedActiveX | +| Name | IZ_PolicyDownloadUnsignedActiveX_7 | | Friendly Name | Download unsigned ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -14967,13 +15150,13 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyTurnOnXSSFilter | +| Name | IZ_PolicyTurnOnXSSFilter_Both_Restricted | | Friendly Name | Turn on Cross-Site Scripting Filter | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15034,13 +15217,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows | +| Name | IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted | | Friendly Name | Enable dragging of content from different domains across windows | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15101,13 +15284,13 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow | +| Name | IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted | | Friendly Name | Enable dragging of content from different domains within a window | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15166,13 +15349,13 @@ If you do not configure this policy setting, the actions that may be harmful can > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyMimeSniffingURLaction | +| Name | IZ_PolicyMimeSniffingURLaction_7 | | Friendly Name | Enable MIME Sniffing | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15231,13 +15414,13 @@ If you do not configure this policy setting, the user can choose whether path in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_LocalPathForUpload | +| Name | IZ_Policy_LocalPathForUpload_7 | | Friendly Name | Include local path when user is uploading files to a server | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15298,13 +15481,13 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_7 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15369,13 +15552,13 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_7 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15434,13 +15617,13 @@ If you do not configure this policy setting, users are prevented from running ap > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME | +| Name | IZ_PolicyLaunchAppsAndFilesInIFRAME_7 | | Friendly Name | Launching applications and files in an IFRAME | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15507,13 +15690,13 @@ If you do not configure this policy setting, logon is set to Prompt for username > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyLogon | +| Name | IZ_PolicyLogon_7 | | Friendly Name | Logon options | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15572,13 +15755,13 @@ If you do not configure this policy setting, users cannot open other windows and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_7 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15639,13 +15822,13 @@ If you do not configure this policy setting, controls and plug-ins are prevented > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyRunActiveXControls | +| Name | IZ_PolicyRunActiveXControls_7 | | Friendly Name | Run ActiveX controls and plugins | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15680,7 +15863,7 @@ If you do not configure this policy setting, controls and plug-ins are prevented -This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. @@ -15704,13 +15887,13 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicySignedFrameworkComponentsURLaction | +| Name | IZ_PolicySignedFrameworkComponentsURLaction_7 | | Friendly Name | Run .NET Framework-reliant components signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15771,13 +15954,13 @@ If you do not configure this policy setting, script interaction is prevented fro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXMarkedSafe | +| Name | IZ_PolicyScriptActiveXMarkedSafe_7 | | Friendly Name | Script ActiveX controls marked safe for scripting | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15838,13 +16021,13 @@ If you do not configure this policy setting, scripts are prevented from accessin > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptingOfJavaApplets | +| Name | IZ_PolicyScriptingOfJavaApplets_7 | | Friendly Name | Scripting of Java applets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15903,13 +16086,13 @@ If you do not configure this policy setting, the user can configure how the comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_UnsafeFiles | +| Name | IZ_Policy_UnsafeFiles_7 | | Friendly Name | Show security warning for potentially unsafe files | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -15968,13 +16151,13 @@ If you do not configure this policy setting, the user can turn on or turn off Pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_TurnOnProtectedMode | +| Name | IZ_Policy_TurnOnProtectedMode_7 | | Friendly Name | Turn on Protected Mode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -16033,13 +16216,13 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyBlockPopupWindows | +| Name | IZ_PolicyBlockPopupWindows_7 | | Friendly Name | Use Pop-up Blocker | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone | @@ -16098,13 +16281,13 @@ If you do not configure this policy setting, the user's preference determines wh > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_12 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Restrict File Download | @@ -16163,13 +16346,13 @@ If you do not configure this policy setting, popup windows and other restriction > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IESF_PolicyExplorerProcesses | +| Name | IESF_PolicyExplorerProcesses_8 | | Friendly Name | Internet Explorer Processes | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions | @@ -16228,7 +16411,7 @@ If you disable or do not configure this policy setting, the user can configure h > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16292,7 +16475,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16340,7 +16523,7 @@ Enabling this setting automatically opens all sites not included in the Enterpri Disabling, or not configuring this setting, opens all sites based on the currently active browser. -Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. +**Note**: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. @@ -16360,7 +16543,7 @@ Note: If you've also enabled the Administrative Templates\Windows Components\Mic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16447,7 +16630,7 @@ If you disable or do not configure this policy setting, ActiveX controls, includ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -16513,13 +16696,13 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAccessDataSourcesAcrossDomains | +| Name | IZ_PolicyAccessDataSourcesAcrossDomains_5 | | Friendly Name | Access data sources across domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16578,13 +16761,13 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarActiveXURLaction | +| Name | IZ_PolicyNotificationBarActiveXURLaction_5 | | Friendly Name | Automatic prompting for ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16641,13 +16824,13 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNotificationBarDownloadURLaction | +| Name | IZ_PolicyNotificationBarDownloadURLaction_5 | | Friendly Name | Automatic prompting for file downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16706,13 +16889,13 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyFontDownload | +| Name | IZ_PolicyFontDownload_5 | | Friendly Name | Allow font downloads | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16771,13 +16954,13 @@ If you do not configure this policy setting, a warning is issued to the user tha > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyZoneElevationURLaction | +| Name | IZ_PolicyZoneElevationURLaction_5 | | Friendly Name | Web sites in less privileged Web content zones can navigate into this zone | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16812,7 +16995,7 @@ If you do not configure this policy setting, a warning is issued to the user tha -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. @@ -16836,13 +17019,13 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction | +| Name | IZ_PolicyUnsignedFrameworkComponentsURLaction_5 | | Friendly Name | Run .NET Framework-reliant components not signed with Authenticode | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16901,13 +17084,13 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_AllowScriptlets | +| Name | IZ_Policy_AllowScriptlets_5 | | Friendly Name | Allow scriptlets | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -16950,7 +17133,7 @@ If you disable this policy setting, SmartScreen Filter does not scan pages in th If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -16968,13 +17151,13 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_Policy_Phishing | +| Name | IZ_Policy_Phishing_5 | | Friendly Name | Turn on SmartScreen Filter scan | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17033,13 +17216,13 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyUserdataPersistence | +| Name | IZ_PolicyUserdataPersistence_5 | | Friendly Name | Userdata persistence | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17098,13 +17281,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls | +| Name | IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 | | Friendly Name | Don't run antimalware programs against ActiveX controls | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17165,13 +17348,13 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyScriptActiveXNotMarkedSafe | +| Name | IZ_PolicyScriptActiveXNotMarkedSafe_5 | | Friendly Name | Initialize and script ActiveX controls not marked as safe | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17236,13 +17419,13 @@ If you do not configure this policy setting, the permission is set to Low Safety > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyJavaPermissions | +| Name | IZ_PolicyJavaPermissions_5 | | Friendly Name | Java permissions | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17301,13 +17484,13 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_PolicyNavigateSubframesAcrossDomains | +| Name | IZ_PolicyNavigateSubframesAcrossDomains_5 | | Friendly Name | Navigate windows and frames across different domains | | Location | Computer and User Configuration | | Path | Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone | @@ -17321,190 +17504,6 @@ If you do not configure this policy setting, users can open windows and frames f - -## AllowAutoComplete - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/InternetExplorer/AllowAutoComplete -``` - - - - -This AutoComplete feature can remember and suggest User names and passwords on Forms. - -If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". - -If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. - -If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RestrictFormSuggestPW | -| Friendly Name | Turn on the auto-complete feature for user names and passwords on forms | -| Location | User Configuration | -| Path | Windows Components > Internet Explorer | -| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Main | -| Registry Value Name | FormSuggest Passwords | -| ADMX File Name | inetres.admx | - - - - - - - - - -## DisableActiveXVersionListAutoDownload - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableActiveXVersionListAutoDownload -``` - - - - -This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. - -If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. - -If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML. - -For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | VersionListAutomaticDownloadDisable | -| Friendly Name | Turn off automatic download of the ActiveX VersionList | -| Location | User Configuration | -| Path | Windows Components > Internet Explorer > Security Features > Add-on Management | -| Registry Key Name | Software\Microsoft\Internet Explorer\VersionManager | -| Registry Value Name | DownloadVersionList | -| ADMX File Name | inetres.admx | - - - - - - - - - -## DisableHomePageChange - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange -``` - - - - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. - -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. - -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RestrictHomePage | -| Friendly Name | Disable changing home page settings | -| Location | User Configuration | -| Path | Windows Components > Internet Explorer | -| Registry Key Name | Software\Policies\Microsoft\Internet Explorer\Control Panel | -| Registry Value Name | HomePage | -| ADMX File Name | inetres.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 9fe15efb61..00c57f2f58 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Kerberos > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -66,13 +64,13 @@ If you disable or do not configure this policy setting, the Kerberos client does > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | forestsearch | +| Name | ForestSearch | | Friendly Name | Use forest search order | | Location | Computer Configuration | | Path | System > Kerberos | @@ -192,7 +190,7 @@ If you disable or do not configure this policy setting, the client devices will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -307,12 +305,19 @@ Events generated by this configuration: 205, 206, 207, 208. - -Configure SHA-1 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA1 algorithm will assume the **Default** state. @@ -368,12 +373,19 @@ Configure SHA-1 hash algorithm for certificate logon - -Configure SHA-256 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA256 algorithm will assume the **Default** state. @@ -429,12 +441,19 @@ Configure SHA-256 hash algorithm for certificate logon - -Configure SHA-384 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA384 algorithm will assume the **Default** state. @@ -490,12 +509,19 @@ Configure SHA-384 hash algorithm for certificate logon - -Configure SHA-512 hash algorithm for certificate logon + +This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +- 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- 1 - **Default**: This state sets the algorithm to the recommended state. +- 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +- 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA512 algorithm will assume the **Default** state. @@ -554,11 +580,13 @@ Configure SHA-512 hash algorithm for certificate logon This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. +> [!WARNING] +> When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. +> [!NOTE] +> The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. @@ -578,7 +606,7 @@ If you disable or do not configure this policy setting, the client computers in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -638,7 +666,7 @@ If you disable or do not configure this policy setting, the Kerberos client requ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -684,7 +712,8 @@ If you enable this policy setting, the Kerberos client or server uses the config If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. +> [!NOTE] +> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. @@ -702,7 +731,7 @@ Note: This policy setting configures the existing MaxTokenSize registry value in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -740,7 +769,8 @@ Note: This policy setting configures the existing MaxTokenSize registry value in -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. +This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index a3014db5d5..361f69d2b9 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -98,9 +98,10 @@ This policy setting prevents users from adding new Microsoft accounts on this co -This security setting determines whether the local Administrator account is enabled or disabled. +This security setting determines whether the local Administrator account is enabled or disabled -**Note** s If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. +> [!NOTE] +> If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default Disabled. @@ -158,9 +159,10 @@ This security setting determines whether the local Administrator account is enab -This security setting determines if the Guest account is enabled or disabled. Default: Disabled. +This security setting determines if the Guest account is enabled or disabled. Default Disabled -**Note**: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. +> [!NOTE] +> If the Guest account is disabled and the security option Network Access Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. @@ -218,11 +220,13 @@ This security setting determines if the Guest account is enabled or disabled. De -Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. +Accounts Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default Enabled -**Warning**: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services -**Note** s This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. +> [!NOTE] +> This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. @@ -427,7 +431,10 @@ Devices: Allowed to format and eject removable media This security setting deter -Devices: Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +Devices Allow undock without having to log on This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default Enabled + +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -976,9 +983,10 @@ Interactive logon: Message title for users attempting to log on This security se -Interactive logon: Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. +Interactive logon Smart card removal behavior This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation -**Note**: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default This policy is not defined, which means that the system treats it as No action. On Windows Vista and above For this setting to work, the Smart Card Removal Policy service must be started. @@ -1038,11 +1046,13 @@ Interactive logon: Smart card removal behavior This security setting determines -Microsoft network client: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. +Microsoft network client Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default Disabled -**Important**: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). +> [!IMPORTANT] +> For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client Digitally sign communications (if server agrees) -**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: . +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference . @@ -1100,9 +1110,10 @@ Microsoft network client: Digitally sign communications (always) This security s -Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. +Microsoft network client Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled -**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: . +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . @@ -1218,11 +1229,13 @@ Microsoft network client: Send unencrypted password to connect to third-party SM -Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. +Microsoft network server Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default Disabled for member servers. Enabled for domain controllers -**Note** s All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors -**Important**: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: . +> [!IMPORTANT] +> For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy Microsoft network server Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference . @@ -1280,9 +1293,10 @@ Microsoft network server: Digitally sign communications (always) This security s -Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. +Microsoft network server Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled on domain controllers only -**Important**: For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: . +> [!IMPORTANT] +> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000 HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . @@ -1398,9 +1412,10 @@ Network access: Allow anonymous SID/name translation This policy setting determi -Network access: Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. +Network access Do not allow anonymous enumeration of SAM accounts This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows Enabled Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled No additional restrictions. Rely on default permissions. Default on workstations Enabled. Default on serverEnabled -**Important**: This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. @@ -1622,13 +1637,16 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy -Network security: Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. +Network security Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008 -**Note**: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. +> [!NOTE] +> Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. +- When a service connects with the device identity, signing and encryption are supported to provide data protection. +- When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed. @@ -1743,9 +1761,10 @@ Network security: Allow PKU2U authentication requests to this computer to use on -Network security: Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. +Network security Do not store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above Enabled Default on Windows XP Disabled -**Important**: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. +> [!IMPORTANT] +> Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. @@ -1803,9 +1822,10 @@ Network security: Do not store LAN Manager hash value on next password change Th -Network security: Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default: Enabled. +Network security Force logoff when logon hours expire This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default Enabled -**Note**: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. +> [!NOTE] +> This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. @@ -1863,9 +1883,10 @@ Network security: Force logoff when logon hours expire This security setting det -Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). +Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows Send LM and NTLM responses Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM and NTLM - use NTLMv2 session security if negotiated Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM and NTLM Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication) -**Important**: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: Windows 2000 and windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only +> [!IMPORTANT] +> This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default Windows 2000 and windows XP send LM and NTLM responses Windows Server 2003 Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 Send NTLMv2 response only @@ -2096,9 +2117,10 @@ Network security: Restrict NTLM: Add remote server exceptions for NTLM authentic -Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. +Network security Restrict NTLM Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security Restrict NTLM Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2 -**Note**: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2157,9 +2179,10 @@ Network security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting -Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. +Network security Restrict NTLM Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2 -**Note**: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2218,9 +2241,10 @@ Network security: Restrict NTLM: Incoming NTLM traffic This policy setting allow -Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. +Network security Restrict NTLM Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security Restrict NTLM Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2 -**Note**: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. +> [!NOTE] +> Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. @@ -2453,9 +2477,10 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou -User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. +User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are • Elevate without prompting Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials -**Note**: Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +> [!NOTE] +> Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. @@ -2750,9 +2775,10 @@ User Account Control: Only elevate UIAccess applications that are installed in s -User Account Control: Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. +User Account Control Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are • Enabled (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled Admin Approval Mode and all related UAC policy settings are disabled -**Note**: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. +> [!NOTE] +> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. From 3927b0e3319c6977b0a1b7af782494993ae22533 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 6 Jan 2023 18:15:07 -0500 Subject: [PATCH 122/152] More changes per feedback --- .../mdm/policy-csp-admx-globalization.md | 1089 ++++++------ .../mdm/policy-csp-admx-netlogon.md | 276 +-- .../mdm/policy-csp-admx-scripts.md | 780 +++++---- .../mdm/policy-csp-admx-startmenu.md | 1479 +++++++++-------- .../mdm/policy-csp-admx-taskbar.md | 265 ++- .../mdm/policy-csp-admx-terminalserver.md | 345 ++-- 6 files changed, 2137 insertions(+), 2097 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index c3bbfb3d75..bc42d298f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Globalization Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Globalization > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. -Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. +**Note** this does not affect the availability of user input methods on the lock screen or with the UAC prompt. -If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. +- If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page. -If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. +- If the policy is disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. @@ -68,7 +66,7 @@ If the policy is Disabled or Not Configured, then the user will be able to use i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -89,466 +87,6 @@ If the policy is Disabled or Not Configured, then the user will be able to use i - -## CustomLocalesNoSelect_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_2 -``` - - - - -This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. - -This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. - -The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. - -If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. - -If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. - -If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. - -To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CustomLocalesNoSelect | -| Friendly Name | Disallow selection of Custom Locales | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | CustomLocalesNoSelect | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## ImplicitDataCollectionOff_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_2 -``` - - - - -This policy setting turns off the automatic learning component of handwriting recognition personalization. - -Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. - -Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. - -Note: Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. - -If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. - -If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. - -If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. - -This policy setting is related to the "Turn off handwriting personalization" policy setting. - -Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. - -Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ImplicitDataCollectionOff | -| Friendly Name | Turn off automatic learning | -| Location | Computer Configuration | -| Path | Control Panel > Regional and Language Options > Handwriting personalization | -| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## LocaleSystemRestrict - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleSystemRestrict -``` - - - - -This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. - -The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). - -If you enable this policy setting, administrators can select a system locale only from the specified system locale list. - -If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LocaleSystemRestrict | -| Friendly Name | Restrict system locales | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | RestrictSystemLocales | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## LocaleUserRestrict_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_2 -``` - - - - -This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. - -To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. - -The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). - -If you enable this policy setting, only locales in the specified locale list can be selected by users. - -If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - -If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LocaleUserRestrict | -| Friendly Name | Restrict user locales | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | RestrictUserLocales | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## LockMachineUILanguage - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockMachineUILanguage -``` - - - - -This policy setting restricts the Windows UI language for all users. - -This is a policy setting for computers with more than one UI language installed. - -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. - -If you disable or do not configure this policy setting, the user can specify which UI language is used. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LockMachineUILanguage | -| Friendly Name | Restricts the UI language Windows uses for all logged users | -| Location | Computer Configuration | -| Path | Control Panel > Regional and Language Options | -| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## PreventGeoIdChange_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_2 -``` - - - - -This policy setting prevents users from changing their user geographical location (GeoID). - -If you enable this policy setting, users cannot change their GeoID. - -If you disable or do not configure this policy setting, users may select any GeoID. - -If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. - -To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventGeoIdChange | -| Friendly Name | Disallow changing of geographic location | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | PreventGeoIdChange | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## PreventUserOverrides_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_2 -``` - - - - -This policy setting prevents the user from customizing their locale by changing their user overrides. - -Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. - -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. - -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - -If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. - -To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventUserOverrides | -| Friendly Name | Disallow user override of locale settings | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | PreventUserOverrides | -| ADMX File Name | Globalization.admx | - - - - - - - - ## CustomLocalesNoSelect_1 @@ -572,11 +110,12 @@ This does not affect the selection of replacement locales. To prevent the select The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. -If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. +- If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. -If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. +- If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. -If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. +- If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. @@ -596,13 +135,13 @@ To set this policy setting on a per-user basis, make sure that you do not config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CustomLocalesNoSelect | +| Name | CustomLocalesNoSelect_1 | | Friendly Name | Disallow selection of Custom Locales | | Location | User Configuration | | Path | System > Locale Services | @@ -617,6 +156,75 @@ To set this policy setting on a per-user basis, make sure that you do not config + +## CustomLocalesNoSelect_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_2 +``` + + + + +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +- If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +- If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +- If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomLocalesNoSelect_2 | +| Friendly Name | Disallow selection of Custom Locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | CustomLocalesNoSelect | +| ADMX File Name | Globalization.admx | + + + + + + + + ## HideAdminOptions @@ -638,11 +246,12 @@ This policy setting removes the Administrative options from the Region settings This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user cannot see the Administrative options. +- If you enable this policy setting, the user cannot see the Administrative options. -If you disable or do not configure this policy setting, the user can see the Administrative options. +- If you disable or do not configure this policy setting, the user can see the Administrative options. -Note: Even if a user can see the Administrative options, other policies may prevent them from modifying the values. +> [!NOTE] +> Even if a user can see the Administrative options, other policies may prevent them from modifying the values. @@ -660,7 +269,7 @@ Note: Even if a user can see the Administrative options, other policies may prev > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -702,11 +311,12 @@ This policy setting removes the option to change the user's geographical locatio This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. +- If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. -If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). +- If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). -Note: Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. +> [!NOTE] +> Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. @@ -724,7 +334,7 @@ Note: Even if a user can see the GeoID option, the "Disallow changing of geograp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -766,11 +376,12 @@ This policy setting removes the option to change the user's menus and dialogs (U This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. +- If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. -If you disable or do not configure this policy setting, the user sees the option for changing the UI language. +- If you disable or do not configure this policy setting, the user sees the option for changing the UI language. -Note: Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. +> [!NOTE] +> Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. @@ -788,7 +399,7 @@ Note: Even if a user can see the option to change the UI language, other policy > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -830,9 +441,9 @@ This policy setting removes the regional formats interface from the Region setti This policy setting is used only to simplify the Regional and Language Options control panel. -If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. +- If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. -If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. +- If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. @@ -850,7 +461,7 @@ If you disable or do not configure this policy setting, the user sees the region > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -894,19 +505,22 @@ Automatic learning enables the collection and storage of text and ink written by Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. -Note: Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. -If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. +- If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. -If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. +- If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. -If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. +- If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. -Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. -Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. +> [!NOTE] +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. @@ -924,13 +538,13 @@ Note: Handwriting personalization works only for Microsoft handwriting recognize > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ImplicitDataCollectionOff | +| Name | ImplicitDataCollectionOff_1 | | Friendly Name | Turn off automatic learning | | Location | User Configuration | | Path | Control Panel > Regional and Language Options > Handwriting personalization | @@ -944,6 +558,144 @@ Note: Handwriting personalization works only for Microsoft handwriting recognize + +## ImplicitDataCollectionOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_2 +``` + + + + +This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. + +Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +- If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +- If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +- If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. + +> [!NOTE] +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ImplicitDataCollectionOff_2 | +| Friendly Name | Turn off automatic learning | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options > Handwriting personalization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## LocaleSystemRestrict + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleSystemRestrict +``` + + + + +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. + +The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). + +- If you enable this policy setting, administrators can select a system locale only from the specified system locale list. + +- If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocaleSystemRestrict | +| Friendly Name | Restrict system locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictSystemLocales | +| ADMX File Name | Globalization.admx | + + + + + + + + ## LocaleUserRestrict_1 @@ -967,11 +719,12 @@ To set this policy setting on a per-user basis, make sure that you do not config The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). -If you enable this policy setting, only locales in the specified locale list can be selected by users. +- If you enable this policy setting, only locales in the specified locale list can be selected by users. -If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. +- If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. -If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. +- If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. @@ -989,13 +742,13 @@ If this policy setting is enabled at the computer level, it cannot be disabled b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | LocaleUserRestrict | +| Name | LocaleUserRestrict_1 | | Friendly Name | Restrict user locales | | Location | User Configuration | | Path | System > Locale Services | @@ -1010,6 +763,134 @@ If this policy setting is enabled at the computer level, it cannot be disabled b + +## LocaleUserRestrict_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_2 +``` + + + + +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +- If you enable this policy setting, only locales in the specified locale list can be selected by users. + +- If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. + +- If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocaleUserRestrict_2 | +| Friendly Name | Restrict user locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictUserLocales | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## LockMachineUILanguage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockMachineUILanguage +``` + + + + +This policy setting restricts the Windows UI language for all users. + +This is a policy setting for computers with more than one UI language installed. + +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. + +- If you disable or do not configure this policy setting, the user can specify which UI language is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LockMachineUILanguage | +| Friendly Name | Restricts the UI language Windows uses for all logged users | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | +| ADMX File Name | Globalization.admx | + + + + + + + + ## LockUserUILanguage @@ -1031,9 +912,9 @@ This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. -If you disable or do not configure this policy setting, there is no restriction on which language users should use. +- If you disable or do not configure this policy setting, there is no restriction on which language users should use. To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. @@ -1053,7 +934,7 @@ To enable this policy setting in Windows Server 2003, Windows XP, or Windows 200 > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1092,11 +973,13 @@ To enable this policy setting in Windows Server 2003, Windows XP, or Windows 200 This policy setting prevents users from changing their user geographical location (GeoID). -If you enable this policy setting, users cannot change their GeoID. +- If you enable this policy setting, users cannot change their GeoID. -If you disable or do not configure this policy setting, users may select any GeoID. +- If you disable or do not configure this policy setting, users may select any GeoID. -If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. +- If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. +- If you disable this policy setting at the computer level, the per-user policy is ignored. +- If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. @@ -1116,13 +999,13 @@ To set this policy setting on a per-user basis, make sure that the per-computer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventGeoIdChange | +| Name | PreventGeoIdChange_1 | | Friendly Name | Disallow changing of geographic location | | Location | User Configuration | | Path | System > Locale Services | @@ -1137,6 +1020,72 @@ To set this policy setting on a per-user basis, make sure that the per-computer + +## PreventGeoIdChange_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_2 +``` + + + + +This policy setting prevents users from changing their user geographical location (GeoID). + +- If you enable this policy setting, users cannot change their GeoID. + +- If you disable or do not configure this policy setting, users may select any GeoID. + +- If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. +- If you disable this policy setting at the computer level, the per-user policy is ignored. +- If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventGeoIdChange_2 | +| Friendly Name | Disallow changing of geographic location | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventGeoIdChange | +| ADMX File Name | Globalization.admx | + + + + + + + + ## PreventUserOverrides_1 @@ -1160,9 +1109,11 @@ Any existing overrides in place when this policy is enabled will be frozen. To r When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. +- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. -If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. +- If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. +- If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. +- If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. @@ -1182,13 +1133,13 @@ To set this policy on a per-user basis, make sure that the per-computer policy i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventUserOverrides | +| Name | PreventUserOverrides_1 | | Friendly Name | Disallow user override of locale settings | | Location | User Configuration | | Path | System > Locale Services | @@ -1203,6 +1154,74 @@ To set this policy on a per-user basis, make sure that the per-computer policy i + +## PreventUserOverrides_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_2 +``` + + + + +This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. + +- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +- If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. +- If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. +- If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventUserOverrides_2 | +| Friendly Name | Disallow user override of locale settings | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventUserOverrides | +| ADMX File Name | Globalization.admx | + + + + + + + + ## RestrictUILangSelect @@ -1222,11 +1241,11 @@ To set this policy on a per-user basis, make sure that the per-computer policy i This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. -If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. +- If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting. -If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. +- If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. @@ -1244,7 +1263,7 @@ If you disable or do not configure this policy setting, the logged-on user can a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1285,11 +1304,11 @@ This policy turns off the autocorrect misspelled words option. This does not, ho The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. -If the policy is Enabled, then the option will be locked to not autocorrect misspelled words. +- If the policy is enabled, then the option will be locked to not autocorrect misspelled words. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1307,7 +1326,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1349,11 +1368,11 @@ This policy turns off the highlight misspelled words option. This does not, howe The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. -If the policy is Enabled, then the option will be locked to not highlight misspelled words. +- If the policy is enabled, then the option will be locked to not highlight misspelled words. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1371,7 +1390,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1413,11 +1432,11 @@ This policy turns off the insert a space after selecting a text prediction optio The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. -If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction. +- If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1435,7 +1454,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1477,11 +1496,11 @@ This policy turns off the offer text predictions as I type option. This does not The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. -If the policy is Enabled, then the option will be locked to not offer text predictions. +- If the policy is enabled, then the option will be locked to not offer text predictions. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1499,7 +1518,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1541,11 +1560,11 @@ This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. -If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. +- If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999. -If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. +- If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. @@ -1563,7 +1582,7 @@ If you disable or do not configure this policy setting, Windows does not interpr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 80c36f00cc..9b6d315322 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Netlogon Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Netlogon > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -56,7 +54,7 @@ The allowable values for this setting result in the following behaviors: To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -74,7 +72,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -115,11 +113,11 @@ This policy setting detremines the type of IP address that is returned for a dom By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. -If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. +- If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. -If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. +- If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. -If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. +- If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. @@ -137,7 +135,7 @@ If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -179,9 +177,9 @@ This policy setting specifies whether the computers to which this setting is app By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. -If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails. +- If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails. -If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. +- If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. @@ -199,7 +197,7 @@ If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -241,11 +239,11 @@ This policy setting controls whether the Net Logon service will allow the use of By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. -If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. +- If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. -If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. +- If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. +- If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. @@ -263,7 +261,7 @@ If you do not configure this policy setting, Net Logon will not allow the negoti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -305,11 +303,11 @@ This policy setting specifies whether the computers to which this setting is app By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. -If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. +- If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. -If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. +- If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -327,7 +325,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -367,11 +365,11 @@ If you do not configure this policy setting, it is not applied to any computers, This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. -If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. +- If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. -If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own. +- If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -389,7 +387,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -431,11 +429,11 @@ This policy setting allows you to control the domain controller (DC) location al NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. -Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. +**Note** that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. -If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. +- If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. -If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. +- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. @@ -453,7 +451,7 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -493,13 +491,13 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. -Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. +Contacting the PDC emulator is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. -If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. +- If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. -If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. +- If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. -If you do not configure this policy setting, it is not applied to any DCs. +- If you do not configure this policy setting, it is not applied to any DCs. @@ -517,7 +515,7 @@ If you do not configure this policy setting, it is not applied to any DCs. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -563,7 +561,8 @@ This setting is relevant only to those callers of DsGetDcName that have specifie If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used. -Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. +> [!WARNING] +> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. @@ -581,7 +580,7 @@ Warning: If the value for this setting is too large, a client will not attempt t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -626,7 +625,8 @@ The default value for this setting is 60 minutes (60*60). The maximum value for If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used. -Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC. +> [!WARNING] +> If the value for this setting is too large, a client may take very long periods to try to find a DC. If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. @@ -646,7 +646,7 @@ If the value for this setting is too small and the DC is not available, the freq > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -687,7 +687,8 @@ This policy setting determines when retries are no longer allowed for applicatio The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. -Warning: If the value for this setting is too small, a client will stop trying to find a DC too soon. +> [!WARNING] +> If the value for this setting is too small, a client will stop trying to find a DC too soon. @@ -705,7 +706,7 @@ Warning: If the value for this setting is too small, a client will stop trying t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -760,7 +761,7 @@ This policy setting determines when a successful DC cache entry is refreshed. Th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -801,11 +802,11 @@ This policy setting specifies the level of debug output for the Net Logon servic The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. -If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. +- If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. If you specify zero for this policy setting, the default behavior occurs as described above. -If you disable this policy setting or do not configure it, the default behavior occurs as described above. +- If you disable this policy setting or do not configure it, the default behavior occurs as described above. @@ -823,7 +824,7 @@ If you disable this policy setting or do not configure it, the default behavior > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -859,43 +860,42 @@ If you disable this policy setting or do not configure it, the default behavior - -This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. - -If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. - -Select the mnemonics from the following list: - -Mnemonic Type DNS Record - -LdapIpAddress A `` -Ldap SRV _ldap._tcp.`` -LdapAtSite SRV _ldap._tcp.``._sites.`` -Pdc SRV _ldap._tcp.pdc._msdcs.`` -Gc SRV _ldap._tcp.gc._msdcs.`` -GcAtSite SRV _ldap._tcp.``._sites.gc._msdcs.`` -DcByGuid SRV _ldap._tcp.``.domains._msdcs.`` -GcIpAddress A gc._msdcs.`` -DsaCname CNAME ``._msdcs.`` -Kdc SRV _kerberos._tcp.dc._msdcs.`` -KdcAtSite SRV _kerberos._tcp.``._sites.dc._msdcs.`` -Dc SRV _ldap._tcp.dc._msdcs.`` -DcAtSite SRV _ldap._tcp.``._sites.dc._msdcs.`` -Rfc1510Kdc SRV _kerberos._tcp.`` -Rfc1510KdcAtSite SRV _kerberos._tcp.``._sites.`` -GenericGc SRV _gc._tcp.`` -GenericGcAtSite SRV _gc._tcp.``._sites.`` -Rfc1510UdpKdc SRV _kerberos._udp.`` -Rfc1510Kpwd SRV _kpasswd._tcp.`` -Rfc1510UdpKpwd SRV _kpasswd._udp.`` - -If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. - -If you do not configure this policy setting, DCs use their local configuration. + +This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service. + +- If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied. Select the mnemonics from the following table: + + | Mnemonic | Type | DNS Record | + |------------------|-------|----------------------------------------------------------------| + | LdapIpAddress | A | `` | + | Ldap | SRV | _ldap._tcp.`` | + | LdapAtSite | SRV | _ldap._tcp.``._sites.`` | + | Pdc | SRV | _ldap._tcp.pdc._msdcs.`` | + | Gc | SRV | _ldap._tcp.gc._msdcs.`` | + | GcAtSite | SRV | _ldap._tcp.``._sites.gc._msdcs.`` | + | DcByGuid | SRV | _ldap._tcp.``.domains._msdcs.`` | + | GcIpAddress | A | gc._msdcs.`` | + | DsaCname | CNAME | ``._msdcs.`` | + | Kdc | SRV | _kerberos._tcp.dc._msdcs.`` | + | KdcAtSite | SRV | _kerberos._tcp.``._sites.dc._msdcs. | + | KdcAtSite | SRV | _kerberos._tcp.``._sites.dc._msdcs.`` | + | Dc | SRV | _ldap._tcp.dc._msdcs.`` | + | DcAtSite | SRV | _ldap._tcp.``._sites.dc._msdcs.`` | + | Rfc1510Kdc | SRV | _kerberos._tcp.`` | + | Rfc1510KdcAtSite | SRV | _kerberos._tcp.``._sites.`` | + | GenericGc | SRV | _gc._tcp.`` | + | GenericGcAtSite | SRV | _gc._tcp.``._sites.`` | + | Rfc1510UdpKdc | SRV | _kerberos._udp.`` | + | Rfc1510Kpwd | SRV | _kpasswd._tcp.`` | + | Rfc1510UdpKpwd | SRV | _kpasswd._udp.`` | + +- If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. + +- If you don't configure this policy setting, DCs use their local configuration. @@ -909,7 +909,7 @@ If you do not configure this policy setting, DCs use their local configuration. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -948,13 +948,14 @@ If you do not configure this policy setting, DCs use their local configuration. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. -DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. +DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records' data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. -Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. +> [!WARNING] +> If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -972,7 +973,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1039,7 +1040,7 @@ More information is available at > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1081,7 +1082,7 @@ This policy setting specifies the value for the Time-To-Live (TTL) field in SRV To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1099,7 +1100,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1136,11 +1137,11 @@ If you do not configure this policy setting, it is not applied to any DCs, and D -This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +This policy setting specifies the additional time for the computer to wait for the domain controller's (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -1158,7 +1159,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1199,11 +1200,11 @@ This policy setting determines the interval for when a Force Rediscovery is carr The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. -If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. +- If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. -If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. +- If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. -If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. +- If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. @@ -1221,7 +1222,7 @@ If you do not configure this policy setting, Force Rediscovery will be used by d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1264,7 +1265,7 @@ The GC Locator DNS records and the site-specific SRV records are dynamically reg To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format. -If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. @@ -1282,7 +1283,7 @@ If you do not configure this policy setting, it is not applied to any GCs, and G > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1321,13 +1322,14 @@ If you do not configure this policy setting, it is not applied to any GCs, and G This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). -Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. +> [!NOTE] +> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names. -If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. +- If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. -If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. +- If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. @@ -1345,7 +1347,7 @@ If you disable or do not configure this policy setting, this DC processes incomi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1385,11 +1387,11 @@ If you disable or do not configure this policy setting, this DC processes incomi This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. -The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. +The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record's Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1407,7 +1409,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1450,7 +1452,7 @@ The Weight field in the SRV record can be used in addition to the Priority value To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1468,7 +1470,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1507,9 +1509,10 @@ If you do not configure this policy setting, it is not applied to any DCs, and D This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. -By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. +By default, the maximum size of the log file is 20MB. +- If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. -If you disable or do not configure this policy setting, the default behavior occurs as indicated above. +- If you disable or do not configure this policy setting, the default behavior occurs as indicated above. @@ -1527,7 +1530,7 @@ If you disable or do not configure this policy setting, the default behavior occ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1570,7 +1573,7 @@ The application directory partition DC Locator DNS records and the site-specific To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1588,7 +1591,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1629,7 +1632,8 @@ This policy setting specifies the amount of time (in seconds) the DC locator rem The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. -Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. +> [!WARNING] +> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. @@ -1647,7 +1651,7 @@ Warning: If the value for this setting is too large, a client will not attempt t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1686,15 +1690,16 @@ Warning: If the value for this setting is too large, a client will not attempt t This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. -If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. +- If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. -If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. +- If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested. -Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. +> [!NOTE] +> The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. +- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. @@ -1712,7 +1717,7 @@ If you enable this policy setting, domain administrators should ensure that the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1770,7 +1775,7 @@ The default value for this setting is 30 minutes (1800). The maximum value for t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1818,7 +1823,7 @@ The allowable values for this setting result in the following behaviors: To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -1836,7 +1841,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1879,7 +1884,7 @@ This policy setting determines the interval at which Netlogon performs the follo - On the domain controllers (DC), discovers a DC that has not been discovered. -- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn’t already been successfully added. +- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn't already been successfully added. None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. @@ -1901,7 +1906,7 @@ To enable the setting, click Enabled, and then specify the interval in seconds. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1944,7 +1949,7 @@ The DC Locator DNS records are dynamically registered by the Net Logon service, To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1962,7 +1967,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2005,7 +2010,7 @@ An Active Directory site is one or more well-connected TCP/IP subnets that allow To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -2023,7 +2028,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2068,9 +2073,10 @@ When this setting is disabled or not configured, the SYSVOL share will grant sha By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested. -Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. +> [!NOTE] +> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. +- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. @@ -2088,7 +2094,7 @@ If you enable this policy setting, domain administrators should ensure that the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2130,11 +2136,11 @@ This policy setting enables DC Locator to attempt to locate a DC in the nearest The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. -If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. +- If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. -If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. +- If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. -If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. +- If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. @@ -2152,7 +2158,7 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2192,11 +2198,11 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. -If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. +- If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. -If you disable this policy setting, DCs will not register DC Locator DNS resource records. +- If you disable this policy setting, DCs will not register DC Locator DNS resource records. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -2214,7 +2220,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index cea112d18a..63f4bdafb9 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Scripts Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Scripts > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. -If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. +- If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. -If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. +- If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, user account cross-fores > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,13 +106,13 @@ This policy setting determines how long the system waits for scripts applied by This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. -If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. +- If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. -This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the ""Run logon scripts synchronously"" setting to direct the system to wait for the logon scripts to complete before loading the desktop. +This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop. An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. -If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. +- If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. @@ -132,7 +130,7 @@ If you disable or do not configure this setting the system lets the combined set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -168,39 +166,35 @@ If you disable or do not configure this setting the system lets the combined set - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. - -If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. - -For example, assume the following scenario: - -There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. - -GPO B and GPO C include the following computer startup scripts: - -GPO B: B.cmd, B.ps1 -GPO C: C.cmd, C.ps1 - -Assume also that there are two computers, DesktopIT and DesktopSales. -For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: - -Within GPO B: B.ps1, B.cmd -Within GPO C: C.ps1, C.cmd - -For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales: - -Within GPO B: B.cmd, B.ps1 -Within GPO C: C.cmd, C.ps1 - -Note: This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: - -Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup -Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. + +For example, assume the following scenario: + +There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts: + +- GPO B: B.cmd, B.ps1 +- GPO C: C.cmd, C.ps1 + +Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: + +- Within GPO B: B.ps1, B.cmd +- Within GPO C: C.ps1, C.cmd + +For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales: + +- Within GPO B: B.cmd, B.ps1 +- Within GPO C: C.cmd, C.ps1 + +> [!NOTE] +> This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: +> +> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup +> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown @@ -214,7 +208,7 @@ Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shut > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -235,347 +229,6 @@ Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shut - -## Run_Logon_Script_Sync_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2 -``` - - - - -This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. - -If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. - -If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. - -This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Logon_Script_Sync | -| Friendly Name | Run logon scripts synchronously | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | RunLogonScriptSync | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_Shutdown_Script_Visible - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible -``` - - - - -This policy setting displays the instructions in shutdown scripts as they run. - -Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. - -If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. - -If you disable or do not configure this policy setting, the instructions are suppressed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Shutdown_Script_Visible | -| Friendly Name | Display instructions in shutdown scripts as they run | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | HideShutdownScripts | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_Startup_Script_Sync - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync -``` - - - - -This policy setting lets the system run startup scripts simultaneously. - -Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. - -If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. - -If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete. - -Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the ""Run startup scripts visible"" policy setting is enabled or not. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Startup_Script_Sync | -| Friendly Name | Run startup scripts asynchronously | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | RunStartupScriptSync | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_Startup_Script_Visible - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible -``` - - - - -This policy setting displays the instructions in startup scripts as they run. - -Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. - -If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. - -If you disable or do not configure this policy setting, the instructions are suppressed. - -Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Startup_Script_Visible | -| Friendly Name | Display instructions in startup scripts as they run | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | HideStartupScripts | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_User_PS_Scripts_First - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First -``` - - - - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. - -If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. - -For example, assume the following scenario: - -There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. - -GPO B and GPO C include the following user logon scripts: - -GPO B: B.cmd, B.ps1 -GPO C: C.cmd, C.ps1 - -Assume also that there are two users, Qin Hong and Tamara Johnston. -For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: - -Within GPO B: B.ps1, B.cmd -Within GPO C: C.ps1, C.cmd - -For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara: - -Within GPO B: B.cmd, B.ps1 -Within GPO C: C.cmd, C.ps1 - -Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: - -User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon -User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff - -This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_User_PS_Scripts_First | -| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff | -| Location | Computer and User Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | RunUserPSScriptsFirst | -| ADMX File Name | Scripts.admx | - - - - - - - - ## Run_Legacy_Logon_Script_Hidden @@ -597,9 +250,9 @@ This policy setting hides the instructions in logon scripts written for Windows Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. -If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. +- If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. -If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. +- If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting. @@ -619,7 +272,7 @@ Also, see the "Run Logon Scripts Visible" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -661,9 +314,9 @@ This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. -If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or do not configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. @@ -681,7 +334,7 @@ If you disable or do not configure this policy setting, the instructions are sup > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -721,9 +374,9 @@ If you disable or do not configure this policy setting, the instructions are sup This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. -If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. +- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. -If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. +- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. @@ -743,13 +396,13 @@ This policy setting appears in the Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Run_Logon_Script_Sync | +| Name | Run_Logon_Script_Sync_1 | | Friendly Name | Run logon scripts synchronously | | Location | User Configuration | | Path | System > Scripts | @@ -764,6 +417,68 @@ This policy setting appears in the Computer Configuration and User Configuration + +## Run_Logon_Script_Sync_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2 +``` + + + + +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. + +- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. + +- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. + +This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Sync_2 | +| Friendly Name | Run logon scripts synchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunLogonScriptSync | +| ADMX File Name | Scripts.admx | + + + + + + + + ## Run_Logon_Script_Visible @@ -785,9 +500,9 @@ This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. -If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or do not configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. @@ -805,7 +520,7 @@ If you disable or do not configure this policy setting, the instructions are sup > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -826,6 +541,281 @@ If you disable or do not configure this policy setting, the instructions are sup + +## Run_Shutdown_Script_Visible + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible +``` + + + + +This policy setting displays the instructions in shutdown scripts as they run. + +Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. + +- If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. + +- If you disable or do not configure this policy setting, the instructions are suppressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Shutdown_Script_Visible | +| Friendly Name | Display instructions in shutdown scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideShutdownScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Startup_Script_Sync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync +``` + + + + +This policy setting lets the system run startup scripts simultaneously. + +Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. + +- If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. + +- If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete. + +> [!NOTE] +> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Sync | +| Friendly Name | Run startup scripts asynchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunStartupScriptSync | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Startup_Script_Visible + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible +``` + + + + +This policy setting displays the instructions in startup scripts as they run. + +Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. + +- If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. + +- If you disable or do not configure this policy setting, the instructions are suppressed. + +> [!NOTE] +> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Visible | +| Friendly Name | Display instructions in startup scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideStartupScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_User_PS_Scripts_First + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` + + + + + + + + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. + +For example, assume the following scenario: + +There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following user logon scripts: + +- GPO B: B.cmd, B.ps1 +- GPO C: C.cmd, C.ps1 + +Assume also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: + +- Within GPO B: B.ps1, B.cmd +- Within GPO C: C.ps1, C.cmd + +For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara: + +- Within GPO B: B.cmd, B.ps1 +- Within GPO C: C.cmd, C.ps1 + +> [!NOTE] +> This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: +> +> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon +> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_User_PS_Scripts_First | +| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff | +| Location | Computer and User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunUserPSScriptsFirst | +| ADMX File Name | Scripts.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index dfce165594..0d3f1d6f32 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_StartMenu Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_StartMenu > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,535 +25,6 @@ ms.topic: reference - -## HidePowerOptions - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/HidePowerOptions -``` - - - - -This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. - -If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. - -If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | HidePowerOptions | -| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | -| Location | Computer Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | HidePowerOptions | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoChangeStartMenu - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu -``` - - - - -This policy setting allows you to prevent users from changing their Start screen layout. - -If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. - -If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoChangeStartMenu | -| Friendly Name | Prevent users from customizing their Start Screen | -| Location | User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoChangeStartMenu | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoMoreProgramsList - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList -``` - - - - -If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. - -Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. - -Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. - -Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. - -If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoMoreProgramsList | -| Friendly Name | Remove All Programs list from the Start menu | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoRun - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun -``` - - - - -Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. - -If you enable this setting, the following changes occur: - -(1) The Run command is removed from the Start menu. - -(2) The New Task (Run) command is removed from Task Manager. - -(3) The user will be blocked from entering the following into the Internet Explorer Address Bar: - ---- A UNC path: \\``\\`` - ----Accessing local drives: e.g., C: - ---- Accessing local folders: e.g., \temp> - -Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. - -If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. - - - -Note:This setting affects the specified interface only. It does not prevent users from using other methods to run programs. - -Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoRun | -| Friendly Name | Remove Run menu from Start Menu | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoRun | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoSetTaskbar - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar -``` - - - - -This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. - -If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. - -If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. - -If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoSetTaskbar | -| Friendly Name | Prevent changes to Taskbar and Start Menu Settings | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoSetTaskbar | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoTrayContextMenu - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu -``` - - - - -This policy setting allows you to remove access to the context menus for the taskbar. - -If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. - -If you disable or do not configure this policy setting, the context menus for the taskbar are available. - -This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoTrayContextMenu | -| Friendly Name | Remove access to the context menus for the taskbar | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoTrayContextMenu | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoUninstallFromStart - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart -``` - - - - -If you enable this setting, users cannot uninstall apps from Start. - -If you disable this setting or do not configure it, users can access the uninstall command from Start - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoUninstallFromStart | -| Friendly Name | Prevent users from uninstalling applications from Start | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | NoUninstallFromStart | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## StartPinAppsWhenInstalled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled -``` - - - - -This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | StartPinAppsWhenInstalled | -| Friendly Name | Pin Apps to Start when installed | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | StartPinAppsWhenInstalled | -| ADMX File Name | StartMenu.admx | - - - - - - - - ## AddSearchInternetLinkInStartMenu @@ -573,11 +42,11 @@ This policy setting allows pinning apps to Start by default, when they are inclu -If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. +- If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. -If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. +- If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. -If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. +- If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. @@ -595,7 +64,7 @@ If you do not configure this policy (default), there will not be a "Search the I > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -635,11 +104,12 @@ If you do not configure this policy (default), there will not be a "Search the I Clear history of recently opened documents on exit. -If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. +- If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. -If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. +- If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. -Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. +> [!NOTE] +> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected. @@ -665,7 +135,7 @@ This policy also does not clear items that the user may have pinned to the Jump > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -703,9 +173,9 @@ This policy also does not clear items that the user may have pinned to the Jump -If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. +- If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. -If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. +- If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. @@ -723,7 +193,7 @@ If you disable or do not configure this policy, the start menu recent programs l > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -761,9 +231,9 @@ If you disable or do not configure this policy, the start menu recent programs l -If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. +- If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. -If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. +- If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. @@ -783,7 +253,7 @@ This setting does not prevent new notifications from appearing. See the "Turn of > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -823,9 +293,9 @@ This setting does not prevent new notifications from appearing. See the "Turn of This policy setting allows desktop apps to be listed first in the Apps view in Start. -If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. +- If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. -If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. +- If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. @@ -843,7 +313,7 @@ If you disable or don't configure this policy setting, the desktop apps won't be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -885,9 +355,9 @@ This policy setting prevents the user from searching apps, files, settings (and This policy setting is only applied when the Apps view is set as the default view for Start. -If you enable this policy setting, searching from the Apps view will only search the list of installed apps. +- If you enable this policy setting, searching from the Apps view will only search the list of installed apps. -If you disable or don’t configure this policy setting, the user can configure this setting. +- If you disable or don't configure this policy setting, the user can configure this setting. @@ -905,7 +375,7 @@ If you disable or don’t configure this policy setting, the user can configure > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -947,13 +417,14 @@ This policy only applies to the classic version of the start menu and does not a Adds the "Log Off ``" item to the Start menu and prevents users from removing it. -If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. +- If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. -If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. +- If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. -Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. +> [!NOTE] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. @@ -973,7 +444,7 @@ Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1013,11 +484,11 @@ Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\ This policy setting allows users to go to the desktop instead of the Start screen when they sign in. -If you enable this policy setting, users will always go to the desktop when they sign in. +- If you enable this policy setting, users will always go to the desktop when they sign in. -If you disable this policy setting, users will always go to the Start screen when they sign in. +- If you disable this policy setting, users will always go to the Start screen when they sign in. -If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. +- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it. @@ -1035,7 +506,7 @@ If you don’t configure this policy setting, the default setting for the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1079,9 +550,10 @@ This setting makes it easier for users to distinguish between programs that are Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. -If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. +- If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. -Note: Enabling this setting can make the Start menu slow to open. +> [!NOTE] +> Enabling this setting can make the Start menu slow to open. @@ -1099,7 +571,7 @@ Note: Enabling this setting can make the Start menu slow to open. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1120,6 +592,66 @@ Note: Enabling this setting can make the Start menu slow to open. + +## HidePowerOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/HidePowerOptions +``` + + + + +This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +- If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. + +- If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HidePowerOptions | +| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HidePowerOptions | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## Intellimenus @@ -1141,11 +673,13 @@ Disables personalized menus. Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. -If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. +- If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. -Note: Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. +> [!NOTE] +> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. -Tip: To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. +> [!TIP] +> To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. @@ -1163,7 +697,7 @@ Tip: To Turn off personalized menus without specifying a setting, click Start, c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1205,11 +739,12 @@ This setting affects the taskbar, which is used to switch between running applic The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. -If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. +- If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. -If you disable this setting or do not configure it, the user can configure the taskbar position. +- If you disable this setting or do not configure it, the user can configure the taskbar position. -Note: Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. +> [!NOTE] +> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. @@ -1227,7 +762,7 @@ Note: Enabling this setting also locks the QuickLaunch bar and any other toolbar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1287,7 +822,7 @@ Enabling this setting adds a check box to the Run dialog box, giving users the o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1329,9 +864,9 @@ This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." -If you enable this setting, the system notification area expands to show all of the notifications that use this area. +- If you enable this setting, the system notification area expands to show all of the notifications that use this area. -If you disable this setting, the system notification area will always collapse notifications. +- If you disable this setting, the system notification area will always collapse notifications. If you do not configure it, the user can choose if they want notifications collapsed. @@ -1351,7 +886,7 @@ If you do not configure it, the user can choose if they want notifications colla > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1393,9 +928,9 @@ Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. -If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. +- If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. -If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. +- If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. @@ -1413,7 +948,7 @@ If you disable this setting or do not configure it, all pop-up text is displayed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1434,6 +969,70 @@ If you disable this setting or do not configure it, all pop-up text is displayed + +## NoChangeStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + + + + +This policy setting allows you to prevent users from changing their Start screen layout. + +- If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. + +- If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoChangeStartMenu | +| Friendly Name | Prevent users from customizing their Start Screen | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoClose @@ -1453,11 +1052,12 @@ If you disable this setting or do not configure it, all pop-up text is displayed This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. -If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. +- If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. -If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. +- If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. -Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. +> [!NOTE] +> Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. @@ -1475,7 +1075,7 @@ Note: Third-party programs certified as compatible with Microsoft Windows Vista, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1515,9 +1115,11 @@ Note: Third-party programs certified as compatible with Microsoft Windows Vista, Removes items in the All Users profile from the Programs menu on the Start menu. -By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. +By default, the Programs menu contains items from the All Users profile and items from the user's profile. +- If you enable this setting, only items in the user's profile appear in the Programs menu. -Tip: To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. +> [!TIP] +> To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. @@ -1535,7 +1137,7 @@ Tip: To see the Program menu items in the All Users profile, on the system drive > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1575,15 +1177,18 @@ Tip: To see the Program menu items in the All Users profile, on the system drive Prevents users from adding the Favorites menu to the Start menu or classic Start menu. -If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. +- If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. -If you disable or do not configure this setting, the Display Favorite item is available. +- If you disable or do not configure this setting, the Display Favorite item is available. -Note:The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. +> [!NOTE] +> The Favorites menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. -Note:The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. +> [!NOTE] +> The items that appear in the Favorites menu when you install Windows are pre-configured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. -Note:This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. +> [!NOTE] +> This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. @@ -1601,7 +1206,7 @@ Note:This setting only affects the Start menu. The Favorites item still appears > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1643,15 +1248,16 @@ This policy setting allows you to remove the Search link from the Start menu, an **Note** that this does not remove the search box from the new style Start menu. -If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. +- If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. -Note: Enabling this policy setting also prevents the user from using the F3 key. +> [!NOTE] +> Enabling this policy setting also prevents the user from using the F3 key. In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. -If you disable or do not configure this policy setting, the Search link is available from the Start menu. +- If you disable or do not configure this policy setting, the Search link is available from the Start menu. @@ -1669,7 +1275,7 @@ If you disable or do not configure this policy setting, the Search link is avail > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1707,9 +1313,9 @@ If you disable or do not configure this policy setting, the Search link is avail -If you enable this policy the start menu will not show a link to the Games folder. +- If you enable this policy the start menu will not show a link to the Games folder. -If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. +- If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. @@ -1727,7 +1333,7 @@ If you disable or do not configure this policy, the start menu will show a link > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1767,9 +1373,9 @@ If you disable or do not configure this policy, the start menu will show a link This policy setting allows you to remove the Help command from the Start menu. -If you enable this policy setting, the Help command is removed from the Start menu. +- If you enable this policy setting, the Help command is removed from the Start menu. -If you disable or do not configure this policy setting, the Help command is available from the Start menu. +- If you disable or do not configure this policy setting, the Help command is available from the Start menu. This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. @@ -1789,7 +1395,7 @@ This policy setting only affects the Start menu. It does not remove the Help men > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1829,9 +1435,9 @@ This policy setting only affects the Start menu. It does not remove the Help men This policy setting allows you to turn off user tracking. -If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. +- If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. -If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. +- If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". @@ -1853,7 +1459,7 @@ This policy setting does not prevent users from pinning programs to the Start Me > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1874,6 +1480,73 @@ This policy setting does not prevent users from pinning programs to the Start Me + +## NoMoreProgramsList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + + + + +- If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. + +Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. + +Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. + +Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. + +- If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoMoreProgramsList | +| Friendly Name | Remove All Programs list from the Start menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoNetAndDialupConnect @@ -1893,13 +1566,13 @@ This policy setting does not prevent users from pinning programs to the Start Me This policy setting allows you to remove Network Connections from the Start Menu. -If you enable this policy setting, users are prevented from running Network Connections. +- If you enable this policy setting, users are prevented from running Network Connections. Enabling this policy setting prevents the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu. Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. -If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. +- If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). @@ -1919,7 +1592,7 @@ Also, see the "Disable programs on Settings menu" and "Disable Control Panel" po > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1957,11 +1630,11 @@ Also, see the "Disable programs on Settings menu" and "Disable Control Panel" po -If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. +- If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. -If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. +- If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. @@ -1979,7 +1652,7 @@ If you disable this setting or do not configure it, the "Pinned Programs" list r > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2021,7 +1694,7 @@ Removes the Recent Items menu from the Start menu. Removes the Documents menu fr The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. -If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. +- If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. @@ -2029,7 +1702,8 @@ When the setting is disabled, the Recent Items menu appears in the Start Menu, a If the setting is not configured, users can turn the Recent Items menu on and off. -Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. +> [!NOTE] +> This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. @@ -2049,7 +1723,7 @@ This setting also does not hide document shortcuts displayed in the Open dialog > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2089,11 +1763,12 @@ This setting also does not hide document shortcuts displayed in the Open dialog This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. -If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. +- If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. -If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +- If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. -Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. @@ -2113,7 +1788,7 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2153,11 +1828,12 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. -If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. +- If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. -If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +- If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. -Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. @@ -2177,7 +1853,7 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2198,6 +1874,90 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use + +## NoRun + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + + + + +Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. + +- If you enable this setting, the following changes occur: + +(1) The Run command is removed from the Start menu. + +(2) The New Task (Run) command is removed from Task Manager. + +(3) The user will be blocked from entering the following into the Internet Explorer Address Bar: + +--- A UNC path: \\``\\`` + +---Accessing local drives: e.g., C: + +--- Accessing local folders: e.g., \temp> + +Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. + +- If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. + +> [!NOTE] +> This setting affects the specified interface only. It does not prevent users from using other methods to run programs. + +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoRun | +| Friendly Name | Remove Run menu from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRun | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoSearchCommInStartMenu @@ -2215,9 +1975,9 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use -If you enable this policy the start menu search box will not search for communications. +- If you enable this policy the start menu search box will not search for communications. -If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. +- If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. @@ -2235,7 +1995,7 @@ If you disable or do not configure this policy, the start menu will search for c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2273,9 +2033,9 @@ If you disable or do not configure this policy, the start menu will search for c -If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. +- If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. -If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. +- If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. @@ -2293,7 +2053,7 @@ If you disable or do not configure this policy, the "See all results" link will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2331,9 +2091,9 @@ If you disable or do not configure this policy, the "See all results" link will -If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. -If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. +- If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. @@ -2351,7 +2111,7 @@ If you disable or do not configure this policy, a "See more results" link will b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2389,9 +2149,10 @@ If you disable or do not configure this policy, a "See more results" link will b -If you enable this policy setting the Start menu search box will not search for files. +- If you enable this policy setting the Start menu search box will not search for files. -If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +- If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. +- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. @@ -2409,7 +2170,7 @@ If you disable or do not configure this policy setting, the Start menu will sear > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2447,9 +2208,9 @@ If you disable or do not configure this policy setting, the Start menu will sear -If you enable this policy the start menu search box will not search for internet history or favorites. +- If you enable this policy the start menu search box will not search for internet history or favorites. -If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. +- If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. @@ -2467,7 +2228,7 @@ If you disable or do not configure this policy, the start menu will search for f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2505,9 +2266,9 @@ If you disable or do not configure this policy, the start menu will search for f -If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. +- If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. -If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. +- If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. @@ -2525,7 +2286,7 @@ If you disable or do not configure this policy setting, the Start menu search bo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2565,11 +2326,11 @@ If you disable or do not configure this policy setting, the Start menu search bo This policy setting allows you to remove programs on Settings menu. -If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. +- If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. -If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. +- If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. @@ -2589,7 +2350,7 @@ Also, see the "Disable Control Panel," "Disable Display in Control Panel," and " > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2610,6 +2371,72 @@ Also, see the "Disable Control Panel," "Disable Display in Control Panel," and " + +## NoSetTaskbar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + + + + +This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + +- If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. + +If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. + +- If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSetTaskbar | +| Friendly Name | Prevent changes to Taskbar and Start Menu Settings | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSetTaskbar | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoSMConfigurePrograms @@ -2629,13 +2456,14 @@ Also, see the "Disable Control Panel," "Disable Display in Control Panel," and " This policy setting allows you to remove the Default Programs link from the Start menu. -If you enable this policy setting, the Default Programs link is removed from the Start menu. +- If you enable this policy setting, the Default Programs link is removed from the Start menu. Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. +- If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. -Note: This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. +> [!NOTE] +> This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. @@ -2653,7 +2481,7 @@ Note: This policy setting does not prevent the Set Default Programs for This Com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2693,11 +2521,12 @@ Note: This policy setting does not prevent the Set Default Programs for This Com This policy setting allows you to remove the Documents icon from the Start menu and its submenus. -If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. +- If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. -Note: To make changes to this policy setting effective, you must log off and then log on. +> [!NOTE] +> To make changes to this policy setting effective, you must log off and then log on. -If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. +- If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. Also, see the "Remove Documents icon on the desktop" policy setting. @@ -2717,7 +2546,7 @@ Also, see the "Remove Documents icon on the desktop" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2757,9 +2586,9 @@ Also, see the "Remove Documents icon on the desktop" policy setting. This policy setting allows you to remove the Music icon from Start Menu. -If you enable this policy setting, the Music icon is no longer available from Start Menu. +- If you enable this policy setting, the Music icon is no longer available from Start Menu. -If you disable or do not configure this policy setting, the Music icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Music icon is available from Start Menu. @@ -2777,7 +2606,7 @@ If you disable or do not configure this policy setting, the Music icon is availa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2817,9 +2646,9 @@ If you disable or do not configure this policy setting, the Music icon is availa This policy setting allows you to remove the Network icon from Start Menu. -If you enable this policy setting, the Network icon is no longer available from Start Menu. +- If you enable this policy setting, the Network icon is no longer available from Start Menu. -If you disable or do not configure this policy setting, the Network icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Network icon is available from Start Menu. @@ -2837,7 +2666,7 @@ If you disable or do not configure this policy setting, the Network icon is avai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2877,9 +2706,9 @@ If you disable or do not configure this policy setting, the Network icon is avai This policy setting allows you to remove the Pictures icon from Start Menu. -If you enable this policy setting, the Pictures icon is no longer available from Start Menu. +- If you enable this policy setting, the Pictures icon is no longer available from Start Menu. -If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. @@ -2897,7 +2726,7 @@ If you disable or do not configure this policy setting, the Pictures icon is ava > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2937,9 +2766,9 @@ If you disable or do not configure this policy setting, the Pictures icon is ava This policy setting allows you to remove the Downloads link from the Start Menu. -If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. +- If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. -If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. @@ -2957,7 +2786,7 @@ If you disable or do not configure this policy setting, the Downloads link is av > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2995,9 +2824,9 @@ If you disable or do not configure this policy setting, the Downloads link is av -If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. +- If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. -If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. +- If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. @@ -3015,7 +2844,7 @@ If you disable or do not configure this policy, users can use the Start Menu opt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3055,9 +2884,9 @@ If you disable or do not configure this policy, users can use the Start Menu opt This policy setting allows you to remove the Recorded TV link from the Start Menu. -If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. +- If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. -If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. @@ -3075,7 +2904,7 @@ If you disable or do not configure this policy setting, the Recorded TV link is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3117,11 +2946,11 @@ Hides all folders on the user-specific (top) section of the Start menu. Other it This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. -Note that this setting hides all user-specific folders, not just those associated with redirected folders. +**Note** that this setting hides all user-specific folders, not just those associated with redirected folders. -If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. +- If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. -If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. +- If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. @@ -3139,7 +2968,7 @@ If you disable this setting or do not configured it, Windows 2000 Professional a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3179,9 +3008,9 @@ If you disable this setting or do not configured it, Windows 2000 Professional a This policy setting allows you to remove the Videos link from the Start Menu. -If you enable this policy setting, the Start Menu does not show a link to the Videos library. +- If you enable this policy setting, the Start Menu does not show a link to the Videos library. -If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. @@ -3199,7 +3028,7 @@ If you disable or do not configure this policy setting, the Videos link is avail > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3241,11 +3070,11 @@ This setting affects the presentation of the Start menu. The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. -If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. +- If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. -If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. +- If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. -If you do not configure this setting, the default is the new style, and the user can change the view. +- If you do not configure this setting, the default is the new style, and the user can change the view. @@ -3263,7 +3092,7 @@ If you do not configure this setting, the default is the new style, and the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3303,9 +3132,9 @@ If you do not configure this setting, the default is the new style, and the user Prevents the clock in the system notification area from being displayed. -If you enable this setting, the clock will not be displayed in the system notification area. +- If you enable this setting, the clock will not be displayed in the system notification area. -If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. +- If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. @@ -3323,7 +3152,7 @@ If you disable or do not configure this setting, the default behavior of the clo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3365,7 +3194,7 @@ This setting affects the taskbar buttons used to switch between running programs Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. -If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. +- If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. @@ -3385,7 +3214,7 @@ If you disable or do not configure it, items on the taskbar that share the same > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3427,9 +3256,9 @@ This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. -If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. +- If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. -If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. +- If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. @@ -3447,7 +3276,7 @@ If this setting is disabled or is not configured, the taskbar displays all toolb > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3468,6 +3297,72 @@ If this setting is disabled or is not configured, the taskbar displays all toolb + +## NoTrayContextMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + + + + +This policy setting allows you to remove access to the context menus for the taskbar. + +- If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. + +- If you disable or do not configure this policy setting, the context menus for the taskbar are available. + +This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoTrayContextMenu | +| Friendly Name | Remove access to the context menus for the taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTrayContextMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoTrayItemsDisplay @@ -3489,11 +3384,12 @@ This setting affects the notification area (previously called the "system tray") Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. -If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. +- If this setting is enabled, the user's entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. -If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. +- If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. -Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. +> [!NOTE] +> Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. @@ -3511,7 +3407,7 @@ Note: Enabling this setting overrides the "Turn off notification area cleanup" s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3532,6 +3428,68 @@ Note: Enabling this setting overrides the "Turn off notification area cleanup" s + +## NoUninstallFromStart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + + + + +- If you enable this setting, users cannot uninstall apps from Start. + +- If you disable this setting or do not configure it, users can access the uninstall command from Start + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoUninstallFromStart | +| Friendly Name | Prevent users from uninstalling applications from Start | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUninstallFromStart | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoUserFolderOnStartMenu @@ -3549,9 +3507,9 @@ Note: Enabling this setting overrides the "Turn off notification area cleanup" s -If you enable this policy the start menu will not show a link to the user's storage folder. +- If you enable this policy the start menu will not show a link to the user's storage folder. -If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. +- If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. @@ -3569,7 +3527,7 @@ If you disable or do not configure this policy, the start menu will display a li > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3609,11 +3567,11 @@ If you disable or do not configure this policy, the start menu will display a li This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. -If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. +- If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. -If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. +- If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. @@ -3631,7 +3589,7 @@ If you disable or do not configure this policy setting, the user name label appe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3671,13 +3629,13 @@ If you disable or do not configure this policy setting, the user name label appe This policy setting allows you to remove links and access to Windows Update. -If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. +- If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. Enabling this policy setting blocks user access to the Windows Update Web site at . Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. -Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. +Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. -If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. +- If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. Also, see the "Hide the "Add programs from Microsoft" option" policy setting. @@ -3697,7 +3655,7 @@ Also, see the "Hide the "Add programs from Microsoft" option" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3737,11 +3695,11 @@ Also, see the "Hide the "Add programs from Microsoft" option" policy setting. Set the default action of the power button on the Start menu. -If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. +- If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down. -If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. +- If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. @@ -3759,13 +3717,13 @@ If you disable or do not configure this setting, the Start Menu power button wil > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PowerButtonAction_DisplayName | +| Name | PowerButtonAction | | Friendly Name | Change Start Menu power button | | Location | User Configuration | | Path | Start Menu and Taskbar | @@ -3798,11 +3756,11 @@ If you disable or do not configure this setting, the Start Menu power button wil This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. -If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. +- If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. -If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. +- If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. -If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. +- If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. @@ -3820,7 +3778,7 @@ If you do not configure this policy setting, then users will be able to turn the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3858,9 +3816,9 @@ If you do not configure this policy setting, then users will be able to turn the -If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. +- If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. -If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. +- If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. @@ -3878,7 +3836,7 @@ If you disable this setting or do not configure it, the "Undock PC" button remai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3918,9 +3876,9 @@ If you disable this setting or do not configure it, the "Undock PC" button remai This policy setting allows the Apps view to be opened by default when the user goes to Start. -If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. +- If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. -If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. +- If you disable or don't configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. @@ -3938,7 +3896,7 @@ If you disable or don’t configure this policy setting, the Start screen will a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3978,11 +3936,12 @@ If you disable or don’t configure this policy setting, the Start screen will a This policy setting shows or hides the "Run as different user" command on the Start application bar. -If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. +- If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. -If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. +- If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. -Note: This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. +> [!NOTE] +> This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. @@ -4000,7 +3959,7 @@ Note: This setting does not prevent users from using other methods, such as the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4038,7 +3997,8 @@ Note: This setting does not prevent users from using other methods, such as the -If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. +- If you enable this setting, the Run command is added to the Start menu. +- If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. @@ -4056,7 +4016,7 @@ If you enable this setting, the Run command is added to the Start menu. If you d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4096,9 +4056,9 @@ If you enable this setting, the Run command is added to the Start menu. If you d This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. -If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. +- If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. -If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. +- If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. @@ -4116,7 +4076,7 @@ If you disable or don't configure this policy setting, the Start screen will alw > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4156,13 +4116,14 @@ If you disable or don't configure this policy setting, the Start screen will alw This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. -If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. +- If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. -If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. +- If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. -Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. +> [!TIP] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. @@ -4182,7 +4143,7 @@ See also: "Remove Logoff" policy setting in User Configuration\Administrative Te > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4203,6 +4164,66 @@ See also: "Remove Logoff" policy setting in User Configuration\Administrative Te + +## StartPinAppsWhenInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + + + + +This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | StartPinAppsWhenInstalled | +| Friendly Name | Pin Apps to Start when installed | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | StartPinAppsWhenInstalled | +| ADMX File Name | StartMenu.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 37964f5ea5..ddb5e01490 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Taskbar Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Taskbar > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -52,9 +50,9 @@ This policy setting removes Notifications and Action Center from the notificatio The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. -If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. +- If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won't be able to review any notifications they miss. -If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. +- If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. A reboot is required for this policy setting to take effect. @@ -74,7 +72,7 @@ A reboot is required for this policy setting to take effect. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -95,70 +93,6 @@ A reboot is required for this policy setting to take effect. - -## TaskbarNoPinnedList - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList -``` - - - - -This policy setting allows you to remove pinned programs from the taskbar. - -If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. - -If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TaskbarNoPinnedList | -| Friendly Name | Remove pinned programs from the Taskbar | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | TaskbarNoPinnedList | -| ADMX File Name | Taskbar.admx | - - - - - - - - ## EnableLegacyBalloonNotifications @@ -178,11 +112,11 @@ If you disable or do not configure this policy setting, users can pin programs s This policy disables the functionality that converts balloons to toast notifications. -If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. +- If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications. -If you disable or don’t configure this policy setting, all notifications will appear as toast notifications. +- If you disable or don't configure this policy setting, all notifications will appear as toast notifications. A reboot is required for this policy setting to take effect. @@ -202,7 +136,7 @@ A reboot is required for this policy setting to take effect. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -242,9 +176,9 @@ A reboot is required for this policy setting to take effect. This policy setting allows you to remove Security and Maintenance from the system control area. -If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. +- If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. -If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. @@ -262,7 +196,7 @@ If you disable or do not configure this policy setting, the Security and Mainten > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -302,9 +236,9 @@ If you disable or do not configure this policy setting, the Security and Mainten This policy setting allows you to remove the networking icon from the system control area. -If you enable this policy setting, the networking icon is not displayed in the system notification area. +- If you enable this policy setting, the networking icon is not displayed in the system notification area. -If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. @@ -322,7 +256,7 @@ If you disable or do not configure this policy setting, the networking icon is d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -362,9 +296,9 @@ If you disable or do not configure this policy setting, the networking icon is d This policy setting allows you to remove the battery meter from the system control area. -If you enable this policy setting, the battery meter is not displayed in the system notification area. +- If you enable this policy setting, the battery meter is not displayed in the system notification area. -If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. +- If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. @@ -382,13 +316,13 @@ If you disable or do not configure this policy setting, the battery meter is dis > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | HideSCABattery | +| Name | HideSCAPower | | Friendly Name | Remove the battery meter | | Location | User Configuration | | Path | Start Menu and Taskbar | @@ -422,9 +356,9 @@ If you disable or do not configure this policy setting, the battery meter is dis This policy setting allows you to remove the volume control icon from the system control area. -If you enable this policy setting, the volume control icon is not displayed in the system notification area. +- If you enable this policy setting, the volume control icon is not displayed in the system notification area. -If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. @@ -442,7 +376,7 @@ If you disable or do not configure this policy setting, the volume control icon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -482,7 +416,7 @@ If you disable or do not configure this policy setting, the volume control icon This policy setting allows you to turn off feature advertisement balloon notifications. -If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. +- If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you disable do not configure this policy setting, feature advertisement balloons are shown. @@ -502,7 +436,7 @@ If you disable do not configure this policy setting, feature advertisement ballo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -542,9 +476,9 @@ If you disable do not configure this policy setting, feature advertisement ballo This policy setting allows you to control pinning the Store app to the Taskbar. -If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. +- If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. -If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. +- If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. @@ -562,7 +496,7 @@ If you disable or do not configure this policy setting, users can pin the Store > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -602,9 +536,9 @@ If you disable or do not configure this policy setting, users can pin the Store This policy setting allows you to control pinning items in Jump Lists. -If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. +- If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. -If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. +- If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. @@ -622,7 +556,7 @@ If you disable or do not configure this policy setting, users can pin files, fol > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -662,9 +596,9 @@ If you disable or do not configure this policy setting, users can pin files, fol This policy setting allows you to control pinning programs to the Taskbar. -If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. +- If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. -If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. +- If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. @@ -682,7 +616,7 @@ If you disable or do not configure this policy setting, users can change the pro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -724,11 +658,12 @@ This policy setting allows you to control displaying or tracking items in Jump L The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. -If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. +- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. -If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. +- If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. -Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do not allow pinning items in Jump Lists"" policy setting. +> [!NOTE] +> This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting. @@ -746,7 +681,7 @@ Note: This setting does not prevent Windows from displaying remote files that th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -786,9 +721,9 @@ Note: This setting does not prevent Windows from displaying remote files that th This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. -If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. +- If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. -If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. +- If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. @@ -806,7 +741,7 @@ If you disable or do not configure this policy setting, newly added notification > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -846,11 +781,11 @@ If you disable or do not configure this policy setting, newly added notification This policy setting allows users to see Windows Store apps on the taskbar. -If you enable this policy setting, users will see Windows Store apps on the taskbar. +- If you enable this policy setting, users will see Windows Store apps on the taskbar. -If you disable this policy setting, users won’t see Windows Store apps on the taskbar. +- If you disable this policy setting, users won't see Windows Store apps on the taskbar. -If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. +- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it. @@ -868,7 +803,7 @@ If you don’t configure this policy setting, the default setting for the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -908,9 +843,9 @@ If you don’t configure this policy setting, the default setting for the user This policy setting allows you to lock all taskbar settings. -If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. +- If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. -If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. +- If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. @@ -928,7 +863,7 @@ If you disable or do not configure this policy setting, the user will be able to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -968,9 +903,9 @@ If you disable or do not configure this policy setting, the user will be able to This policy setting allows you to prevent users from adding or removing toolbars. -If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. +- If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. -If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. +- If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. @@ -988,7 +923,7 @@ If you disable or do not configure this policy setting, the users and applicatio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1028,9 +963,9 @@ If you disable or do not configure this policy setting, the users and applicatio This policy setting allows you to prevent users from rearranging toolbars. -If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. +- If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. -If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. +- If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. @@ -1048,7 +983,7 @@ If you disable or do not configure this policy setting, users are able to rearra > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1088,9 +1023,9 @@ If you disable or do not configure this policy setting, users are able to rearra This policy setting allows you to prevent taskbars from being displayed on more than one monitor. -If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. +- If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. -If you disable or do not configure this policy setting, users can show taskbars on more than one display. +- If you disable or do not configure this policy setting, users can show taskbars on more than one display. @@ -1108,7 +1043,7 @@ If you disable or do not configure this policy setting, users can show taskbars > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1148,9 +1083,9 @@ If you disable or do not configure this policy setting, users can show taskbars This policy setting allows you to turn off all notification balloons. -If you enable this policy setting, no notification balloons are shown to the user. +- If you enable this policy setting, no notification balloons are shown to the user. -If you disable or do not configure this policy setting, notification balloons are shown to the user. +- If you disable or do not configure this policy setting, notification balloons are shown to the user. @@ -1168,7 +1103,7 @@ If you disable or do not configure this policy setting, notification balloons ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1189,6 +1124,70 @@ If you disable or do not configure this policy setting, notification balloons ar + +## TaskbarNoPinnedList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + + + + +This policy setting allows you to remove pinned programs from the taskbar. + +- If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. + +- If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TaskbarNoPinnedList | +| Friendly Name | Remove pinned programs from the Taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TaskbarNoPinnedList | +| ADMX File Name | Taskbar.admx | + + + + + + + + ## TaskbarNoRedock @@ -1208,9 +1207,9 @@ If you disable or do not configure this policy setting, notification balloons ar This policy setting allows you to prevent users from moving taskbar to another screen dock location. -If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). +- If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). -If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. +- If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. @@ -1228,7 +1227,7 @@ If you disable or do not configure this policy setting, users are able to drag t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1268,9 +1267,9 @@ If you disable or do not configure this policy setting, users are able to drag t This policy setting allows you to prevent users from resizing the taskbar. -If you enable this policy setting, users are not be able to resize their taskbar. +- If you enable this policy setting, users are not be able to resize their taskbar. -If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. +- If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. @@ -1288,7 +1287,7 @@ If you disable or do not configure this policy setting, users are able to resize > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1328,9 +1327,9 @@ If you disable or do not configure this policy setting, users are able to resize This policy setting allows you to turn off taskbar thumbnails. -If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. +- If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. -If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. +- If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. @@ -1348,7 +1347,7 @@ If you disable or do not configure this policy setting, the taskbar thumbnails a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 47389ccf0a..f0b95d516f 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -108,9 +108,9 @@ This policy setting lets you control the redirection of video capture devices to By default, Remote Desktop Services allows redirection of video capture devices. -If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. +- If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. -If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. +- If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. @@ -170,7 +170,7 @@ This policy setting allows you to specify the name of the certificate template t A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. -If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. +- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. @@ -234,9 +234,9 @@ If you disable or do not configure this policy, the certificate template name is This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. > [!NOTE] > You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -297,9 +297,9 @@ If you disable this policy setting, users cannot run .rdp files that are signed This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. > [!NOTE] > You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -360,9 +360,9 @@ If you disable this policy setting, users cannot run .rdp files that are signed This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. @@ -420,9 +420,9 @@ If you disable this policy setting, users cannot run unsigned .rdp files and .rd This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. @@ -483,11 +483,11 @@ Users can specify where to play the remote computer's audio output by configurin By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. -If you enable this policy setting, audio and video playback redirection is allowed. +- If you enable this policy setting, audio and video playback redirection is allowed. -If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. +- If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. -If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. +- If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. @@ -548,11 +548,11 @@ Users can specify whether to record audio to the remote computer by configuring By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. -If you enable this policy setting, audio recording redirection is allowed. +- If you enable this policy setting, audio recording redirection is allowed. -If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. +- If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. -If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. @@ -610,13 +610,13 @@ If you do not configure this policy setting, Audio recording redirection is not This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. -If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. +- If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. -If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. +- If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. @@ -675,11 +675,11 @@ This policy setting specifies whether to prevent the sharing of Clipboard conten You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. -If you enable this policy setting, users cannot redirect Clipboard data. +- If you enable this policy setting, users cannot redirect Clipboard data. -If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. +- If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. -If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. @@ -739,11 +739,11 @@ This policy setting specifies whether to prevent the redirection of data to clie You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. -If you enable this policy setting, users cannot redirect server data to the local COM port. +- If you enable this policy setting, users cannot redirect server data to the local COM port. -If you disable this policy setting, Remote Desktop Services always allows COM port redirection. +- If you disable this policy setting, Remote Desktop Services always allows COM port redirection. -If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. @@ -803,11 +803,11 @@ This policy setting allows you to specify whether the client default printer is By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. -If you enable this policy setting, the default printer is the printer specified on the remote computer. +- If you enable this policy setting, the default printer is the printer specified on the remote computer. -If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. +- If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. -If you do not configure this policy setting, the default printer is not specified at the Group Policy level. +- If you do not configure this policy setting, the default printer is not specified at the Group Policy level. @@ -983,11 +983,11 @@ This policy setting specifies whether to prevent the redirection of data to clie You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. -If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. +- If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. -If you disable this policy setting, LPT port redirection is always allowed. +- If you disable this policy setting, LPT port redirection is always allowed. -If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. @@ -1047,9 +1047,10 @@ This policy setting lets you control the redirection of supported Plug and Play By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. -If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. +- If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. -If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. +- If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. +- If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. > [!NOTE] > You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. @@ -1112,11 +1113,11 @@ This policy setting allows you to specify whether to prevent the mapping of clie You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. -If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. +- If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. -If you disable this policy setting, users can redirect print jobs with client printer mapping. +- If you disable this policy setting, users can redirect print jobs with client printer mapping. -If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. +- If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. @@ -1174,9 +1175,9 @@ If you do not configure this policy setting, client printer mapping is not speci This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. +- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. **Note**: @@ -1241,9 +1242,9 @@ If the list contains a string that is not a certificate thumbprint, it is ignore This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. +- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. **Note**: @@ -1308,9 +1309,9 @@ If the list contains a string that is not a certificate thumbprint, it is ignore This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. -If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. +- If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. -If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. +- If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. @@ -1370,9 +1371,9 @@ This policy setting allows you to specify the maximum color resolution (color de You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. +- If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. -If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. **Note**: @@ -1444,9 +1445,9 @@ This policy setting allows you to limit the size of the entire roaming user prof > [!NOTE] > If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. -If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. +- If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. -If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. +- If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. > [!NOTE] > This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. @@ -1571,11 +1572,11 @@ If the status is set to Not Configured, the default behavior applies. This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. -If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. +- If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. -If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. +- If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. -If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. +- If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. @@ -1635,9 +1636,9 @@ NOTE: The policy setting enables load-balancing of graphics processing units (GP This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. +- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. +- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. > [!NOTE] > If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1698,9 +1699,9 @@ If you disable this policy setting, the RD Session Host server tries to find a s This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. +- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. +- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. > [!NOTE] > If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1765,11 +1766,11 @@ When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. -If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. +- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. -If you disable this policy setting, RemoteFX will be disabled. +- If you disable this policy setting, RemoteFX will be disabled. -If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. +- If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. @@ -1829,7 +1830,7 @@ This policy setting allows you to specify the RD Session Host server fallback pr By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. -If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: +- If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: "Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. @@ -1839,9 +1840,9 @@ If you enable this policy setting, the fallback printer driver is enabled, and t "Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. -If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. +- If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. -If you do not configure this policy setting, the fallback printer driver behavior is off by default. +- If you do not configure this policy setting, the fallback printer driver behavior is off by default. > [!NOTE] > If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. @@ -1904,9 +1905,9 @@ This policy setting determines whether an administrator attempting to connect re This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. -If you enable this policy setting, logging off the connected administrator is not allowed. +- If you enable this policy setting, logging off the connected administrator is not allowed. -If you disable or do not configure this policy setting, logging off the connected administrator is allowed. +- If you disable or do not configure this policy setting, logging off the connected administrator is allowed. > [!NOTE] > The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. @@ -1969,7 +1970,7 @@ Specifies the authentication method that clients must use when attempting to con To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. -If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. +- If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. @@ -2024,7 +2025,7 @@ If you disable or do not configure this policy setting, the authentication metho -If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. +- If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. @@ -2033,7 +2034,7 @@ You can enforce this policy setting or you can allow users to overwrite this set To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. +- If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. @@ -2156,13 +2157,14 @@ This policy setting allows you to specify whether the RD Session Host server sho If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. -If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. +- If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. If the policy setting is not configured, the policy setting is not specified at the Group Policy level. **Note**: -1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. +1. +- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2224,9 +2226,9 @@ This policy setting allows you to enter a keep-alive interval to ensure that the After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. -If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. +- If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. -If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. +- If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. @@ -2286,11 +2288,11 @@ This policy setting allows you to specify the RD Session Host servers to which a You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. -If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. +- If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. -If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. +- If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. > [!NOTE] > You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. @@ -2351,13 +2353,13 @@ If you disable or do not configure this policy setting, the Remote Desktop licen This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. -If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: +- If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. 2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. -If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. +- If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. @@ -2416,9 +2418,9 @@ This policy setting determines whether notifications are displayed on an RD Sess By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. -If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. +- If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. -If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. +- If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. @@ -2481,9 +2483,9 @@ Per User licensing mode requires that each user account connecting to this RD Se Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. -If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. +- If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. -If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. @@ -2606,9 +2608,9 @@ If the status is set to Disabled or Not Configured, limits to the number of conn This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. +- If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. -If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. +- If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. @@ -2665,9 +2667,9 @@ If you disable or do not configure this policy setting, the maximum resolution t This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. +- If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. -If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. @@ -2726,9 +2728,9 @@ This policy setting allows you to remove the "Disconnect" option from the Shut D You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. -If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. +- If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. -If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. +- If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. > [!NOTE] > This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. @@ -2856,9 +2858,9 @@ By default, if the most appropriate RDS CAL is not available for a connection, a * A client connecting to a Windows Server 2003 terminal server * A client connecting to a Windows 2000 terminal server -If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. +- If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. -If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. +- If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. @@ -2916,12 +2918,12 @@ If you disable or do not configure this policy setting, the license server will This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. -If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. +- If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. > [!NOTE] > If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. -If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. +- If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. @@ -2981,9 +2983,9 @@ This policy setting specifies the default connection URL for RemoteApp and Deskt The default connection URL must be configured in the form of . -If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. +- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. -If you disable or do not configure this policy setting, the user has no default connection URL. +- If you disable or do not configure this policy setting, the user has no default connection URL. > [!NOTE] > RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. @@ -3045,9 +3047,9 @@ This policy setting allows you to specify whether the app registration is comple By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. -If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. +- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. -If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. +- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. @@ -3103,7 +3105,7 @@ If you disable or do not configure this policy setting, the Start screen is show -If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: +- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. @@ -3113,7 +3115,7 @@ If you enable this policy setting, administrators can interact with a user's Rem 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. +- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. @@ -3168,7 +3170,7 @@ If you disable this policy setting, administrators can interact with a user's Re -If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: +- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. @@ -3178,7 +3180,7 @@ If you enable this policy setting, administrators can interact with a user's Rem 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. +- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. @@ -3239,7 +3241,8 @@ Depending on the requirements of your users, you can reduce network bandwidth us If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. -By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. +- If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). @@ -3298,9 +3301,9 @@ This policy setting allows you to specify the name of a farm to join in RD Conne If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. -If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. +- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. -If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. **Note**: @@ -3363,11 +3366,11 @@ If you disable or do not configure this policy setting, the farm name is not spe This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. -If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. +- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. -If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. +- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. -If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. +- If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. **Note**: @@ -3429,9 +3432,9 @@ If you do not configure this policy setting, the Use IP address redirection poli This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. -If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. +- If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. -If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. **Note**: @@ -3496,7 +3499,7 @@ If you disable or do not configure this policy setting, the policy setting is no This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: * Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. @@ -3504,7 +3507,7 @@ If you enable this policy setting, all communications between clients and RD Ses * SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. -If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. @@ -3569,7 +3572,7 @@ If you disable Continuous Network Detect, Remote Desktop Protocol will not try t If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. -If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. +- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. @@ -3626,7 +3629,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. -If you enable this policy setting, you must specify if you would like RDP to use UDP. +- If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" @@ -3634,7 +3637,7 @@ If you select "Use either UDP or TCP" and the UDP connection is successful, most If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. -If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. +- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. @@ -3691,9 +3694,9 @@ If you disable or do not configure this policy setting, RDP will choose the opti This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. -If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. +- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. -If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. +- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. @@ -3751,7 +3754,7 @@ If you disable this policy setting, RemoteApp programs published from this RD Se This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. -If you enable this policy setting, you must specify one of the following settings: +- If you enable this policy setting, you must specify one of the following settings: Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. @@ -3759,7 +3762,7 @@ Warn me if authentication fails: The client attempts to authenticate the RD Sess Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. -If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. +- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. @@ -3930,11 +3933,11 @@ This policy setting allows you to specify which Remote Desktop Protocol (RDP) co By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. -If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. +- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. -If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. +- If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. @@ -3990,11 +3993,11 @@ If you disable or do not configure this policy setting, the default RDP compress This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. -If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. -If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. -If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. -If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. -If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. +- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. +- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. +- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. +- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. +- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. @@ -4049,7 +4052,9 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi -This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. +This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. +- If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. +- If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. @@ -4107,14 +4112,14 @@ This policy setting allows you to configure graphics encoding to use the RemoteF This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. -If you enable this policy setting, the RemoteFX experience could be set to one of the following options: +- If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition 2. Optimize for server scalability 3. Optimize for minimum bandwidth usage -If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." +- If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." @@ -4173,9 +4178,9 @@ This policy setting allows you to specify the visual experience that remote user By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. -If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. +- If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. -If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. +- If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. @@ -4232,9 +4237,9 @@ If you disable or do not configure this policy setting, Remote Desktop Services This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. -If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. +- If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. -If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. +- If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. @@ -4298,11 +4303,11 @@ You can use this setting to direct Remote Desktop Services to end a session (tha Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. +- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. -If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. > [!NOTE] > This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. @@ -4367,11 +4372,11 @@ You can use this setting to direct Remote Desktop Services to end a session (tha Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. +- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. -If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. > [!NOTE] > This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. @@ -4436,9 +4441,9 @@ You can use this policy setting to specify the maximum amount of time that a dis When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. > [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -4502,9 +4507,9 @@ You can use this policy setting to specify the maximum amount of time that a dis When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. > [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -4564,9 +4569,9 @@ If you disable or do not configure this policy setting, this policy setting is n This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4628,9 +4633,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4692,9 +4697,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4756,9 +4761,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4820,11 +4825,11 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to restrict users to a single Remote Desktop Services session. -If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. +- If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. -If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. +- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. -If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. +- If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. @@ -4882,9 +4887,9 @@ If you do not configure this policy setting, this policy setting is not specifie This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. -If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. +- If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. -If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. +- If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. > [!NOTE] > The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. @@ -5084,11 +5089,11 @@ This policy setting specifies whether Remote Desktop Services retains a user's p You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. -If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. +- If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. -If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. +- If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. -If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. +- If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. > [!NOTE] > This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. @@ -5151,11 +5156,11 @@ This policy setting allows you to prevent Remote Desktop Services from creating You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. -If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. +- If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. -If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. +- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. -If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. +- If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. @@ -5213,9 +5218,9 @@ If you do not configure this policy setting, per-session temporary folders are c This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session. -If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). +- If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). -If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. +- If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. > [!NOTE] > Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. @@ -5278,9 +5283,9 @@ This policy setting specifies whether to disable the administrator rights to cus You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. -If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. +- If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. -If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. +- If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. > [!NOTE] > The preferred method of managing user access is by adding a user to the Remote Desktop Users group. @@ -5341,9 +5346,9 @@ If you disable or do not configure this policy setting, server administrators ha This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. -If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. +- If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. -If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. +- If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. > [!NOTE] > If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. @@ -5410,7 +5415,7 @@ Remote Desktop sessions don't currently support UI Automation redirection. If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session. -If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. +- If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. @@ -5468,9 +5473,9 @@ If you disable this policy setting, UI Automation clients running on your local This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. -If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. +- If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. -If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. +- If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. @@ -5529,13 +5534,13 @@ For this change to take effect, you must restart Windows. This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. -If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. +- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. -If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. +- If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. -If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. +- If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. > [!IMPORTANT] > Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. @@ -5662,9 +5667,9 @@ If the status is set to Disabled or Not Configured, the user's home directory is This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. -If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. +- If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. -If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. +- If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. **Note**: @@ -5728,11 +5733,11 @@ This policy setting allows you to specify the network path that Remote Desktop S By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. -If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. +- If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. -If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. +- If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. **Note**: From c2b331c8118f0d3290c506781f3bb56ed57a5d91 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 9 Jan 2023 13:01:28 -0500 Subject: [PATCH 123/152] Add final set of CSPs --- .../mdm/policy-csp-admx-disknvcache.md | 362 +- .../mdm/policy-csp-admx-diskquota.md | 670 +- .../policy-csp-admx-locationprovideradm.md | 5 +- ...icy-csp-admx-microsoftdefenderantivirus.md | 8444 +++++++++-------- .../mdm/policy-csp-admx-mmc.md | 504 +- .../mdm/policy-csp-admx-pushtoinstall.md | 119 +- .../mdm/policy-csp-admx-radar.md | 135 +- .../mdm/policy-csp-admx-soundrec.md | 218 +- .../mdm/policy-csp-admx-srmfci.md | 322 +- .../mdm/policy-csp-admx-windowscolorsystem.md | 204 +- .../mdm/policy-csp-printers.md | 1988 ++-- 11 files changed, 7213 insertions(+), 5758 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 679efe6819..80b531a03c 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,200 +1,296 @@ --- -title: Policy CSP - ADMX_DiskNVCache -description: Learn about Policy CSP - ADMX_DiskNVCache. +title: ADMX_DiskNVCache Policy CSP +description: Learn more about the ADMX_DiskNVCache Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DiskNVCache - -
    - - -## ADMX_DiskNVCache policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
    -
    - ADMX_DiskNVCache/BootResumePolicy -
    -
    - ADMX_DiskNVCache/FeatureOffPolicy -
    -
    - ADMX_DiskNVCache/SolidStatePolicy -
    -
    + +## BootResumePolicy + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/BootResumePolicy +``` + - -**ADMX_DiskNVCache/BootResumePolicy** - + + +This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. - -
    +- If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. -> [!div class = "checklist"] -> * Device +> [!NOTE] +> This policy setting is applicable only if the NV cache feature is on. + -
    + + + - - -This policy setting turns off the boot and resumes optimizations for the hybrid hard disks in the system. + +**Description framework properties**: -If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -The system determines the data that will be stored in the NV cache to optimize boot and resume. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. +**ADMX mapping**: -This policy setting is applicable only if the NV cache feature is on. +| Name | Value | +|:--|:--| +| Name | BootResumePolicy | +| Friendly Name | Turn off boot and resume optimizations | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | OptimizeBootAndResume | +| ADMX File Name | DiskNVCache.admx | + - + + + - -ADMX Info: -- GP Friendly name: *Turn off boot and resume optimizations* -- GP name: *BootResumePolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* + - - -
    + +## CachePowerModePolicy -**ADMX_DiskNVCache/FeatureOffPolicy** - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/CachePowerModePolicy +``` + - -
    + + +This policy setting turns off power save mode on the hybrid hard disks in the system. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, the hard disks are not put into NV cache power save mode and no power savings are achieved. -> [!div class = "checklist"] -> * Device +- If you disable this policy setting, the hard disks are put into an NV cache power saving mode. In this mode, the system tries to save power by aggressively spinning down the disk. -
    +- If you do not configure this policy setting, the default behavior is to allow the hybrid hard disks to be in power save mode. - - -This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. +> [!NOTE] +> This policy setting is applicable only if the NV cache feature is on. + -To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. + + + -If you enable this policy setting, the system won't manage the NV cache and won't enable NV cache power saving mode. + +**Description framework properties**: -If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: - -ADMX Info: -- GP Friendly name: *Turn off non-volatile cache feature* -- GP name: *FeatureOffPolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* +| Name | Value | +|:--|:--| +| Name | CachePowerModePolicy | +| Friendly Name | Turn off cache power mode | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | EnablePowerModeState | +| ADMX File Name | DiskNVCache.admx | + - - + + + -
    + - -**ADMX_DiskNVCache/SolidStatePolicy** - + +## FeatureOffPolicy -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/FeatureOffPolicy +``` + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + +This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache. -> [!div class = "checklist"] -> * Device +- If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode. -
    +- If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured. - - +> [!NOTE] +> This policy setting will take effect on next boot. + +- If you do not configure this policy setting, the default behavior is to turn on support for the NV cache. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FeatureOffPolicy | +| Friendly Name | Turn off non-volatile cache feature | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | EnableNvCache | +| ADMX File Name | DiskNVCache.admx | + + + + + + + + + +## SolidStatePolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskNVCache/SolidStatePolicy +``` + + + + This policy setting turns off the solid state mode for the hybrid hard disks. -If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. +- If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. -If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. +- If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. **Note** that this can cause increased wear of the NV cache. -This can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. +- If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. ->[!Note] +> [!NOTE] > This policy setting is applicable only if the NV cache feature is on. + + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off solid state mode* -- GP name: *SolidStatePolicy* -- GP path: *System\Disk NV Cache* -- GP ADMX file name: *DiskNVCache.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | SolidStatePolicy | +| Friendly Name | Turn off solid state mode | +| Location | Computer Configuration | +| Path | System > Disk NV Cache | +| Registry Key Name | Software\Policies\Microsoft\Windows\NvCache | +| Registry Value Name | EnableSolidStateMode | +| ADMX File Name | DiskNVCache.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 35d3111b03..0c1693728b 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,365 +1,437 @@ --- -title: Policy CSP - ADMX_DiskQuota -description: Learn about Policy CSP - ADMX_DiskQuota. +title: ADMX_DiskQuota Policy CSP +description: Learn more about the ADMX_DiskQuota Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/12/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_DiskQuota - -
    - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - -## ADMX_DiskQuota policies + + + + +## DQ_Enable -
    -
    - ADMX_DiskQuota/DQ_RemovableMedia -
    -
    - ADMX_DiskQuota/DQ_Enable -
    -
    - ADMX_DiskQuota/DQ_Enforce -
    -
    - ADMX_DiskQuota/DQ_LogEventOverLimit -
    -
    - ADMX_DiskQuota/DQ_LogEventOverThreshold -
    -
    - ADMX_DiskQuota/DQ_Limit -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_Enable +``` + -
    - - -**ADMX_DiskQuota/DQ_RemovableMedia** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media. - -If you disable or don't configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. - -When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. - - - - -ADMX Info: -- GP Friendly name: *Apply policy to removable media* -- GP name: *DQ_RemovableMedia* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* - - - - -
    - - -**ADMX_DiskQuota/DQ_Enable** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. -If you enable this policy setting, disk quota management is turned on, and users can't turn it off. +- If you enable this policy setting, disk quota management is turned on, and users cannot turn it off. -If you disable the policy setting, disk quota management is turned off, and users can't turn it on. When this policy setting isn't configured then the disk quota management is turned off by default, and the administrators can turn it on. +- If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. + +- If this policy setting is not configured, disk quota management is turned off by default, but administrators can turn it on. To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes. -This policy setting turns on disk quota management but doesn't establish or enforce a particular disk quota limit. +> [!NOTE] +> This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. -To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. +> [!NOTE] +> To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + -To turn on or turn off disk quota management without specifying a setting, in My Computer, right-click the name of an NTFS volume, click Properties, click the Quota tab, and then click "Enable quota management." + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable disk quotas* -- GP name: *DQ_Enable* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | DQ_Enable | +| Friendly Name | Enable disk quotas | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | Enable | +| ADMX File Name | DiskQuota.admx | + - -**ADMX_DiskQuota/DQ_Enforce** - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## DQ_Enforce - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_Enforce +``` + -
    - - - + + This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting. -If you enable this policy setting, disk quota limits are enforced. +- If you enable this policy setting, disk quota limits are enforced. +- If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect. -If you disable this policy setting, disk quota limits aren't enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators can't make changes while the setting is in effect. +- If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. -If you don't configure this policy setting, the disk quota limit isn't enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available. +Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes, but they can continue to write to the volume as long as physical space is available. -This policy setting overrides user settings that enable or disable quota enforcement on their volumes. +> [!NOTE] +> This policy setting overrides user settings that enable or disable quota enforcement on their volumes. -To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. +> [!NOTE] +> To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit. + - + + + - -ADMX Info: -- GP Friendly name: *Enforce disk quota limit* -- GP name: *DQ_Enforce* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -**ADMX_DiskQuota/DQ_LogEventOverLimit** - +| Name | Value | +|:--|:--| +| Name | DQ_Enforce | +| Friendly Name | Enforce disk quota limit | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | Enforce | +| ADMX File Name | DiskQuota.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DQ_Limit -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_Limit +``` + - - -This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. - -If you enable this policy setting, the system records an event when the user reaches their limit. - -If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators can't change the setting while a setting is in effect. If you don't configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. - -This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their limit, because their status in the Quota Entries window changes. - -To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. - - - - - -ADMX Info: -- GP Friendly name: *Log event when quota limit is exceeded* -- GP name: *DQ_LogEventOverLimit* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* - - - -
    - - - -**ADMX_DiskQuota/DQ_LogEventOverThreshold** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. - -If you enable this policy setting, the system records an event. - -If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators can't change logging while a policy setting is in effect. - -If you don't configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their warning level because their status in the Quota Entries window changes. - -To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. - - - - -ADMX Info: -- GP Friendly name: *Log event when quota warning level is exceeded* -- GP name: *DQ_LogEventOverThreshold* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* - - - - -
    - - - -**ADMX_DiskQuota/DQ_Limit** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting specifies the default disk quota limit and warning level for new users of the volume. + This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit. -This setting overrides new users’ settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. -This policy setting applies to all new users as soon as they write to the volume. It doesn't affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). +This setting overrides new users' settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab. -If you disable or don't configure this policy setting, the disk space available to users isn't limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it's reasonable for the range of volumes in the group. +This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties). -This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas aren't enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. +- If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. - +When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group. - -ADMX Info: -- GP Friendly name: *Specify default quota limit and warning level* -- GP name: *DQ_Limit* -- GP path: *System\Disk Quotas* -- GP ADMX file name: *DiskQuota.admx* +This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume. + - - + + + -
    + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -## Related topics + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_Limit | +| Friendly Name | Specify default quota limit and warning level | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + +## DQ_LogEventOverLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_LogEventOverLimit +``` + + + + +This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. + +- If you enable this policy setting, the system records an event when the user reaches their limit. +- If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. + +- If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting. + +This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. + +Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes. + +> [!NOTE] +> To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_LogEventOverLimit | +| Friendly Name | Log event when quota limit is exceeded | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | LogEventOverLimit | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + +## DQ_LogEventOverThreshold + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_LogEventOverThreshold +``` + + + + +This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. + +- If you enable this policy setting, the system records an event. +- If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect. + +- If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. + +This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes. + +> [!NOTE] +> To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_LogEventOverThreshold | +| Friendly Name | Log event when quota warning level is exceeded | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | LogEventOverThreshold | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + +## DQ_RemovableMedia + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DiskQuota/DQ_RemovableMedia +``` + + + + +This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media. + +- If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only + +> [!NOTE] +> When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DQ_RemovableMedia | +| Friendly Name | Apply policy to removable media | +| Location | Computer Configuration | +| Path | System > Disk Quotas | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\DiskQuota | +| Registry Value Name | ApplyToRemovableMedia | +| ADMX File Name | DiskQuota.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index 1c2c560e41..18f83b496c 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -24,8 +24,9 @@ ms.topic: reference > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -[!WARNING] -Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!WARNING] +> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index db7d591d25..865a8854ec 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,819 +1,655 @@ --- -title: Policy CSP - ADMX_MicrosoftDefenderAntivirus -description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus. +title: ADMX_MicrosoftDefenderAntivirus Policy CSP +description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 08/19/2022 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MicrosoftDefenderAntivirus ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MicrosoftDefenderAntivirus policies + +## AllowFastServiceStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths -
    -
    - ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications -
    -
    - ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders -
    -
    - ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid -
    -
    - ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyBypass -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl -
    -
    - ADMX_MicrosoftDefenderAntivirus/ProxyServer -
    -
    - ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring -
    -
    - ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents -
    -
    - ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval -
    -
    - ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup -
    -
    - ADMX_MicrosoftDefenderAntivirus/SpynetReporting -
    -
    - ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting -
    -
    - ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification -
    -
    - ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup +``` + -
    - - -**ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - + + This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. -If you enable or don't configure this setting, the antimalware service will load as a normal priority task. +- If you enable or do not configure this setting, the antimalware service will load as a normal priority task. -If you disable this setting, the antimalware service will load as a low priority task. +- If you disable this setting, the antimalware service will load as a low priority task. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow antimalware service to startup with normal priority* -- GP name: *AllowFastServiceStartup* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AllowFastServiceStartup | +| Friendly Name | Allow antimalware service to startup with normal priority | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | AllowFastServiceStartup | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAntiSpywareDefender -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender +``` + - - + + This policy setting turns off Microsoft Defender Antivirus. -If you enable this policy setting, Microsoft Defender Antivirus doesn't run, and won't scan computers for malware or other potentially unwanted software. +- If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. -If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. +- If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. -If you don't configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. +- If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. -Enabling or disabling this policy may lead to unexpected or unsupported behavior. It's recommended that you leave this policy setting unconfigured. +Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off Microsoft Defender Antivirus* -- GP name: *DisableAntiSpywareDefender* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableAntiSpywareDefender | +| Friendly Name | Turn off Microsoft Defender Antivirus | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | DisableAntiSpyware | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableAutoExclusions -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions +``` + - - + + Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. -If you disable or don't configure this policy setting, Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance. It is disabled by default. +Disabled (Default): +Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. -If you enable this policy setting, Microsoft Defender Antivirus won't exclude pre-defined list of paths from scans. This non-exclusion can impact machine performance in some scenarios. +Enabled: +Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. - +Not configured: +Same as Disabled. + + + + - -ADMX Info: -- GP Friendly name: *Turn off Auto Exclusions* -- GP name: *DisableAutoExclusions* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | DisableAutoExclusions | +| Friendly Name | Turn off Auto Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | DisableAutoExclusions | +| ADMX File Name | WindowsDefender.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## DisableBlockAtFirstSeen -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check won't occur, which will lower the protection state of the device. + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen +``` + -If you enable this feature, the Block at First Sight setting is turned on. -If you disable this feature, the Block at First Sight setting is turned off. + + +This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. +Enabled - The Block at First Sight setting is turned on. +Disabled - The Block at First Sight setting is turned off. -This feature requires these Policy settings to be set as follows: +This feature requires these Group Policy settings to be set as follows: +MAPS -> The "Join Microsoft MAPS" must be enabled or the "Block at First Sight" feature will not function. +MAPS -> The "Send file samples when further analysis is required" should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. +Real-time Protection -> The "Scan all downloaded files and attachments" policy must be enabled or the "Block at First Sight" feature will not function. +Real-time Protection -> Do not enable the "Turn off real-time protection" policy or the "Block at First Sight" feature will not function. + -- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature won't function. -- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature won't function. -- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature won't function. -- Real-time Protection -> don't enable the “Turn off real-time protection” policy or the “Block at First Sight” feature won't function. + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure the 'Block at First Sight' feature* -- GP name: *DisableBlockAtFirstSeen* -- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableBlockAtFirstSeen | +| Friendly Name | Configure the 'Block at First Sight' feature | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | DisableBlockAtFirstSeen | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableLocalAdminMerge -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge +``` + - - -This policy setting controls whether or not complex list settings configured by a local administrator are merged with Policy settings. This setting applies to lists such as threats and Exclusions. + + +This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. -If you enable or don't configure this setting, unique items defined in Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, Policy Settings will override preference settings. +- If you disable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. -If you disable this setting, only items defined by Policy will be used in the resulting effective policy. Policy settings will override preference settings configured by the local administrator. +- If you enable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure local administrator merge behavior for lists* -- GP name: *DisableLocalAdminMerge* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableLocalAdminMerge | +| Friendly Name | Configure local administrator merge behavior for lists | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | DisableLocalAdminMerge | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRealtimeMonitoring -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring +``` + - - -This policy setting turns off real-time protection prompts for known malware detection. + + +This policy turns off real-time protection in Microsoft Defender Antivirus. -Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. +Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections. -If you enable this policy setting, Microsoft Defender Antivirus won't prompt users to take actions on malware detections. +- If you enable this policy setting, real-time protection is turned off. -If you disable or don't configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. +If you either disable or do not configure this policy setting, real-time protection is turned on. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off real-time protection* -- GP name: *DisableRealtimeMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRealtimeMonitoring | +| Friendly Name | Turn off real-time protection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableRealtimeMonitoring | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## DisableRoutinelyTakingAction -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction +``` + - - + + This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. -If you enable this policy setting, Microsoft Defender Antivirus doesn't automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. +- If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. -If you disable or don't configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. +- If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off routine remediation* -- GP name: *DisableRoutinelyTakingAction* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableRoutinelyTakingAction | +| Friendly Name | Turn off routine remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | DisableRoutinelyTakingAction | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Exclusions_Extensions -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions +``` + - - -This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value isn't used and it's recommended that this value is set to 0. + + +This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Extension Exclusions* -- GP name: *Exclusions_Extensions* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Exclusions_Extensions | +| Friendly Name | Extension Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Extensions | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Exclusions_Paths -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths +``` + - - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. + + +This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + -As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value isn't used and it's recommended that this value is set to 0. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Path Exclusions* -- GP name: *Exclusions_Paths* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes** +| Name | Value | +|:--|:--| +| Name | Exclusions_Paths | +| Friendly Name | Path Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Paths | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Exclusions_Processes - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes +``` + -
    + + +This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as "c\windows\app.exe". The value is not used and it is recommended that this be set to 0. + - - -This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself won't be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value isn't used and it's recommended that this value is set to 0. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Process Exclusions* -- GP name: *Exclusions_Processes* -- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions** +| Name | Value | +|:--|:--| +| Name | Exclusions_Processes | +| Friendly Name | Process Exclusions | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Exclusions | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions | +| Registry Value Name | Exclusions_Processes | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## ExploitGuard_ASR_ASROnlyExclusions - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions +``` + -
    - - - + + Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair: - - Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder - Value column: Enter "0" for each item @@ -823,61 +659,76 @@ No exclusions will be applied to the ASR rules. Not configured: Same as Disabled. -You can configure ASR rules in the "Configure Attack Surface Reduction rules" GP setting. +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules* -- GP name: *ExploitGuard_ASR_ASROnlyExclusions* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_ASROnlyExclusions | +| Friendly Name | Exclude files and paths from Attack Surface Reduction Rules | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExploitGuard_ASR_Rules -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules +``` + - - -Set the state for each ASR rule. + + +Set the state for each Attack Surface Reduction (ASR) rule. -After enabling this setting, you can set each rule to the following values in the Options section: +After enabling this setting, you can set each rule to the following in the Options section: +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied +- Not Configured: the rule is enabled with default values +- Warn: the rule will be applied and the end-user will have the option to bypass the block -- Block: The rule will be applied -- Audit Mode: If the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied) -- Off: The rule won't be applied +Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured. Enabled: Specify the state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair: - - Name column: Enter a valid ASR rule ID - Value column: Enter the status ID that relates to state you want to specify for the associated rule @@ -885,11 +736,16 @@ The following status IDs are permitted under the value column: - 1 (Block) - 0 (Off) - 2 (Audit) +- 5 (Not Configured) +- 6 (Warn) Example: -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +2 Disabled: No ASR rules will be configured. @@ -898,3903 +754,4951 @@ Not configured: Same as Disabled. You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Attack Surface Reduction rules* -- GP name: *ExploitGuard_ASR_Rules* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ASR_Rules | +| Friendly Name | Configure Attack Surface Reduction rules | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR | +| Registry Value Name | ExploitGuard_ASR_Rules | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExploitGuard_ControlledFolderAccess_AllowedApplications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications +``` + - - -Add other applications that should be considered "trusted" by controlled folder access. + + +Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify or delete files in controlled folder access folders. -Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add other applications. +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. Enabled: -Specify other allowed applications in the Options section. +Specify additional allowed applications in the Options section.. Disabled: -No other applications will be added to the trusted list. +No additional applications will be added to the trusted list. Not configured: Same as Disabled. -You can enable controlled folder access in the "Configure controlled folder access" GP setting. +You can enable controlled folder access in the Configure controlled folder access GP setting. -Default system folders are automatically guarded, but you can add folders in the "Configure protected folders" GP setting. +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure allowed applications* -- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| Friendly Name | Configure allowed applications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ExploitGuard_ControlledFolderAccess_ProtectedFolders -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders +``` + - - + + Specify additional folders that should be guarded by the Controlled folder access feature. -Files in these folders can't be modified or deleted by untrusted applications. +Files in these folders cannot be modified or deleted by untrusted applications. -Default system folders are automatically protected. You can configure this setting to add more folders. +Default system folders are automatically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in Windows Security. Enabled: -Specify more folders that should be protected in the Options section. +Specify additional folders that should be protected in the Options section. Disabled: -No other folders will be protected. +No additional folders will be protected. Not configured: Same as Disabled. -You can enable controlled folder access in the "Configure controlled folder access" GP setting. +You can enable controlled folder access in the Configure controlled folder access GP setting. -Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add more trusted applications in the "Configure allowed applications" GP setting. +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure protected folders* -- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* -- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| Friendly Name | Configure protected folders | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access | +| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MpEngine_EnableFileHashComputation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation +``` + - - + + Enable or disable file hash computation feature. Enabled: -When this feature is enabled, Microsoft Defender Antivirus will compute hash value for files it scans. +When this feature is enabled Microsoft Defender will compute hash value for files it scans. Disabled: -File hash value isn't computed +File hash value is not computed Not configured: Same as Disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Enable file hash computation feature* -- GP name: *MpEngine_EnableFileHashComputation* -- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MpEngine_EnableFileHashComputation | +| Friendly Name | Enable file hash computation feature | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MpEngine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine | +| Registry Value Name | EnableFileHashComputation | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Nis_Consumers_IPS_DisableSignatureRetirement -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement +``` + - - -This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system isn't vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired, then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. + + +This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocal are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. -If you enable or don't configure this setting, definition retirement will be enabled. +- If you enable or do not configure this setting, definition retirement will be enabled. -If you disable this setting, definition retirement will be disabled. +- If you disable this setting, definition retirement will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on definition retirement* -- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement* -- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Nis_Consumers_IPS_DisableSignatureRetirement | +| Friendly Name | Turn on definition retirement | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Network Inspection System | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS | +| Registry Value Name | DisableSignatureRetirement | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid +``` + - - -This policy setting defines more definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value isn't used and it's recommended that this value is set to 0. + + +This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: "{b54b6ac9-a737-498e-9120-6616ad3bf590}". The value is not used and it is recommended that this be set to 0. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify additional definition sets for network traffic inspection* -- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid* -- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid | +| Friendly Name | Specify additional definition sets for network traffic inspection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Network Inspection System | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\SKU Differentiation | +| Registry Value Name | Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Nis_DisableProtocolRecognition -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition +``` + - - + + This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. -If you enable or don't configure this setting, protocol recognition will be enabled. +- If you enable or do not configure this setting, protocol recognition will be enabled. -If you disable this setting, protocol recognition will be disabled. +- If you disable this setting, protocol recognition will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on protocol recognition* -- GP name: *Nis_DisableProtocolRecognition* -- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ProxyBypass** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Nis_DisableProtocolRecognition | +| Friendly Name | Turn on protocol recognition | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Network Inspection System | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\NIS | +| Registry Value Name | DisableProtocolRecognition | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProxyBypass -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ProxyBypass +``` + - - + + This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. -If you enable this setting, the proxy server will be bypassed for the specified addresses. +- If you enable this setting, the proxy server will be bypassed for the specified addresses. -If you disable or don't configure this setting, the proxy server won't be bypassed for the specified addresses. +- If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define addresses to bypass proxy server* -- GP name: *ProxyBypass* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProxyBypass | +| Friendly Name | Define addresses to bypass proxy server | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProxyPacUrl -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - - -This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there's no proxy auto-config specified, the client will fall back to the alternative options (in order): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl +``` + + + +This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) + 3. None 4. Internet Explorer proxy settings + 5. Autodetect -If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. +- If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. -If you disable or don't configure this setting, the proxy will skip over this fallback step according to the order specified above. +- If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define proxy auto-config (.pac) for connecting to the network* -- GP name: *ProxyPacUrl* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/ProxyServer** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProxyPacUrl | +| Friendly Name | Define proxy auto-config (.pac) for connecting to the network | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## ProxyServer -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    - - - -This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there's no proxy specified, the client will fall back to the alternative options (in order): + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ProxyServer +``` + + + +This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL (if specified) + 3. None 4. Internet Explorer proxy settings + 5. Autodetect -If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://. +- If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://. -If you disable or don't configure this setting, the proxy will skip over this fallback step according to the order specified above. +- If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define proxy server for connecting to the network* -- GP name: *ProxyServer* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProxyServer | +| Friendly Name | Define proxy server for connecting to the network | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Quarantine_LocalSettingOverridePurgeItemsAfterDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay +``` + - - -This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Policy. + + +This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. -If you enable this setting, the local preference setting will take priority over Policy. +- If you enable this setting, the local preference setting will take priority over Group Policy. -If you disable or don't configure this setting, Policy will take priority over the local preference setting. +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure local setting override for the removal of items from Quarantine folder* -- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Quarantine_LocalSettingOverridePurgeItemsAfterDelay | +| Friendly Name | Configure local setting override for the removal of items from Quarantine folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | +| Registry Value Name | LocalSettingOverridePurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Quarantine_PurgeItemsAfterDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay +``` + - - + + This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. -If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. +- If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. -If you disable or don't configure this setting, items will be kept in the quarantine folder indefinitely and won't be automatically removed. +- If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure removal of items from Quarantine folder* -- GP name: *Quarantine_PurgeItemsAfterDelay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Quarantine_PurgeItemsAfterDelay | +| Friendly Name | Configure removal of items from Quarantine folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Quarantine | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine | +| Registry Value Name | PurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RandomizeScheduleTaskTimes -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes +``` + - - -This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. + + +This policy setting allows you to configure the scheduled scan, and the scheduled security intelligence update, start time window in hours. -If you enable or don't configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. +- If you disable or do not configure this setting, scheduled tasks will begin at a random time within 4 hours after the time specified in Task Scheduler. +- If you enable this setting, you can widen, or narrow, this randomization period. Specify a randomization window of between 1 and 23 hours. + -If you disable this setting, scheduled tasks will begin at the specified start time. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Randomize scheduled task times* -- GP name: *RandomizeScheduleTaskTimes* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring** +| Name | Value | +|:--|:--| +| Name | RandomizeScheduleTaskTimes | +| Friendly Name | Randomize scheduled task times | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | RandomizeScheduleTaskTimes | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## RealtimeProtection_DisableBehaviorMonitoring - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring +``` + -
    - - - + + This policy setting allows you to configure behavior monitoring. -If you enable or don't configure this setting, behavior monitoring will be enabled. +- If you enable or do not configure this setting, behavior monitoring will be enabled. -If you disable this setting, behavior monitoring will be disabled. +- If you disable this setting, behavior monitoring will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on behavior monitoring* -- GP name: *RealtimeProtection_DisableBehaviorMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableBehaviorMonitoring | +| Friendly Name | Turn on behavior monitoring | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableBehaviorMonitoring | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableIOAVProtection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection +``` + - - + + This policy setting allows you to configure scanning for all downloaded files and attachments. -If you enable or don't configure this setting, scanning for all downloaded files and attachments will be enabled. +- If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. -If you disable this setting, scanning for all downloaded files and attachments will be disabled. +- If you disable this setting, scanning for all downloaded files and attachments will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Scan all downloaded files and attachments* -- GP name: *RealtimeProtection_DisableIOAVProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableIOAVProtection | +| Friendly Name | Scan all downloaded files and attachments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableIOAVProtection | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableOnAccessProtection -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection +``` + - - + + This policy setting allows you to configure monitoring for file and program activity. -If you enable or don't configure this setting, monitoring for file and program activity will be enabled. +- If you enable or do not configure this setting, monitoring for file and program activity will be enabled. -If you disable this setting, monitoring for file and program activity will be disabled. +- If you disable this setting, monitoring for file and program activity will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Monitor file and program activity on your computer* -- GP name: *RealtimeProtection_DisableOnAccessProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableOnAccessProtection | +| Friendly Name | Monitor file and program activity on your computer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableOnAccessProtection | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableRawWriteNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification +``` + - - + + This policy setting controls whether raw volume write notifications are sent to behavior monitoring. -If you enable or don't configure this setting, raw write notifications will be enabled. +- If you enable or do not configure this setting, raw write notifications will be enabled. -If you disable this setting, raw write notifications be disabled. +- If you disable this setting, raw write notifications be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on raw volume write notifications* -- GP name: *RealtimeProtection_DisableRawWriteNotification* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableRawWriteNotification | +| Friendly Name | Turn on raw volume write notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableRawWriteNotification | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_DisableScanOnRealtimeEnable -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable +``` + - - -This policy setting allows you to configure process scanning when real-time protection is turned on. This configuration helps to catch malware that could start when real-time protection is turned off. + + +This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. -If you enable or don't configure this setting, a process scan will be initiated when real-time protection is turned on. +- If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. -If you disable this setting, a process scan won't be initiated when real-time protection is turned on. +- If you disable this setting, a process scan will not be initiated when real-time protection is turned on. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on process scanning whenever real-time protection is enabled* -- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_DisableScanOnRealtimeEnable | +| Friendly Name | Turn on process scanning whenever real-time protection is enabled | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | DisableScanOnRealtimeEnable | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## RealtimeProtection_IOAVMaxSize -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize +``` + - - + + This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. -If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. - -If you disable or don't configure this setting, a default size will be applied. - - - - - -ADMX Info: -- GP Friendly name: *Define the maximum size of downloaded files and attachments to be scanned* -- GP name: *RealtimeProtection_IOAVMaxSize* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for turn on behavior monitoring* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for scanning all downloaded files and attachments* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for monitoring file and program activity on your computer* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override to turn on real-time protection* -- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for monitoring for incoming and outgoing file activity* -- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection* -- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation* -- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. + +- If you disable or do not configure this setting, a default size will be applied. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_IOAVMaxSize | +| Friendly Name | Define the maximum size of downloaded files and attachments to be scanned | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | IOAVMaxSize | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring +``` + + + + +This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring | +| Friendly Name | Configure local setting override for turn on behavior monitoring | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableBehaviorMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableIOAVProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection +``` + + + + +This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableIOAVProtection | +| Friendly Name | Configure local setting override for scanning all downloaded files and attachments | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableIOAVProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection +``` + + + + +This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection | +| Friendly Name | Configure local setting override for monitoring file and program activity on your computer | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableOnAccessProtection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring +``` + + + + +This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring | +| Friendly Name | Configure local setting override to turn on real-time protection | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideDisableRealtimeMonitoring | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## RealtimeProtection_LocalSettingOverrideRealtimeScanDirection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection +``` + + + + +This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RealtimeProtection_LocalSettingOverrideRealtimeScanDirection | +| Friendly Name | Configure local setting override for monitoring for incoming and outgoing file activity | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection | +| Registry Value Name | LocalSettingOverrideRealtimeScanDirection | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Remediation_LocalSettingOverrideScan_ScheduleTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime +``` + + + + +This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Remediation_LocalSettingOverrideScan_ScheduleTime | +| Friendly Name | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Remediation | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Remediation | +| Registry Value Name | LocalSettingOverrideScan_ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Remediation_Scan_ScheduleDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay +``` + + + + This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: +(0x0) Every Day +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never (default) -- (0x0) Every Day -- (0x1) Sunday -- (0x2) Monday -- (0x3) Tuesday -- (0x4) Wednesday -- (0x5) Thursday -- (0x6) Friday -- (0x7) Saturday -- (0x8) Never (default) +- If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. -If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. +- If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + -If you disable or don't configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the day of the week to run a scheduled full scan to complete remediation* -- GP name: *Remediation_Scan_ScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime** +| Name | Value | +|:--|:--| +| Name | Remediation_Scan_ScheduleDay | +| Friendly Name | Specify the day of the week to run a scheduled full scan to complete remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Remediation | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Remediation | +| Registry Value Name | Scan_ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Remediation_Scan_ScheduleTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime +``` + -
    + + +This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. - - -This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. +- If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. -If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. +- If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. + -If you disable or don't configure this setting, a scheduled full scan to complete remediation will run at a default time. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the time of day to run a scheduled full scan to complete remediation* -- GP name: *Remediation_Scan_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout** +| Name | Value | +|:--|:--| +| Name | Remediation_Scan_ScheduleTime | +| Friendly Name | Specify the time of day to run a scheduled full scan to complete remediation | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Remediation | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Remediation | +| Registry Value Name | Scan_ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Reporting_AdditionalActionTimeout - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout +``` + -
    - - - + + This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections requiring additional action* -- GP name: *Reporting_AdditionalActionTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_AdditionalActionTimeout | +| Friendly Name | Configure time out for detections requiring additional action | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | AdditionalActionTimeout | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_CriticalFailureTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout +``` + - - -This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. + + +This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections in critically failed state* -- GP name: *Reporting_CriticalFailureTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_CriticalFailureTimeout | +| Friendly Name | Configure time out for detections in critically failed state | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | CriticalFailureTimeout | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_DisableEnhancedNotifications -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications +``` + - - + + Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. -If you disable or don't configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. +- If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. -If you enable this setting, Microsoft Defender Antivirus enhanced notifications won't display on clients. +- If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn off enhanced notifications* -- GP name: *Reporting_DisableEnhancedNotifications* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -**ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports** -
    +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_DisableEnhancedNotifications | +| Friendly Name | Turn off enhanced notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | DisableEnhancedNotifications | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_DisablegenericrePorts -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts +``` + - - + + This policy setting allows you to configure whether or not Watson events are sent. -If you enable or don't configure this setting, Watson events will be sent. +- If you enable or do not configure this setting, Watson events will be sent. -If you disable this setting, Watson events won't be sent. +- If you disable this setting, Watson events will not be sent. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Watson events* -- GP name: *Reporting_Disablegenericreports* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_DisablegenericrePorts | +| Friendly Name | Configure Watson events | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | DisableGenericRePorts | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_NonCriticalTimeout -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout +``` + - - + + This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections in non-critical failed state* -- GP name: *Reporting_NonCriticalTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout** -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Reporting_NonCriticalTimeout | +| Friendly Name | Configure time out for detections in non-critical failed state | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | NonCriticalTimeout | +| ADMX File Name | WindowsDefender.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Reporting_RecentlyCleanedTimeout -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout +``` + + + + This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure time out for detections in recently remediated state* -- GP name: *Reporting_RecentlyCleanedTimeout* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_RecentlyCleanedTimeout | +| Friendly Name | Configure time out for detections in recently remediated state | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | RecentlyCleanedTimeout | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_WppTracingComponents -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents +``` + - - + + This policy configures Windows software trace preprocessor (WPP Software Tracing) components. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure Windows software trace preprocessor components* -- GP name: *Reporting_WppTracingComponents* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Reporting_WppTracingComponents | +| Friendly Name | Configure Windows software trace preprocessor components | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | WppTracingComponents | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Reporting_WppTracingLevel -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel +``` + - - + + This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). - Tracing levels are defined as: +1 - Error +2 - Warning +3 - Info +4 - Debug + -- 1 - Error -- 2 - Warning -- 3 - Info -- 4 - Debug + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Configure WPP tracing level* -- GP name: *Reporting_WppTracingLevel* -- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause** +| Name | Value | +|:--|:--| +| Name | Reporting_WppTracingLevel | +| Friendly Name | Configure WPP tracing level | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Reporting | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Reporting | +| Registry Value Name | WppTracingLevel | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Scan_AllowPause - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause +``` + -
    - - - + + This policy setting allows you to manage whether or not end users can pause a scan in progress. -If you enable or don't configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. - -If you disable this setting, users won't be able to pause scans. - - - - - -ADMX Info: -- GP Friendly name: *Allow users to pause scan* -- GP name: *Scan_AllowPause* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. - -If you enable this setting, archive files will be scanned to the directory depth level specified. - -If you disable or don't configure this setting, archive files will be scanned to the default directory depth level. - - - - - -ADMX Info: -- GP Friendly name: *Specify the maximum depth to scan archive files* -- GP name: *Scan_ArchiveMaxDepth* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. - -If you enable this setting, archive files less than or equal to the size specified will be scanned. - -If you disable or don't configure this setting, archive files will be scanned according to the default value. - - - - - -ADMX Info: -- GP Friendly name: *Specify the maximum size of archive files to be scanned* -- GP name: *Scan_ArchiveMaxSize* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. - -If you enable or don't configure this setting, archive files will be scanned. - -If you disable this setting, archive files won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Scan archive files* -- GP name: *Scan_DisableArchiveScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). - -If you enable this setting, e-mail scanning will be enabled. - -If you disable or don't configure this setting, e-mail scanning will be disabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn on e-mail scanning* -- GP name: *Scan_DisableEmailScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It's recommended that you don't turn off heuristics. - -If you enable or don't configure this setting, heuristics will be enabled. - -If you disable this setting, heuristics will be disabled. - - - - - -ADMX Info: -- GP Friendly name: *Turn on heuristics* -- GP name: *Scan_DisableHeuristics* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure scanning for packed executables. It's recommended that this type of scanning remains enabled. - -If you enable or don't configure this setting, packed executables will be scanned. - -If you disable this setting, packed executables won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Scan packed executables* -- GP name: *Scan_DisablePackedExeScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. + +- If you disable this setting, users will not be able to pause scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_AllowPause | +| Friendly Name | Allow users to pause scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | AllowPause | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_ArchiveMaxDepth + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth +``` + + + + +This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0. + +- If you enable this setting, archive files will be scanned to the directory depth level specified. + +- If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ArchiveMaxDepth | +| Friendly Name | Specify the maximum depth to scan archive files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ArchiveMaxDepth | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_ArchiveMaxSize + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize +``` + + + + +This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. + +- If you enable this setting, archive files less than or equal to the size specified will be scanned. + +- If you disable or do not configure this setting, archive files will be scanned according to the default value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ArchiveMaxSize | +| Friendly Name | Specify the maximum size of archive files to be scanned | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ArchiveMaxSize | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableArchiveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning +``` + + + + +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. + +- If you enable or do not configure this setting, archive files will be scanned. + +- If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableArchiveScanning | +| Friendly Name | Scan archive files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableArchiveScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableEmailScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning +``` + + + + +This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. + +- If you enable this setting, e-mail scanning will be enabled. + +- If you disable or do not configure this setting, e-mail scanning will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableEmailScanning | +| Friendly Name | Turn on e-mail scanning | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableEmailScanning | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableHeuristics + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics +``` + + + + +This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. + +- If you enable or do not configure this setting, heuristics will be enabled. + +- If you disable this setting, heuristics will be disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableHeuristics | +| Friendly Name | Turn on heuristics | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableHeuristics | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisablePackedExeScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + + + + + + + + + + + +## Scan_DisableRemovableDriveScanning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning +``` + + + + This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. -If you enable this setting, removable drives will be scanned during any type of scan. +- If you enable this setting, removable drives will be scanned during any type of scan. -If you disable or don't configure this setting, removable drives won't be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. +- If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Scan removable drives* -- GP name: *Scan_DisableRemovableDriveScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_DisableRemovableDriveScanning | +| Friendly Name | Scan removable drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableRemovableDriveScanning | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_DisableReparsePointScanning -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning +``` + - - -This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there's a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this setting is the recommended state for this functionality. + + +This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. -If you enable this setting, reparse point scanning will be enabled. +- If you enable this setting, reparse point scanning will be enabled. -If you disable or don't configure this setting, reparse point scanning will be disabled. +- If you disable or do not configure this setting, reparse point scanning will be disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on reparse point scanning* -- GP name: *Scan_DisableReparsePointScanning* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_DisableReparsePointScanning | +| Friendly Name | Turn on reparse point scanning | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableReparsePointScanning | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_DisableRestorePoint -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint +``` + - - + + This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. -If you enable this setting, a system restore point will be created. +- If you enable this setting, a system restore point will be created. -If you disable or don't configure this setting, a system restore point won't be created. +- If you disable or do not configure this setting, a system restore point will not be created. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Create a system restore point* -- GP name: *Scan_DisableRestorePoint* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** -
    - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | Scan_DisableRestorePoint | +| Friendly Name | Create a system restore point | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableRestorePoint | +| ADMX File Name | WindowsDefender.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * Device + +## Scan_DisableScanningMappedNetworkDrivesForFullScan -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan +``` + + + + This policy setting allows you to configure scanning mapped network drives. -If you enable this setting, mapped network drives will be scanned. - -If you disable or don't configure this setting, mapped network drives won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Run full scan on mapped network drives* -- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting. - -If you enable this setting, network files will be scanned. - -If you disable or don't configure this setting, network files won't be scanned. - - - - - -ADMX Info: -- GP Friendly name: *Scan network files* -- GP name: *Scan_DisableScanningNetworkFiles* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for maximum percentage of CPU utilization* -- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for the scan type to use for a scheduled scan* -- GP name: *Scan_LocalSettingOverrideScanParameters* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for schedule scan day* -- GP name: *Scan_LocalSettingOverrideScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for scheduled quick scan time* -- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for scheduled scan time* -- GP name: *Scan_LocalSettingOverrideScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable this setting, mapped network drives will be scanned. + +- If you disable or do not configure this setting, mapped network drives will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningMappedNetworkDrivesForFullScan | +| Friendly Name | Run full scan on mapped network drives | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningMappedNetworkDrivesForFullScan | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_DisableScanningNetworkFiles + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles +``` + + + + +This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +- If you enable this setting, network files will be scanned. + +- If you disable or do not configure this setting, network files will not be scanned. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisableScanningNetworkFiles | +| Friendly Name | Scan network files | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | DisableScanningNetworkFiles | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideAvgCPULoadFactor + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor +``` + + + + +This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideAvgCPULoadFactor | +| Friendly Name | Configure local setting override for maximum percentage of CPU utilization | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideAvgCPULoadFactor | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScanParameters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters +``` + + + + +This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScanParameters | +| Friendly Name | Configure local setting override for the scan type to use for a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScanParameters | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScheduleDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay +``` + + + + +This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScheduleDay | +| Friendly Name | Configure local setting override for schedule scan day | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScheduleDay | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScheduleQuickScantime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime +``` + + + + +This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScheduleQuickScantime | +| Friendly Name | Configure local setting override for scheduled quick scan time | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScheduleQuickScanTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LocalSettingOverrideScheduleTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime +``` + + + + +This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_LocalSettingOverrideScheduleTime | +| Friendly Name | Configure local setting override for scheduled scan time | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LocalSettingOverrideScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## Scan_LowCpuPriority + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority +``` + + + + This policy setting allows you to enable or disable low CPU priority for scheduled scans. -If you enable this setting, low CPU priority will be used during scheduled scans. +- If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans. +- If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Configure low CPU priority for scheduled scans* -- GP name: *Scan_LowCpuPriority* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_LowCpuPriority | +| Friendly Name | Configure low CPU priority for scheduled scans | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | LowCpuPriority | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_MissedScheduledScanCountBeforeCatchup -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup +``` + - - + + This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. -If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. +- If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. -If you disable or don't configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. +- If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define the number of days after which a catch-up scan is forced* -- GP name: *Scan_MissedScheduledScanCountBeforeCatchup* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_MissedScheduledScanCountBeforeCatchup | +| Friendly Name | Define the number of days after which a catch-up scan is forced | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | MissedScheduledScanCountBeforeCatchup | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_PurgeItemsAfterDelay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay +``` + - - -This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and won't be automatically removed. By default, the value is set to 30 days. + + +This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. -If you enable this setting, items will be removed from the scan history folder after the number of days specified. +- If you enable this setting, items will be removed from the scan history folder after the number of days specified. -If you disable or don't configure this setting, items will be kept in the scan history folder for the default number of days. +- If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Turn on removal of items from scan history folder* -- GP name: *Scan_PurgeItemsAfterDelay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_PurgeItemsAfterDelay | +| Friendly Name | Turn on removal of items from scan history folder | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | PurgeItemsAfterDelay | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_QuickScanInterval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval +``` + - - -This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans won't occur. By default, this setting is set to 0. + + +This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. -If you enable this setting, a quick scan will run at the interval specified. +- If you enable this setting, a quick scan will run at the interval specified. -If you disable or don't configure this setting, a quick scan will run at a default time. +- If you disable or do not configure this setting, quick scan controlled by this config will not be run. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify the interval to run quick scans per day* -- GP name: *Scan_QuickScanInterval* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_QuickScanInterval | +| Friendly Name | Specify the interval to run quick scans per day | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | QuickScanInterval | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_ScanOnlyIfIdle -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle +``` + - - + + This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. -If you enable or don't configure this setting, scheduled scans will only run when the computer is on but not in use. +- If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. -If you disable this setting, scheduled scans will run at the scheduled time. +- If you disable this setting, scheduled scans will run at the scheduled time. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Start the scheduled scan only when computer is on but not in use* -- GP name: *Scan_ScanOnlyIfIdle* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Scan_ScanOnlyIfIdle | +| Friendly Name | Start the scheduled scan only when computer is on but not in use | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScanOnlyIfIdle | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Scan_ScheduleDay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay +``` + - - + + This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: +(0x0) Every Day +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never (default) -- (0x0) Every Day -- (0x1) Sunday -- (0x2) Monday -- (0x3) Tuesday -- (0x4) Wednesday -- (0x5) Thursday -- (0x6) Friday -- (0x7) Saturday -- (0x8) Never (default) +- If you enable this setting, a scheduled scan will run at the frequency specified. -If you enable this setting, a scheduled scan will run at the frequency specified. +- If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + -If you disable or don't configure this setting, a scheduled scan will run at a default frequency. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the day of the week to run a scheduled scan* -- GP name: *Scan_ScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime** +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleDay | +| Friendly Name | Specify the day of the week to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## Scan_ScheduleTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime +``` + -
    - - - + + This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. -If you enable this setting, a scheduled scan will run at the time of day specified. - -If you disable or don't configure this setting, a scheduled scan will run at a default time. - - - - - -ADMX Info: -- GP Friendly name: *Specify the time of day to run a scheduled scan* -- GP name: *Scan_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It's recommended that this setting remains disabled. - -If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence are disabled. - -If you disable or don't configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it's set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. - - - - - -ADMX Info: -- GP Friendly name: *Allow antimalware service to remain running always* -- GP name: *ServiceKeepAlive* -- GP path: *Windows Components\Microsoft Defender Antivirus* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. - -We don't recommend setting the value to less than 2 days to prevent machines from going out of date. - -If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. - -If you disable or don't configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. - - - - - -ADMX Info: -- GP Friendly name: *Define the number of days before spyware security intelligence is considered out of date* -- GP name: *SignatureUpdate_ASSignatureDue* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. - -If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. - -If you disable or don't configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. - - - - - -ADMX Info: -- GP Friendly name: *Define the number of days before virus security intelligence is considered out of date* -- GP name: *SignatureUpdate_AVSignatureDue* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. - -If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. - -If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted. - - - - - -ADMX Info: -- GP Friendly name: *Define file shares for downloading security intelligence updates* -- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting allows you to configure the automatic scan that starts after a security intelligence update has occurred. - -If you enable or don't configure this setting, a scan will start following a security intelligence update. - -If you disable this setting, a scan won't start following a security intelligence update. - - - - - -ADMX Info: -- GP Friendly name: *Turn on scan after security intelligence update* -- GP name: *SignatureUpdate_DisableScanOnUpdate* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - +- If you enable this setting, a scheduled scan will run at the time of day specified. + +- If you disable or do not configure this setting, a scheduled scan will run at a default time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_ScheduleTime | +| Friendly Name | Specify the time of day to run a scheduled scan | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Scan | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan | +| Registry Value Name | ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## ServiceKeepAlive + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive +``` + + + + +This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. + +- If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. + +- If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ServiceKeepAlive | +| Friendly Name | Allow antimalware service to remain running always | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender | +| Registry Value Name | ServiceKeepAlive | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_ASSignatureDue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue +``` + + + + +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. + +- If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. + +- If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ASSignatureDue | +| Friendly Name | Define the number of days before spyware security intelligence is considered out of date | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ASSignatureDue | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_AVSignatureDue + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue +``` + + + + +This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. + +- If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. + +- If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_AVSignatureDue | +| Friendly Name | Define the number of days before virus security intelligence is considered out of date | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | AVSignatureDue | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_DefinitionUpdateFileSharesSources + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources +``` + + + + +This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. + +- If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +- If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DefinitionUpdateFileSharesSources | +| Friendly Name | Define file shares for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_DisableScanOnUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate +``` + + + + +This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. + +- If you enable or do not configure this setting, a scan will start following a security intelligence update. + +- If you disable this setting, a scan will not start following a security intelligence update. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DisableScanOnUpdate | +| Friendly Name | Turn on scan after security intelligence update | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | DisableScanOnUpdate | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SignatureUpdate_DisableScheduledSignatureUpdateonBattery + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery +``` + + + + This policy setting allows you to configure security intelligence updates when the computer is running on battery power. -If you enable or don't configure this setting, security intelligence updates will occur as usual regardless of power state. +- If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. -If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. +- If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow security intelligence updates when running on battery power* -- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DisableScheduledSignatureUpdateonBattery | +| Friendly Name | Allow security intelligence updates when running on battery power | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | DisableScheduledSignatureUpdateOnBattery | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_DisableUpdateOnStartupWithoutEngine -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine +``` + - - -This policy setting allows you to configure security intelligence updates on startup when there's no antimalware engine present. + + +This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. -If you enable or don't configure this setting, security intelligence updates will be initiated on startup when there's no antimalware engine present. +- If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. -If you disable this setting, security intelligence updates won't be initiated on startup when there's no antimalware engine present. +- If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Initiate security intelligence update on startup* -- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_DisableUpdateOnStartupWithoutEngine | +| Friendly Name | Initiate security intelligence update on startup | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | DisableUpdateOnStartupWithoutEngine | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_FallbackOrder -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder +``` + - - -This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. + + +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } -If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted. +- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. -If you disable or don't configure this setting, security intelligence update sources will be contacted in a default order. +- If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define the order of sources for downloading security intelligence updates* -- GP name: *SignatureUpdate_FallbackOrder* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_FallbackOrder | +| Friendly Name | Define the order of sources for downloading security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_ForceUpdateFromMU -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU +``` + - - + + This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. -If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. +- If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. -If you disable or don't configure this setting, security intelligence updates will be downloaded from the configured download source. +- If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow security intelligence updates from Microsoft Update* -- GP name: *SignatureUpdate_ForceUpdateFromMU* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ForceUpdateFromMU | +| Friendly Name | Allow security intelligence updates from Microsoft Update | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ForceUpdateFromMU | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_RealtimeSignatureDelivery -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery +``` + - - + + This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. -If you enable or don't configure this setting, real-time security intelligence updates will be enabled. +- If you enable or do not configure this setting, real-time security intelligence updates will be enabled. -If you disable this setting, real-time security intelligence updates will be disabled. +- If you disable this setting, real-time security intelligence updates will disabled. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS* -- GP name: *SignatureUpdate_RealtimeSignatureDelivery* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_RealtimeSignatureDelivery | +| Friendly Name | Allow real-time security intelligence updates based on reports to Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | RealtimeSignatureDelivery | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_ScheduleDay -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay +``` + - - + + This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: +(0x0) Every Day (default) +(0x1) Sunday +(0x2) Monday +(0x3) Tuesday +(0x4) Wednesday +(0x5) Thursday +(0x6) Friday +(0x7) Saturday +(0x8) Never -- (0x0) Every Day (default) -- (0x1) Sunday -- (0x2) Monday -- (0x3) Tuesday -- (0x4) Wednesday -- (0x5) Thursday -- (0x6) Friday -- (0x7) Saturday -- (0x8) Never +- If you enable this setting, the check for security intelligence updates will occur at the frequency specified. -If you enable this setting, the check for security intelligence updates will occur at the frequency specified. +- If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. + -If you disable or don't configure this setting, the check for security intelligence updates will occur at a default frequency. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify the day of the week to check for security intelligence updates* -- GP name: *SignatureUpdate_ScheduleDay* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime** +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ScheduleDay | +| Friendly Name | Specify the day of the week to check for security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ScheduleDay | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## SignatureUpdate_ScheduleTime - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime +``` + -
    - - - + + This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. -If you enable this setting, the check for security intelligence updates will occur at the time of day specified. +- If you enable this setting, the check for security intelligence updates will occur at the time of day specified. -If you disable or don't configure this setting, the check for security intelligence updates will occur at the default time. +- If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Specify the time to check for security intelligence updates* -- GP name: *SignatureUpdate_ScheduleTime* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_ScheduleTime | +| Friendly Name | Specify the time to check for security intelligence updates | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | ScheduleTime | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_SharedSignaturesLocation -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation +``` + - - + + This policy setting allows you to define the security intelligence location for VDI-configured computers. -If you disable or don't configure this setting, security intelligence will be referred from the default local source. +- If you disable or do not configure this setting, security intelligence will be referred from the default local source. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define security intelligence location for VDI clients.* -- GP name: *SignatureUpdate_SharedSignaturesLocation* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    - +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SharedSignaturesLocation | +| Friendly Name | Define security intelligence location for VDI clients. | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_SignatureDisableNotification -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification +``` + - - + + This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. -If you enable this setting or don't configure, the antimalware service will receive notifications to disable security intelligence. +- If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. -If you disable this setting, the antimalware service won't receive notifications to disable security intelligence. +- If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS* -- GP name: *SignatureUpdate_SignatureDisableNotification* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SignatureDisableNotification | +| Friendly Name | Allow notifications to disable security intelligence based reports to Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | SignatureDisableNotification | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_SignatureUpdateCatchupInterval -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval +``` + - - + + This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. -If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. +- If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. -If you disable or don't configure this setting, a catch-up security intelligence update will be required after the default number of days. +- If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Define the number of days after which a catch-up security intelligence update is required* -- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_SignatureUpdateCatchupInterval | +| Friendly Name | Define the number of days after which a catch-up security intelligence update is required | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | SignatureUpdateCatchupInterval | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## SignatureUpdate_UpdateOnStartup -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup +``` + - - + + This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. -If you enable this setting, a check for new security intelligence will occur after service startup. +- If you enable this setting, a check for new security intelligence will occur after service startup. -If you disable this setting or don't configure this setting, a check for new security intelligence won't occur after service startup. +- If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Check for the latest virus and spyware security intelligence on startup* -- GP name: *SignatureUpdate_UpdateOnStartup* -- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/SpynetReporting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SignatureUpdate_UpdateOnStartup | +| Friendly Name | Check for the latest virus and spyware security intelligence on startup | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates | +| Registry Value Name | UpdateOnStartUp | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Spynet_LocalSettingOverrideSpynetReporting -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting +``` + - - + + +This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + +- If you enable this setting, the local preference setting will take priority over Group Policy. + +- If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Spynet_LocalSettingOverrideSpynetReporting | +| Friendly Name | Configure local setting override for reporting to Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | LocalSettingOverrideSpynetReporting | +| ADMX File Name | WindowsDefender.admx | + + + + + + + + + +## SpynetReporting + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/SpynetReporting +``` + + + + This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. -You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft won't use this information to identify you or contact you. +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. Possible options are: - -- (0x0) Disabled (default) -- (0x1) Basic membership -- (0x2) Advanced membership +(0x0) Disabled (default) +(0x1) Basic membership +(0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. -If you enable this setting, you'll join Microsoft MAPS with the membership specified. +- If you enable this setting, you will join Microsoft MAPS with the membership specified. -If you disable or don't configure this setting, you won't join Microsoft MAPS. +- If you disable or do not configure this setting, you will not join Microsoft MAPS. In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Join Microsoft MAPS* -- GP name: *SpynetReporting* -- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* -- GP ADMX file name: *WindowsDefender.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | SpynetReporting | +| Friendly Name | Join Microsoft MAPS | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > MAPS | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet | +| Registry Value Name | SpynetReporting | +| ADMX File Name | WindowsDefender.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Threats_ThreatIdDefaultAction -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction +``` + - - - This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Policy. - -If you enable this setting, the local preference setting will take priority over Policy. - -If you disable or don't configure this setting, Policy will take priority over the local preference setting. - - - - - -ADMX Info: -- GP Friendly name: *Configure local setting override for reporting to Microsoft MAPS* -- GP name: *Spynet_LocalSettingOverrideSpynetReporting* -- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* -- GP ADMX file name: *WindowsDefender.admx* - - - - -
    - - -**ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting customizes which remediation action will be taken for each listed Threat ID when it's detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. + + +This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. Valid remediation action values are: +2 = Quarantine +3 = Remove +6 = Ignore + -- 2 = Quarantine -- 3 = Remove -- 6 = Ignore + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Specify threats upon which default action should not be taken when detected* -- GP name: *Threats_ThreatIdDefaultAction* -- GP path: *Windows Components\Microsoft Defender Antivirus\Threats* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString** +| Name | Value | +|:--|:--| +| Name | Threats_ThreatIdDefaultAction | +| Friendly Name | Specify threats upon which default action should not be taken when detected | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Threats | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats | +| Registry Value Name | Threats_ThreatIdDefaultAction | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_CustomDefaultActionToastString - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString +``` + -
    + + +This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. - - -This policy setting allows you to configure whether or not to display more text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. +- If you enable this setting, the additional text specified will be displayed. -If you enable this setting, the extra text specified will be displayed. +- If you disable or do not configure this setting, there will be no additional text displayed. + -If you disable or don't configure this setting, there will be no extra text displayed. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Display additional text to clients when they need to perform an action* -- GP name: *UX_Configuration_CustomDefaultActionToastString* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress** +| Name | Value | +|:--|:--| +| Name | UX_Configuration_CustomDefaultActionToastString | +| Friendly Name | Display additional text to clients when they need to perform an action | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_Notification_Suppress - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress +``` + -
    - - - + + Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. +- If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. -If you disable or don't configure this setting, Microsoft Defender Antivirus notifications will display on clients. +- If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. + -If you enable this setting, Microsoft Defender Antivirus notifications won't display on clients. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Suppress all notifications* -- GP name: *UX_Configuration_Notification_Suppress* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification** +| Name | Value | +|:--|:--| +| Name | UX_Configuration_Notification_Suppress | +| Friendly Name | Suppress all notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | Notification_Suppress | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_SuppressRebootNotification - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification +``` + -
    + + +This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). - - -This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). +- If you enable this setting AM UI won't show reboot notifications. + -If you enable this setting, AM UI won't show reboot notifications. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Suppresses reboot notifications* -- GP name: *UX_Configuration_SuppressRebootNotification* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: - -**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown** +| Name | Value | +|:--|:--| +| Name | UX_Configuration_SuppressRebootNotification | +| Friendly Name | Suppresses reboot notifications | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | SuppressRebootNotification | +| ADMX File Name | WindowsDefender.admx | + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + - -
    + +## UX_Configuration_UILockdown - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -> [!div class = "checklist"] -> * Device + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown +``` + -
    - - - + + This policy setting allows you to configure whether or not to display AM UI to the users. +- If you enable this setting AM UI won't be available to users. + -If you enable this setting, AM UI won't be available to users. + + + - + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Enable headless UI mode* -- GP name: *UX_Configuration_UILockdown* -- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* -- GP ADMX file name: *WindowsDefender.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -
    +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | UX_Configuration_UILockdown | +| Friendly Name | Enable headless UI mode | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Antivirus > Client Interface | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration | +| Registry Value Name | UILockdown | +| ADMX File Name | WindowsDefender.admx | + + + + - + -## Related topics + + + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index cde0000329..432f506c62 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -1,333 +1,379 @@ --- -title: Policy CSP - ADMX_MMC -description: Learn about Policy CSP - ADMX_MMC. +title: ADMX_MMC Policy CSP +description: Learn more about the ADMX_MMC Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/03/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_MMC ->[!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). + +> [!TIP] +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_MMC policies + +## MMC_ActiveXControl -
    -
    - ADMX_MMC/MMC_ActiveXControl -
    -
    - ADMX_MMC/MMC_ExtendView -
    -
    - ADMX_MMC/MMC_LinkToWeb -
    -
    - ADMX_MMC/MMC_Restrict_Author -
    -
    - ADMX_MMC/MMC_Restrict_To_Permitted_Snapins -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_ActiveXControl +``` + -
    + + +Permits or prohibits use of this snap-in. - -**ADMX_MMC/MMC_ActiveXControl** +- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. - +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. - -
    +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. -> [!div class = "checklist"] -> * User +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. -
    +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - - -This policy setting permits or prohibits use of this snap-in. + + + -If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +**Description framework properties**: -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited. +**ADMX mapping**: -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited. +| Name | Value | +|:--|:--| +| Name | MMC_ActiveXControl | +| Friendly Name | ActiveX Control | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMC.admx | + -To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted. + + + -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. + - + +## MMC_ExtendView + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *ActiveX Control* -- GP name: *MMC_ActiveXControl* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMC.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_ExtendView +``` + - - -
    + + +Permits or prohibits use of this snap-in. - -**ADMX_MMC/MMC_ExtendView** +- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. - +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. - -
    +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. -> [!div class = "checklist"] -> * User +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. -
    +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - - -This policy setting permits or prohibits use of this snap-in. + + + -If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +**Description framework properties**: -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited. +**ADMX mapping**: -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited. +| Name | Value | +|:--|:--| +| Name | MMC_ExtendView | +| Friendly Name | Extended View (Web View) | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins > Extension snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{B708457E-DB61-4C55-A92F-0D4B5E9B1224} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMC.admx | + -To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted. + + + -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. + - + +## MMC_LinkToWeb + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -ADMX Info: -- GP Friendly name: *Extended View (Web View)* -- GP name: *MMC_ExtendView* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins* -- GP ADMX file name: *MMC.admx* + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_LinkToWeb +``` + - - -
    + + +Permits or prohibits use of this snap-in. - -**ADMX_MMC/MMC_LinkToWeb** +- If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. - +If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. - -
    +To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. -> [!div class = "checklist"] -> * User +To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted. -
    +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. + - - -This policy setting permits or prohibits use of this snap-in. + + + -If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. + +**Description framework properties**: -If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited. +**ADMX mapping**: -- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited. +| Name | Value | +|:--|:--| +| Name | MMC_LinkToWeb | +| Friendly Name | Link to Web Address | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins | +| Registry Key Name | Software\Policies\Microsoft\MMC\{C96401D1-0E17-11D3-885B-00C04F72C717} | +| Registry Value Name | Restrict_Run | +| ADMX File Name | MMC.admx | + -To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted. + + + -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. + - + +## MMC_Restrict_Author + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - -ADMX Info: -- GP Friendly name: *Link to Web Address* -- GP name: *MMC_LinkToWeb* -- GP path: *Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins* -- GP ADMX file name: *MMC.admx* - - - -
    - - -**ADMX_MMC/MMC_Restrict_Author** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy setting prevents users from entering author mode. + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_Author +``` + + + + +Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. -As a result, users can't create console files or add or remove snap-ins. Also, because they can't open author-mode console files, they can't use the tools that the files contain. +As a result, users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain. -This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users can't open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also can't open a blank MMC console window from a command prompt. +This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt. -If you disable this setting or don't configure it, users can enter author mode and open author-mode console files. +- If you disable this setting or do not configure it, users can enter author mode and open author-mode console files. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict the user from entering author mode* -- GP name: *MMC_Restrict_Author* -- GP path: *Windows Components\Microsoft Management Console* -- GP ADMX file name: *MMC.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_MMC/MMC_Restrict_To_Permitted_Snapins** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | MMC_Restrict_Author | +| Friendly Name | Restrict the user from entering author mode | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console | +| Registry Key Name | Software\Policies\Microsoft\MMC | +| Registry Value Name | RestrictAuthorMode | +| ADMX File Name | MMC.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## MMC_Restrict_To_Permitted_Snapins -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_To_Permitted_Snapins +``` + - - -This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. + + +Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. -- If you enable this setting, all snap-ins are prohibited, except those snap-ins that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. +- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins. To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited. -- If you disable this setting or don't configure it, all snap-ins are permitted, except those snap-ins that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins. +- If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins. To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted. -When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear. +When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. > [!NOTE] -> If you enable this setting, and you don't enable any settings in the Restricted/Permitted snap-ins folder, users can't use any MMC snap-ins. +> If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins. + - + + + + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Restrict users to the explicitly permitted list of snap-ins* -- GP name: *MMC_Restrict_To_Permitted_Snapins* -- GP path: *Windows Components\Microsoft Management Console* -- GP ADMX file name: *MMC.admx* +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: +| Name | Value | +|:--|:--| +| Name | MMC_Restrict_To_Permitted_Snapins | +| Friendly Name | Restrict users to the explicitly permitted list of snap-ins | +| Location | User Configuration | +| Path | Windows Components > Microsoft Management Console | +| Registry Key Name | Software\Policies\Microsoft\MMC | +| Registry Value Name | RestrictToPermittedSnapins | +| ADMX File Name | MMC.admx | + - + + + -## Related topics + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index 3efeeafc81..0d81b19812 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -1,83 +1,92 @@ --- -title: Policy CSP - ADMX_PushToInstall -description: Learn about Policy CSP - ADMX_PushToInstall. +title: ADMX_PushToInstall Policy CSP +description: Learn more about the ADMX_PushToInstall Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_PushToInstall > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_PushToInstall policies + +## DisablePushToInstall -
    -
    - ADMX_PushToInstall/DisablePushToInstall -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PushToInstall/DisablePushToInstall +``` + -
    + + +- If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + - -**ADMX_PushToInstall/DisablePushToInstall** + + + - + +**Description framework properties**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -[Scope](./policy-configuration-service-provider.md#policy-scope): +**ADMX mapping**: -> [!div class = "checklist"] -> * Device +| Name | Value | +|:--|:--| +| Name | DisablePushToInstall | +| Friendly Name | Turn off Push To Install service | +| Location | Computer Configuration | +| Path | Windows Components > Push To Install | +| Registry Key Name | Software\Policies\Microsoft\PushToInstall | +| Registry Value Name | DisablePushToInstall | +| ADMX File Name | PushToInstall.admx | + -
    + + + - - -If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Push To Install service* -- GP name: *DisablePushToInstall* -- GP path: *Windows Components\Push To Install* -- GP ADMX file name: *PushToInstall.admx* + - - +## Related articles - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index 13a94d8fbf..fcc3ae8253 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -1,99 +1,104 @@ --- -title: Policy CSP - ADMX_Radar -description: Learn about Policy CSP - ADMX_Radar. +title: ADMX_Radar Policy CSP +description: Learn more about the ADMX_Radar Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/08/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_Radar > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_Radar policies + +## WdiScenarioExecutionPolicy -
    -
    - ADMX_Radar/WdiScenarioExecutionPolicy -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Radar/WdiScenarioExecutionPolicy +``` + -
    + + +Determines the execution level for Windows Resource Exhaustion Detection and Resolution. - -**ADMX_Radar/WdiScenarioExecutionPolicy** +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. - +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. - -
    +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +No system restart or service restart is required for this policy to take effect: changes take effect immediately. -> [!div class = "checklist"] -> * Device +This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + -
    + + + - - -This policy determines the execution level for Windows Resource Exhaustion Detection and Resolution. + +**Description framework properties**: -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determine their root causes. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting, and resolution, the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you disable this policy setting, Windows won't be able to detect, troubleshoot or resolve any Windows Resource Exhaustion problems that are handled by the DPS. +**ADMX mapping**: -If you don't configure this policy setting, the DPS will enable Windows Resource Exhaustion for resolution by default. -This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +| Name | Value | +|:--|:--| +| Name | WdiScenarioExecutionPolicy | +| Friendly Name | Configure Scenario Execution Level | +| Location | Computer Configuration | +| Path | System > Troubleshooting and Diagnostics > Windows Resource Exhaustion Detection and Resolution | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WDI\{3af8b24a-c441-4fa4-8c5c-bed591bfa867} | +| Registry Value Name | ScenarioExecutionEnabled | +| ADMX File Name | Radar.admx | + -No system restart or service restart is required for this policy to take effect; changes take effect immediately. + + + ->[!Note] -> This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + - + + + - -ADMX Info: -- GP Friendly name: *Configure Scenario Execution Level* -- GP name: *WdiScenarioExecutionPolicy* -- GP path: *System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution* -- GP ADMX file name: *Radar.admx* + -
    +## Related articles - - - - - -## Related topics - -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index 9a1a7a7fd8..a66d9243e6 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,142 +1,160 @@ --- -title: Policy CSP - ADMX_SoundRec -description: Learn about Policy CSP - ADMX_SoundRec. +title: ADMX_SoundRec Policy CSP +description: Learn more about the ADMX_SoundRec Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/01/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_SoundRec -
    - - -## ADMX_SoundRec policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 -
    -
    - ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 -
    -
    + + + + +## Soundrec_DiableApplication_TitleText_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1 +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy specifies whether Sound Recorder can run. + + +Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. -If you enable this policy setting, Sound Recorder won't run. +- If you enable this policy setting, Sound Recorder will not run. -If you disable or don't configure this policy setting, Sound Recorder can run. +- If you disable or do not configure this policy setting, Sound Recorder can be run. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Sound Recorder to run* -- GP name: *Soundrec_DiableApplication_TitleText_1* -- GP path: *Windows Components\Sound Recorder* -- GP ADMX file name: *SettingSync.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -**ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | Soundrec_DiableApplication_TitleText_1 | +| Friendly Name | Do not allow Sound Recorder to run | +| Location | User Configuration | +| Path | Windows Components > Sound Recorder | +| Registry Key Name | SOFTWARE\Policies\Microsoft\SoundRecorder | +| Registry Value Name | Soundrec | +| ADMX File Name | SoundRec.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
    + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## Soundrec_DiableApplication_TitleText_2 -> [!div class = "checklist"] -> * User + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
    + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2 +``` + - - -This policy specifies whether Sound Recorder can run. + + +Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. -If you enable this policy setting, Sound Recorder won't run. +- If you enable this policy setting, Sound Recorder will not run. -If you disable or don't configure this policy setting, Sound Recorder can be run. +- If you disable or do not configure this policy setting, Sound Recorder can be run. + - + + + - -ADMX Info: -- GP Friendly name: *Do not allow Sound Recorder to run* -- GP name: *Soundrec_DiableApplication_TitleText_2* -- GP path: *Windows Components\Sound Recorder* -- GP ADMX file name: *SettingSync.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -## Related topics +**ADMX mapping**: -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) +| Name | Value | +|:--|:--| +| Name | Soundrec_DiableApplication_TitleText_2 | +| Friendly Name | Do not allow Sound Recorder to run | +| Location | Computer Configuration | +| Path | Windows Components > Sound Recorder | +| Registry Key Name | SOFTWARE\Policies\Microsoft\SoundRecorder | +| Registry Value Name | Soundrec | +| ADMX File Name | SoundRec.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index d56e6b36ff..bf1efd462a 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -1,137 +1,277 @@ --- -title: Policy CSP - ADMX_srmfci -description: Learn about Policy CSP - ADMX_srmfci. +title: ADMX_srmfci Policy CSP +description: Learn more about the ADMX_srmfci Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 09/18/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_srmfci > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -## ADMX_srmfci policies + +## AccessDeniedConfiguration -
    -
    - ADMX_srmfci/EnableShellAccessCheck -
    -
    - ADMX_srmfci/AccessDeniedConfiguration -
    -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/AccessDeniedConfiguration +``` + -
    + + +This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. - -**ADMX_srmfci/EnableShellAccessCheck** +- If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. - +- If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionality controlled by this policy setting, regardless of the file server configuration. -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +- If you do not configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +**Description framework properties**: -> [!div class = "checklist"] -> * Device +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - - -This group policy setting should be set on Windows clients to enable access-denied assistance for all file types. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | AccessDeniedConfiguration | +| Friendly Name | Customize message for Access Denied errors | +| Location | Computer Configuration | +| Path | System > Access-Denied Assistance | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied | +| Registry Value Name | Enabled | +| ADMX File Name | srm-fci.admx | + + + + - -ADMX Info: -- GP Friendly name: *Enable access-denied assistance on client for all file types* -- GP name: *EnableShellAccessCheck* -- GP path: *System\Access-Denied Assistance* -- GP ADMX file name: *srmfci.admx* + - - -
    + +## CentralClassificationList - -**ADMX_srmfci/AccessDeniedConfiguration** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/CentralClassificationList +``` + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +This policy setting controls which set of properties is available for classifying files on affected computers. - -
    +Administrators can define the properties for the organization by using Active Directory Domain Services (AD DS), and then group these properties into lists. Administrators can supplement these properties on individual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manager role service. - -[Scope](./policy-configuration-service-provider.md#policy-scope): +- If you enable this policy setting, you can select which list of properties is available for classification on the affected computers. -> [!div class = "checklist"] -> * Device +- If you disable or do not configure this policy setting, the Global Resource Property List in AD DS provides the default set of properties. + -
    + + + - - -This policy setting specifies the message that users see when they're denied access to a file or folder. You can customize the Access Denied message to include more text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access. + +**Description framework properties**: -If you enable this policy setting, users receive a customized Access Denied message from the file servers on which this policy setting is applied. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -If you disable this policy setting, users see a standard Access Denied message that doesn't provide any of the functionalities controlled by this policy setting, regardless of the file server configuration. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -If you don't configure this policy setting, users see a standard Access Denied message unless the file server is configured to display the customized Access Denied message. By default, users see the standard Access Denied message. +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | CentralClassificationList | +| Friendly Name | File Classification Infrastructure: Specify classification properties list | +| Location | Computer Configuration | +| Path | System > File Classification Infrastructure | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\FCI | +| ADMX File Name | srm-fci.admx | + - -ADMX Info: -- GP Friendly name: *Customize message for Access Denied errors* -- GP name: *AccessDeniedConfiguration* -- GP path: *System\Access-Denied Assistance* -- GP ADMX file name: *srmfci.admx* + + + - - -
    + + +## EnableManualUX - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -## Related topics + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/EnableManualUX +``` + -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) + + +This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer. + +The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the properties for the organization by using Group Policy, and supplement these with properties defined on individual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manager role service. + +- If you enable this policy setting, the Classification tab is displayed. + +- If you disable or do not configure this policy setting, the Classification tab is hidden. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableManualUX | +| Friendly Name | File Classification Infrastructure: Display Classification tab in File Explorer | +| Location | Computer Configuration | +| Path | System > File Classification Infrastructure | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\FCI | +| Registry Value Name | EnableManualUX | +| ADMX File Name | srm-fci.admx | + + + + + + + + + +## EnableShellAccessCheck + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_srmfci/EnableShellAccessCheck +``` + + + + +This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableShellAccessCheck | +| Friendly Name | Enable access-denied assistance on client for all file types | +| Location | Computer Configuration | +| Path | System > Access-Denied Assistance | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | EnableShellExecuteFileStreamCheck | +| ADMX File Name | srm-fci.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 42a29e7391..302b351101 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,136 +1,156 @@ --- -title: Policy CSP - ADMX_WindowsColorSystem -description: Policy CSP - ADMX_WindowsColorSystem +title: ADMX_WindowsColorSystem Policy CSP +description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa +ms.date: 01/09/2023 ms.localizationpriority: medium -ms.topic: article ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 10/27/2020 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ADMX_WindowsColorSystem -
    - - -## ADMX_WindowsColorSystem policies - > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    -
    - ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 -
    -
    - ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 -
    -
    + + + + +## ProhibitChangingInstalledProfileList_1 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -**WindowsColorSystem/ProhibitChangingInstalledProfileList_1** + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_1 +``` + - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - + + This policy setting affects the ability of users to install or uninstall color profiles. - If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. - If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit installing or uninstalling color profiles* -- GP name: *ProhibitChangingInstalledProfileList_1* -- GP path: *Windows Components\Windows Color System* -- GP ADMX file name: *WindowsColorSystem.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**WindowsColorSystem/ProhibitChangingInstalledProfileList_2** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | ProhibitChangingInstalledProfileList_1 | +| Friendly Name | Prohibit installing or uninstalling color profiles | +| Location | User Configuration | +| Path | Windows Components > Windows Color System | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsColorSystem | +| Registry Value Name | ProhibitInstallUninstall | +| ADMX File Name | WindowsColorSystem.admx | + - -
    + + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + +## ProhibitChangingInstalledProfileList_2 -
    + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - - + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsColorSystem/ProhibitChangingInstalledProfileList_2 +``` + + + + This policy setting affects the ability of users to install or uninstall color profiles. - If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. - If you disable or do not configure this policy setting, all users can install new color profiles. Standard users can uninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles. + - + + + - -ADMX Info: -- GP Friendly name: *Prohibit installing or uninstalling color profiles* -- GP name: *ProhibitChangingInstalledProfileList_2* -- GP path: *Windows Components\Windows Color System* -- GP ADMX file name: *WindowsColorSystem.admx* + +**Description framework properties**: +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - - -
    + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | ProhibitChangingInstalledProfileList_2 | +| Friendly Name | Prohibit installing or uninstalling color profiles | +| Location | Computer Configuration | +| Path | Windows Components > Windows Color System | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsColorSystem | +| Registry Value Name | ProhibitInstallUninstall | +| ADMX File Name | WindowsColorSystem.admx | + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 7cb6c243fb..cc7fc5a089 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,1001 +1,1145 @@ --- -title: Policy CSP - Printers -description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers. +title: Printers Policy CSP +description: Learn more about the Printers Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 01/09/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - Printers - -
    - - -## Printers policies - -
    -
    - Printers/ApprovedUsbPrintDevices -
    -
    - Printers/ApprovedUsbPrintDevicesUser -
    -
    - Printers/ConfigureCopyFilesPolicy -
    -
    - Printers/ConfigureDriverValidationLevel -
    -
    - Printers/ConfigureIppPageCountsPolicy -
    -
    - Printers/ConfigureRedirectionGuardPolicy -
    -
    - Printers/ConfigureRpcConnectionPolicy -
    -
    - Printers/ConfigureRpcListenerPolicy -
    -
    - Printers/ConfigureRpcTcpPort -
    -
    - Printers/EnableDeviceControl -
    -
    - Printers/EnableDeviceControlUser -
    -
    - Printers/ManageDriverExclusionList -
    -
    - Printers/PointAndPrintRestrictions -
    -
    - Printers/PointAndPrintRestrictions_User -
    -
    - Printers/PublishPrinters -
    -
    - Printers/RestrictDriverInstallationToAdministrators -
    -
    - > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    + + + - -**Printers/ApprovedUsbPrintDevices** + +## ApprovedUsbPrintDevices - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. -The format of this setting is `/[,/]` - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *ApprovedUsbPrintDevices* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - - -
    - - -**Printers/ApprovedUsbPrintDevicesUser** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will contain the comma separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. -The format of this setting is `/[,/]` - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *ApprovedUsbPrintDevicesUser* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureCopyFilesPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate. - -If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. - -The following are the supported values: - -Type: DWORD. Defaults to 1. - -- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections. -- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. -- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections. - - - - -ADMX Info: -- GP Friendly name: *Manage processing of Queue-specific files* -- GP name: *ConfigureCopyFilesPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureDriverValidationLevel** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate. - -If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. - -The following are the supported values: - -Type: DWORD. Defaults to 4. - -- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer. -- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. -- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). -- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. -- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. - - - -ADMX Info: -- GP Friendly name: *Manage Print Driver signature validation* -- GP name: *ConfigureDriverValidationLevel* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureIppPageCountsPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary. - -If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs. - -The following are the supported values: - -AlwaysSendIppPageCounts: DWORD. Defaults to 0. - -- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**. -- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs. - - - - -ADMX Info: -- GP Friendly name: *Always send job page count information for IPP printers* -- GP name: *ConfigureIppPageCountsPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRedirectionGuardPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used. - -If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. - -The following are the supported values: - -Type: DWORD, defaults to 1. - -- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process. -- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used. -- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled. - - - - -ADMX Info: -- GP Friendly name: *Configure Redirection Guard* -- GP name: *ConfigureRedirectionGuardPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRpcConnectionPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack. - -There are 2 values which can be configured: - -- RpcUseNamedPipeProtocol DWORD - - 0: RpcOverTcp (default) - - 1: RpcOverNamedPipes -- RpcAuthentication DWORD - - 0: RpcConnectionAuthenticationDefault (default) - - 1: RpcConnectionAuthenticationEnabled - - 2: RpcConnectionAuthenticationDisabled - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines. - -If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly. - -The following are the supported values: - -- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines. -- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication. - - - - -ADMX Info: -- GP Friendly name: *Configure RPC connection settings* -- GP name: *ConfigureRpcConnectionPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRpcListenerPolicy** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack. - -There are 2 values which can be configured: -- RpcProtocols DWORD - - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes - - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default) - - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP -- ForceKerberosForRpc DWORD - - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support - - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*. - -If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly. - -The following are the supported values: - -- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol. -- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use. - - - - -ADMX Info: -- GP Friendly name: *Configure RPC listener settings* -- GP name: *ConfigureRpcListenerPolicy* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/ConfigureRpcTcpPort** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack. - -- RpcTcpPort DWORD - - 0: Use dynamic TCP ports for RPC over TCP (default). - - 1-65535: Use the given port for RPC over TCP. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*. - -If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly. - -The following are the supported values: - -- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP. -- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP. - - - - -ADMX Info: -- GP Friendly name: *Configure RPC over TCP port* -- GP name: *ConfigureRpcTcpPort* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/EnableDeviceControl** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. - -The default value of the policy will be Unconfigured. - -If the policy value is either Unconfigured or Disabled, the print spooler won't restrict printing. - -If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *EnableDeviceControl* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -
    - - - -**Printers/EnableDeviceControlUser** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
    - - - -This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. - -This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. - -The default value of the policy will be Unconfigured. - -If the policy value is either Unconfigured or Disabled, the print spooler won't restrict printing. - -If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. - - - - -ADMX Info: -- GP Friendly name: *Support for new Device Control Print feature* -- GP name: *EnableDeviceControlUser* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -
    - - -**Printers/ManageDriverExclusionList** - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - - -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update. - -The default value of the policy will be Unconfigured. - -If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list. - -If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value. - -The following are the supported values: - -Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` - -Type: REG_SZ -Value Name: Hash of excluded file -Value Data: Name of excluded file - - - - -ADMX Info: -- GP Friendly name: *Manage Print Driver exclusion list* -- GP name: *ManageDriverExclusionList* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -
    - - -**Printers/PointAndPrintRestrictions** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
    - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
    - - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: - -- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. - -- You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. - -If you don't configure this policy setting: - -- Windows Vista client computers can point and print to any server. - -- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print. - -- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated. - -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: - -- Windows Vista client computers can create a printer connection to any server using Point and Print. - -- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print. - -- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated. - -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - - -ADMX Info: -- GP Friendly name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - -Example: - -```xml -Name: Point and Print Enable Oma-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions -Data type: String Value: - - - - - + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices ``` - - + -
    + + +This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. - -**Printers/PointAndPrintRestrictions_User** +When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing. - +Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list. + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + +The format of this setting is `/[,/]`. + - -
    + +**Description framework properties**: - -[Scope](./policy-configuration-service-provider.md#policy-scope): +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -> [!div class = "checklist"] -> * User + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -
    +**ADMX mapping**: - - +| Name | Value | +|:--|:--| +| Name | ApprovedUsbPrintDevices | +| Friendly Name | List of Approved USB-connected print devices | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ApprovedUsbPrintDevicesUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser +``` + + + + +This setting is a component of the Device Control Printing Restrictions. To use this setting, enable Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. + +When Device Control Printing is enabled, the system uses the specified list of vid/pid values to determine if the current USB connected printer is approved for local printing. + +Type all the approved vid/pid combinations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid will be compared to the approved list. + + + + +The format of this setting is `/[,/]`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ApprovedUsbPrintDevicesUser | +| Friendly Name | List of Approved USB-connected print devices | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureCopyFilesPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureCopyFilesPolicy +``` + + + + +Manages how Queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server. + +You can enable this setting to change the default behavior involving queue-specific files. To use this setting, select one of the options below from the "Manage processing of Queue-specific files" box. + +- If you disable or do not configure this policy setting, the default behavior is "Limit Queue-specific files to Color profiles". + +- "Do not allow Queue-specific files" specifies that no queue-specific files will be allowed/processed during print queue/printer connection installation. + +- "Limit Queue-specific files to Color profiles" specifies that only queue-specific files that adhere to the standard color profile scheme will be allowed. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. "Limit Queue-specific files to Color profiles" is the default behavior. + +- "Allow all Queue-specific files" specifies that all queue-specific files will be allowed/processed during print queue/printer connection installation. + + + + +The following are the supported values: + +- 0: Do not allow Queue-specific files. +- 1 (Default): Limit Queue-specific files to Color profiles. +- 2: Allow all Queue-specific files. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureCopyFilesPolicy | +| Friendly Name | Manage processing of Queue-specific files | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureDriverValidationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureDriverValidationLevel +``` + + + + +This policy setting controls the print driver signature validation mechanism. This policy controls the type of digital signature that is required for a print driver to be considered valid and installed on the system. + +As part of this validation the catalog/embedded signature is verified and all files in the driver must be a part of the catalog or have their own embedded signature that can be used for validation. + +You can enable this setting to change the default signature validation method. To use this setting, select one of the options below from the "Select the driver signature mechanism for this computer" box. + +- If you disable or do not configure this policy setting, the default method is "Allow all validly signed drivers". + +- "Require inbox signed drivers" specifies only drivers that are shipped as part of a Windows image are allowed on this computer. + +- "Allow inbox and PrintDrivers Trusted Store signed drivers" specifies only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. + +- "Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). + +- "Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers" specifies the only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. + +- "Allow all validly signed drivers" specifies that any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. + +The 'PrintDrivers' certificate store needs to be created by an administrator under the local machine store location. + +The 'Trusted Publishers' certificate store can contain certificates from sources that are not related to print drivers. + + + + +The following are the supported values: + +- 0: Require inbox signed drivers. +- 1: Allow inbox and PrintDrivers Trusted Store signed drivers. +- 2: Allow inbox, PrintDrivers Trusted Store, and WHQL signed drivers. +- 3: Allow inbox, PrintDrivers Trusted Store, WHQL, and Trusted Publishers Store signed drivers. +- 4 (Default): Allow all validly signed drivers. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDriverValidationLevel | +| Friendly Name | Manage Print Driver signature validation | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Driver | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureIppPageCountsPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppPageCountsPolicy +``` + + + + +Determines whether to always send page count information for accounting purposes for printers using the Microsoft IPP Class Driver. + +By default, pages are sent to the printer as soon as they are rendered and page count information is not sent to the printer unless pages must be reordered. + +- If you enable this setting the system will render all print job pages up front and send the printer the total page count for the print job. + +- If you disable this setting or do not configure it, pages are printed as soon as they are rendered and page counts are only sent when page reordering is required to process the job. + + + + +The following are the supported values: + +- 0 (Default): Disabled. +- 1: Enabled. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureIppPageCountsPolicy | +| Friendly Name | Always send job page count information for IPP printers | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\IPP | +| Registry Value Name | AlwaysSendIppPageCounts | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRedirectionGuardPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRedirectionGuardPolicy +``` + + + + +Determines whether Redirection Guard is enabled for the print spooler. + +You can enable this setting to configure the Redirection Guard policy being applied to spooler. + +- If you disable or do not configure this policy setting, Redirection Guard will default to being 'enabled'. + +- If you enable this setting you may select the following options: + +- Enabled : Redirection Guard will prevent any file redirections from being followed + +- Disabled : Redirection Guard will not be enabled and file redirections may be used within the spooler process + +- Audit : Redirection Guard will log events as though it were enabled but will not actually prevent file redirections from being used within the spooler. + + + + +The following are the supported values: + +- 0: Redirection guard disabled. +- 1 (Default): Redirection guard enabled. +- 2: Redirection guard audit mode. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRedirectionGuardPolicy | +| Friendly Name | Configure Redirection Guard | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcAuthnLevelPrivacyEnabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcAuthnLevelPrivacyEnabled +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + + + + + + + + + + + +## ConfigureRpcConnectionPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcConnectionPolicy +``` + + + + +This policy setting controls which protocol and protocol settings to use for outgoing RPC connections to a remote print spooler. + +By default, RPC over TCP is used and authentication is always enabled. For RPC over named pipes, authentication is always enabled for domain joined machines but disabled for non domain joined machines. + +Protocol to use for outgoing RPC connections: +- "RPC over TCP": Use RPC over TCP for outgoing RPC connections to a remote print spooler +- "RPC over named pipes": Use RPC over named pipes for outgoing RPC connections to a remote print spooler + +Use authentication for outgoing RPC over named pipes connections: +- "Default": By default domain joined computers enable RPC authentication for RPC over named pipes while non domain joined computers disable RPC authentication for RPC over named pipes +- "Authentication enabled": RPC authentication will be used for outgoing RPC over named pipes connections +- "Authentication disabled": RPC authentication will not be used for outgoing RPC over named pipes connections + +- If you disable or do not configure this policy setting, the above defaults will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcConnectionPolicy | +| Friendly Name | Configure RPC connection settings | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcListenerPolicy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcListenerPolicy +``` + + + + +This policy setting controls which protocols incoming RPC connections to the print spooler are allowed to use. + +By default, RPC over TCP is enabled and Negotiate is used for the authentication protocol. + +Protocols to allow for incoming RPC connections: +- "RPC over named pipes": Incoming RPC connections are only allowed over named pipes +- "RPC over TCP": Incoming RPC connections are only allowed over TCP (the default option) +- "RPC over named pipes and TCP": Incoming RPC connections will be allowed over TCP and named pipes + +Authentication protocol to use for incoming RPC connections: +- "Negotiate": Use the Negotiate authentication protocol (the default option) +- "Kerberos": Use the Kerberos authentication protocol + +- If you disable or do not configure this policy setting, the above defaults will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcListenerPolicy | +| Friendly Name | Configure RPC listener settings | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ConfigureRpcTcpPort + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRpcTcpPort +``` + + + + +This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. + +By default dynamic TCP ports are used. + +RPC over TCP port: +- The port to use for RPC over TCP. A value of 0 is the default and indicates that dynamic TCP ports will be used + +- If you disable or do not configure this policy setting, dynamic TCP ports are used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcTcpPort | +| Friendly Name | Configure RPC over TCP port | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\RPC | +| ADMX File Name | Printing.admx | + + + + + + + + + +## EnableDeviceControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl +``` + + + + +Determines whether Device Control Printing Restrictions are enforced for printing on this computer. + +By default, there are no restrictions to printing based on connection type or printer Make/Model. + +- If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers. + +- If you disable this setting or do not configure it, there are no restrictions to printing based on connection type or printer Make/Model. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableDeviceControl | +| Friendly Name | Enable Device Control Printing Restrictions | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | EnableDeviceControl | +| ADMX File Name | Printing.admx | + + + + + + + + + +## EnableDeviceControlUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser +``` + + + + +Determines whether Device Control Printing Restrictions are enforced for printing on this computer. + +By default, there are no restrictions to printing based on connection type or printer Make/Model. + +- If you enable this setting, the computer will restrict printing to printer connections on the corporate network or approved USB-connected printers. + +- If you disable this setting or do not configure it, there are no restrictions to printing based on connection type or printer Make/Model. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnableDeviceControlUser | +| Friendly Name | Enable Device Control Printing Restrictions | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | EnableDeviceControl | +| ADMX File Name | Printing.admx | + + + + + + + + + +## ManageDriverExclusionList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/ManageDriverExclusionList +``` + + + + +This policy setting controls the print driver exclusion list. The exclusion list allows an administrator to curate a list of printer drivers that are not allowed to be installed on the system. + +This checks outranks the signature check and allows drivers that have a valid signature level for the Print Driver signature validation policy to be excluded. + +Entries in the exclusion list consist of a SHA256 hash (or SHA1 hash for Win7) of the INF file and/or main driver DLL file of the driver and the name of the file. + +- If you disable or do not configure this policy setting, the registry key and values associated with this policy setting will be deleted, if currently set to a value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ManageDriverExclusionList | +| Friendly Name | Manage Print Driver exclusion list | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Driver | +| ADMX File Name | Printing.admx | + + + + + + + + + +## PointAndPrintRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions +``` + + + + This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. -If you enable this policy setting: +- If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. -- Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver isn't available on the client, no connection will be made. +- If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. -- You can configure Windows Vista clients so that security warnings and elevated command prompts don't appear when users Point and Print, or when printer connection drivers need to be updated. +- If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. +-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + -If you don't configure this policy setting: + + + -- Windows Vista client computers can point and print to any server. + +**Description framework properties**: -- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated. + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. +**ADMX mapping**: -If you disable this policy setting: +| Name | Value | +|:--|:--| +| Name | PointAndPrint_Restrictions_Win7 | +| Friendly Name | Point and Print Restrictions | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint | +| Registry Value Name | Restricted | +| ADMX File Name | Printing.admx | + -- Windows Vista client computers can create a printer connection to any server using Point and Print. + + + -- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print. + -- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated. + +## PointAndPrintRestrictions_User -- Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + -- The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + +```User +./User/Vendor/MSFT/Policy/Config/Printers/PointAndPrintRestrictions_User +``` + - - -ADMX Info: -- GP Friendly name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions* -- GP path: *Control Panel/Printers* -- GP ADMX file name: *Printing.admx* + + +This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - - +- If you enable this policy setting: +-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. +-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. -
    +- If you do not configure this policy setting: +-Windows Vista client computers can point and print to any server. +-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -**Printers/PublishPrinters** +- If you disable this policy setting: +-Windows Vista client computers can create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. +-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). + - + + + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Description framework properties**: - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> [!div class = "checklist"] -> * Device +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | PointAndPrint_Restrictions | +| Friendly Name | Point and Print Restrictions | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint | +| Registry Value Name | Restricted | +| ADMX File Name | Printing.admx | + - - + + + + + + + +## PublishPrinters + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/PublishPrinters +``` + + + + Determines whether the computer's shared printers can be published in Active Directory. -If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' on the Sharing tab, to publish shared printers in Active Directory. +- If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. -If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available. +- If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. > [!NOTE] -> This setting takes priority over the setting "Automatically publish new printers in the Active Directory". +> This settings takes priority over the setting "Automatically publish new printers in the Active Directory". + - + + + - -ADMX Info: -- GP Friendly name: *Allow printers to be published* -- GP name: *PublishPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* + +**Description framework properties**: - - -
    +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**Printers/RestrictDriverInstallationToAdministrators** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +**ADMX mapping**: - -
    +| Name | Value | +|:--|:--| +| Name | PublishPrinters | +| Friendly Name | Allow printers to be published | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | PublishPrinters | +| ADMX File Name | Printing2.admx | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
    + +## RestrictDriverInstallationToAdministrators - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users. + +```Device +./Device/Vendor/MSFT/Policy/Config/Printers/RestrictDriverInstallationToAdministrators +``` + -This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup. + + +Determines whether users that aren't Administrators can install print drivers on this computer. -The default value of the policy will be Unconfigured. +By default, users that aren't Administrators can't install print drivers on this computer. -If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer. +- If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer. -If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer. +- If you disable this setting, the system won't limit installation of print drivers to this computer. + -The following are the supported values: + + + -- Not configured or Enabled - Only administrators can install print drivers on the computer. -- Disabled - Standard users are allowed to install print drivers on the computer. + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -ADMX Info: -- GP Friendly name: *Restrict installation of print drivers to Administrators* -- GP name: *RestrictDriverInstallationToAdministrators* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: -
    +| Name | Value | +|:--|:--| +| Name | RestrictDriverInstallationToAdministrators | +| Friendly Name | Limits print driver installation to Administrators | +| Location | Computer Configuration | +| Path | Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint | +| Registry Value Name | RestrictDriverInstallationToAdministrators | +| ADMX File Name | Printing.admx | + - + + + -## Related topics + -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) From 3231ccf3f55fa10e6732f86c4af21ec8ccf12e25 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Mon, 9 Jan 2023 14:48:56 -0500 Subject: [PATCH 124/152] add volume to audit --- .../client-management/mdm/policy-csp-audit.md | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index c039ded0e0..b2e381fcca 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -42,6 +42,7 @@ This policy setting allows you to audit events generated by validation tests on +Volume: High on domain controllers. @@ -102,6 +103,7 @@ This policy setting allows you to audit events generated by Kerberos authenticat +Volume: High on Kerberos Key Distribution Center servers. @@ -162,6 +164,7 @@ This policy setting allows you to audit events generated by Kerberos authenticat +Volume: Low. @@ -282,6 +285,7 @@ This policy setting allows you to audit events generated by a failed attempt to +Volume: Low. @@ -342,6 +346,7 @@ This policy allows you to audit the group memberhsip information in the user's l +Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -402,6 +407,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang +Volume: High. @@ -462,6 +468,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang +Volume: High. @@ -522,6 +529,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang +Volume: High. @@ -582,6 +590,7 @@ This policy setting allows you to audit events generated by the closing of a log +Volume: Low. @@ -642,6 +651,7 @@ This policy setting allows you to audit events generated by user account logon a +Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -702,6 +712,7 @@ This policy setting allows you to audit events generated by RADIUS (IAS) and Net +Volume: Medium or High on NPS and IAS server. No volume on other computers. @@ -762,6 +773,7 @@ This policy setting allows you to audit other logon/logoff-related events that a +Volume: Low. @@ -822,6 +834,7 @@ This policy setting allows you to audit events generated by special logons such +Volume: Low. @@ -882,6 +895,7 @@ This policy allows you to audit user and device claims information in the user's +Volume: Low on a client computer. Medium on a domain controller or a network server. @@ -942,6 +956,7 @@ This policy setting allows you to audit events generated by changes to applicati +Volume: Low. @@ -1002,6 +1017,7 @@ This policy setting allows you to audit events generated by changes to computer +Volume: Low. @@ -1064,6 +1080,7 @@ This policy setting allows you to audit events generated by changes to distribut +Volume: Low. @@ -1124,6 +1141,7 @@ This policy setting allows you to audit events generated by other user account c +Volume: Low. @@ -1184,6 +1202,7 @@ This policy setting allows you to audit events generated by changes to security +Volume: Low. @@ -1244,6 +1263,7 @@ This policy setting allows you to audit changes to user accounts. Events include +Volume: Low. @@ -1304,6 +1324,7 @@ This policy setting allows you to audit events generated when encryption or decr +Volume: Low. @@ -1364,6 +1385,7 @@ This policy setting allows you to audit when plug and play detects an external d +Volume: Low. @@ -1424,6 +1446,7 @@ This policy setting allows you to audit events generated when a process is creat +Volume: Depends on how the computer is used. @@ -1484,6 +1507,7 @@ This policy setting allows you to audit events generated when a process ends. If +Volume: Depends on how the computer is used. @@ -1544,6 +1568,7 @@ This policy setting allows you to audit inbound remote procedure call (RPC) conn +Volume: High on RPC servers. @@ -1604,6 +1629,7 @@ This policy setting allows you to audit events generated by adjusting the privil +Volume: High. @@ -1664,6 +1690,7 @@ This policy setting allows you to audit events generated by detailed Active Dire +Volume: High. @@ -1724,6 +1751,7 @@ This policy setting allows you to audit events generated when an Active Director +Volume: High on domain controllers. None on client computers. @@ -1786,6 +1814,7 @@ This policy setting allows you to audit events generated by changes to objects i +Volume: High on domain controllers only. @@ -1846,6 +1875,7 @@ This policy setting allows you to audit replication between two Active Directory +Volume: Medium on domain controllers. None on client computers. @@ -1906,6 +1936,7 @@ This policy setting allows you to audit applications that generate events using +Volume: Depends on the applications that are generating them. @@ -1966,6 +1997,7 @@ This policy setting allows you to audit access requests where the permission gra +Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. @@ -2026,6 +2058,7 @@ This policy setting allows you to audit Active Directory Certificate Services (A +Volume: Medium or Low on computers running Active Directory Certificate Services. @@ -2088,6 +2121,7 @@ This policy setting allows you to audit attempts to access files and folders on +Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. @@ -2150,6 +2184,7 @@ This policy setting allows you to audit attempts to access a shared folder. If y +Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. @@ -2212,6 +2247,7 @@ This policy setting allows you to audit user attempts to access file system obje +Volume: Depends on how the file system SACLs are configured. @@ -2272,6 +2308,7 @@ This policy setting allows you to audit connections that are allowed or blocked +Volume: High. @@ -2332,6 +2369,7 @@ This policy setting allows you to audit packets that are dropped by Windows Filt +Volume: High. @@ -2394,6 +2432,7 @@ This policy setting allows you to audit events generated when a handle to an obj +Volume: Depends on how SACLs are configured. @@ -2456,6 +2495,7 @@ This policy setting allows you to audit attempts to access the kernel, which inc +Volume: High if auditing access of global system objects is enabled. @@ -2516,6 +2556,7 @@ This policy setting allows you to audit events generated by the management of ta +Volume: Low. @@ -2578,6 +2619,7 @@ This policy setting allows you to audit attempts to access registry objects. A s +Volume: Depends on how registry SACLs are configured. @@ -2700,6 +2742,7 @@ This policy setting allows you to audit events generated by attempts to access t +Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects). @@ -2762,6 +2805,7 @@ This policy setting allows you to audit events generated by changes to the authe +Volume: Low. @@ -2822,6 +2866,7 @@ This policy setting allows you to audit events generated by changes to the autho +Volume: Low. @@ -2882,6 +2927,7 @@ This policy setting allows you to audit events generated by changes to the Windo +Volume: Low. @@ -2942,6 +2988,7 @@ This policy setting allows you to audit events generated by changes in policy ru +Volume: Low. @@ -3002,6 +3049,7 @@ This policy setting allows you to audit events generated by other security polic +Volume: Low. @@ -3064,6 +3112,7 @@ This policy setting allows you to audit changes in the security audit policy set +Volume: Low. @@ -3124,6 +3173,7 @@ This policy setting allows you to audit events generated by the use of non-sensi +Volume: Very High. @@ -3244,6 +3294,7 @@ This policy setting allows you to audit events generated when sensitive privileg +Volume: High. @@ -3304,6 +3355,7 @@ This policy setting allows you to audit events generated by the IPsec filter dri +Volume: Low. @@ -3364,6 +3416,7 @@ This policy setting allows you to audit any of the following events: Startup and +Volume: Low. @@ -3424,6 +3477,7 @@ This policy setting allows you to audit events generated by changes in the secur +Volume: Low. @@ -3484,6 +3538,7 @@ This policy setting allows you to audit events related to security system extens +Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers. @@ -3544,6 +3599,7 @@ This policy setting allows you to audit events that violate the integrity of the +Volume: Low. From 87de711c1754193068374fdeb4ed0b158765e878 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 9 Jan 2023 17:52:22 -0500 Subject: [PATCH 125/152] Updated all policy area CSPs --- .../mdm/policies-in-policy-csp-admx-backed.md | 3012 ++++++++++++++++- ...in-policy-csp-supported-by-group-policy.md | 922 ++++- .../policy-configuration-service-provider.md | 5 +- .../mdm/policy-csp-abovelock.md | 8 +- .../mdm/policy-csp-accounts.md | 17 +- .../mdm/policy-csp-activexcontrols.md | 17 +- .../policy-csp-admx-activexinstallservice.md | 17 +- .../mdm/policy-csp-admx-addremoveprograms.md | 75 +- .../mdm/policy-csp-admx-admpwd.md | 48 +- .../mdm/policy-csp-admx-appcompat.md | 53 +- .../mdm/policy-csp-admx-appxpackagemanager.md | 15 +- .../mdm/policy-csp-admx-appxruntime.md | 33 +- .../mdm/policy-csp-admx-attachmentmanager.md | 48 +- .../mdm/policy-csp-admx-auditsettings.md | 18 +- .../mdm/policy-csp-admx-bits.md | 129 +- .../mdm/policy-csp-admx-ciphersuiteorder.md | 20 +- .../mdm/policy-csp-admx-com.md | 144 +- .../mdm/policy-csp-admx-controlpanel.md | 49 +- .../policy-csp-admx-controlpaneldisplay.md | 961 +++--- .../mdm/policy-csp-admx-cpls.md | 17 +- .../policy-csp-admx-credentialproviders.md | 37 +- .../mdm/policy-csp-admx-credssp.md | 107 +- .../mdm/policy-csp-admx-credui.md | 23 +- .../mdm/policy-csp-admx-ctrlaltdel.md | 33 +- .../mdm/policy-csp-admx-datacollection.md | 16 +- .../mdm/policy-csp-admx-dcom.md | 26 +- .../mdm/policy-csp-admx-desktop.md | 291 +- .../mdm/policy-csp-admx-devicecompat.md | 12 +- .../mdm/policy-csp-admx-deviceguard.md | 10 +- .../mdm/policy-csp-admx-deviceinstallation.md | 61 +- .../mdm/policy-csp-admx-devicesetup.md | 22 +- .../mdm/policy-csp-admx-dfs.md | 17 +- .../mdm/policy-csp-admx-digitallocker.md | 140 +- .../mdm/policy-csp-admx-diskdiagnostic.md | 34 +- .../mdm/policy-csp-admx-disknvcache.md | 2 +- .../mdm/policy-csp-admx-diskquota.md | 2 +- ...policy-csp-admx-distributedlinktracking.md | 10 +- .../mdm/policy-csp-admx-dnsclient.md | 161 +- .../mdm/policy-csp-admx-dwm.md | 412 +-- .../mdm/policy-csp-admx-eaime.md | 107 +- .../mdm/policy-csp-admx-encryptfilesonmove.md | 14 +- .../mdm/policy-csp-admx-enhancedstorage.md | 44 +- .../mdm/policy-csp-admx-errorreporting.md | 1390 ++++---- .../mdm/policy-csp-admx-eventforwarding.md | 20 +- .../mdm/policy-csp-admx-eventlog.md | 209 +- .../mdm/policy-csp-admx-eventlogging.md | 14 +- .../mdm/policy-csp-admx-eventviewer.md | 14 +- .../mdm/policy-csp-admx-explorer.md | 150 +- .../mdm/policy-csp-admx-externalboot.md | 34 +- .../mdm/policy-csp-admx-filerecovery.md | 19 +- .../mdm/policy-csp-admx-filerevocation.md | 21 +- .../policy-csp-admx-fileservervssprovider.md | 13 +- .../mdm/policy-csp-admx-filesys.md | 24 +- .../mdm/policy-csp-admx-folderredirection.md | 315 +- .../mdm/policy-csp-admx-framepanes.md | 21 +- .../mdm/policy-csp-admx-fthsvc.md | 16 +- .../mdm/policy-csp-admx-globalization.md | 16 +- .../mdm/policy-csp-admx-grouppolicy.md | 1329 ++++---- .../mdm/policy-csp-admx-help.md | 166 +- .../mdm/policy-csp-admx-helpandsupport.md | 32 +- .../mdm/policy-csp-admx-hotspotauth.md | 14 +- .../mdm/policy-csp-admx-icm.md | 1159 +++---- .../mdm/policy-csp-admx-iis.md | 14 +- .../mdm/policy-csp-admx-iscsi.md | 40 +- .../mdm/policy-csp-admx-kdc.md | 58 +- .../mdm/policy-csp-admx-kerberos.md | 72 +- .../mdm/policy-csp-admx-lanmanserver.md | 34 +- .../mdm/policy-csp-admx-lanmanworkstation.md | 41 +- .../mdm/policy-csp-admx-leakdiagnostic.md | 21 +- ...icy-csp-admx-linklayertopologydiscovery.md | 20 +- .../policy-csp-admx-locationprovideradm.md | 16 +- .../mdm/policy-csp-admx-logon.md | 663 ++-- ...icy-csp-admx-microsoftdefenderantivirus.md | 12 +- .../mdm/policy-csp-admx-mmc.md | 2 +- .../mdm/policy-csp-admx-mmcsnapins.md | 1510 +++++---- .../policy-csp-admx-mobilepcmobilitycenter.md | 142 +- ...y-csp-admx-mobilepcpresentationsettings.md | 150 +- .../mdm/policy-csp-admx-msapolicy.md | 16 +- .../mdm/policy-csp-admx-msched.md | 26 +- .../mdm/policy-csp-admx-msdt.md | 33 +- .../mdm/policy-csp-admx-msi.md | 539 ++- .../mdm/policy-csp-admx-msifilerecovery.md | 19 +- .../mdm/policy-csp-admx-mss-legacy.md | 188 +- .../mdm/policy-csp-admx-nca.md | 46 +- .../mdm/policy-csp-admx-ncsi.md | 25 +- .../mdm/policy-csp-admx-netlogon.md | 4 +- .../mdm/policy-csp-admx-networkconnections.md | 977 +++--- .../mdm/policy-csp-admx-offlinefiles.md | 2358 ++++++------- .../mdm/policy-csp-admx-pca.md | 45 +- .../mdm/policy-csp-admx-peertopeercaching.md | 65 +- .../mdm/policy-csp-admx-pentraining.md | 136 +- .../policy-csp-admx-performancediagnostics.md | 48 +- .../mdm/policy-csp-admx-power.md | 310 +- ...licy-csp-admx-powershellexecutionpolicy.md | 48 +- .../mdm/policy-csp-admx-previousversions.md | 812 +++-- .../mdm/policy-csp-admx-printing.md | 1036 +++--- .../mdm/policy-csp-admx-printing2.md | 75 +- .../mdm/policy-csp-admx-programs.md | 42 +- .../mdm/policy-csp-admx-pushtoinstall.md | 2 +- .../mdm/policy-csp-admx-qos.md | 179 +- .../mdm/policy-csp-admx-radar.md | 2 +- .../mdm/policy-csp-admx-reliability.md | 53 +- .../mdm/policy-csp-admx-remoteassistance.md | 24 +- .../mdm/policy-csp-admx-removablestorage.md | 1845 +++++----- .../mdm/policy-csp-admx-rpc.md | 89 +- .../mdm/policy-csp-admx-sam.md | 28 +- .../mdm/policy-csp-admx-scripts.md | 4 +- .../mdm/policy-csp-admx-sdiageng.md | 28 +- .../mdm/policy-csp-admx-sdiagschd.md | 16 +- .../mdm/policy-csp-admx-securitycenter.md | 20 +- .../mdm/policy-csp-admx-sensors.md | 272 +- .../mdm/policy-csp-admx-servermanager.md | 43 +- .../mdm/policy-csp-admx-servicing.md | 18 +- .../mdm/policy-csp-admx-settingsync.md | 44 +- .../mdm/policy-csp-admx-sharedfolders.md | 26 +- .../mdm/policy-csp-admx-sharing.md | 20 +- ...csp-admx-shellcommandpromptregedittools.md | 47 +- .../mdm/policy-csp-admx-smartcard.md | 128 +- .../mdm/policy-csp-admx-snmp.md | 38 +- .../mdm/policy-csp-admx-soundrec.md | 2 +- .../mdm/policy-csp-admx-srmfci.md | 2 +- .../mdm/policy-csp-admx-startmenu.md | 8 +- .../mdm/policy-csp-admx-systemrestore.md | 14 +- .../mdm/policy-csp-admx-tabletpcinputpanel.md | 1176 +++---- .../mdm/policy-csp-admx-tabletshell.md | 1464 ++++---- .../mdm/policy-csp-admx-taskbar.md | 4 +- .../mdm/policy-csp-admx-tcpip.md | 89 +- .../mdm/policy-csp-admx-terminalserver.md | 18 +- .../mdm/policy-csp-admx-thumbnails.md | 26 +- .../mdm/policy-csp-admx-touchinput.md | 298 +- .../mdm/policy-csp-admx-tpm.md | 51 +- ...y-csp-admx-userexperiencevirtualization.md | 1044 +++--- .../mdm/policy-csp-admx-userprofiles.md | 34 +- .../mdm/policy-csp-admx-w32time.md | 33 +- .../mdm/policy-csp-admx-wcm.md | 30 +- .../mdm/policy-csp-admx-wdi.md | 22 +- .../mdm/policy-csp-admx-wincal.md | 140 +- .../mdm/policy-csp-admx-windowscolorsystem.md | 2 +- .../mdm/policy-csp-admx-windowsconnectnow.md | 144 +- .../mdm/policy-csp-admx-windowsexplorer.md | 1967 +++++------ .../mdm/policy-csp-admx-windowsmediadrm.md | 10 +- .../mdm/policy-csp-admx-windowsmediaplayer.md | 844 +++-- ...policy-csp-admx-windowsremotemanagement.md | 24 +- .../mdm/policy-csp-admx-windowsstore.md | 272 +- .../mdm/policy-csp-admx-wininit.md | 26 +- .../mdm/policy-csp-admx-winlogon.md | 406 +-- .../mdm/policy-csp-admx-winsrv.md | 15 +- .../mdm/policy-csp-admx-wlansvc.md | 26 +- .../mdm/policy-csp-admx-wordwheel.md | 14 +- .../mdm/policy-csp-admx-workfoldersclient.md | 32 +- .../mdm/policy-csp-admx-wpn.md | 186 +- .../mdm/policy-csp-applicationdefaults.md | 6 +- .../mdm/policy-csp-applicationmanagement.md | 65 +- .../mdm/policy-csp-appruntime.md | 8 +- .../mdm/policy-csp-appvirtualization.md | 80 +- .../mdm/policy-csp-attachmentmanager.md | 32 +- .../client-management/mdm/policy-csp-audit.md | 624 ++-- .../mdm/policy-csp-authentication.md | 122 +- .../mdm/policy-csp-autoplay.md | 29 +- .../mdm/policy-csp-bitlocker.md | 4 +- .../client-management/mdm/policy-csp-bits.md | 54 +- .../mdm/policy-csp-bluetooth.md | 10 +- .../mdm/policy-csp-browser.md | 208 +- .../mdm/policy-csp-camera.md | 8 +- .../mdm/policy-csp-cellular.md | 20 +- .../mdm/policy-csp-clouddesktop.md | 10 +- .../mdm/policy-csp-connectivity.md | 58 +- .../mdm/policy-csp-controlpolicyconflict.md | 7 +- .../mdm/policy-csp-credentialproviders.md | 25 +- .../mdm/policy-csp-credentialsdelegation.md | 14 +- .../mdm/policy-csp-credentialsui.md | 20 +- .../mdm/policy-csp-cryptography.md | 8 +- .../mdm/policy-csp-dataprotection.md | 9 +- .../mdm/policy-csp-datausage.md | 20 +- .../mdm/policy-csp-defender.md | 203 +- .../mdm/policy-csp-deliveryoptimization.md | 31 +- .../mdm/policy-csp-desktop.md | 12 +- .../mdm/policy-csp-desktopappinstaller.md | 56 +- .../mdm/policy-csp-deviceguard.md | 32 +- .../mdm/policy-csp-devicehealthmonitoring.md | 6 +- .../mdm/policy-csp-deviceinstallation.md | 42 +- .../mdm/policy-csp-devicelock.md | 50 +- .../mdm/policy-csp-display.md | 5 +- .../mdm/policy-csp-dmaguard.md | 14 +- .../client-management/mdm/policy-csp-eap.md | 6 +- .../mdm/policy-csp-education.md | 211 +- .../mdm/policy-csp-enterprisecloudprint.md | 4 +- .../mdm/policy-csp-errorreporting.md | 46 +- .../mdm/policy-csp-eventlogservice.md | 23 +- .../mdm/policy-csp-experience.md | 89 +- .../mdm/policy-csp-exploitguard.md | 4 +- .../mdm/policy-csp-federatedauthentication.md | 4 +- .../mdm/policy-csp-fileexplorer.md | 36 +- .../client-management/mdm/policy-csp-games.md | 4 +- .../mdm/policy-csp-handwriting.md | 4 +- .../mdm/policy-csp-humanpresence.md | 8 +- .../mdm/policy-csp-internetexplorer.md | 1509 +++++---- .../mdm/policy-csp-kerberos.md | 76 +- .../mdm/policy-csp-kioskbrowser.md | 16 +- .../mdm/policy-csp-lanmanworkstation.md | 12 +- .../mdm/policy-csp-licensing.md | 6 +- ...policy-csp-localpoliciessecurityoptions.md | 255 +- .../mdm/policy-csp-localusersandgroups.md | 15 +- .../mdm/policy-csp-lockdown.md | 8 +- .../client-management/mdm/policy-csp-lsa.md | 22 +- .../client-management/mdm/policy-csp-maps.md | 4 +- .../mdm/policy-csp-memorydump.md | 4 +- .../mdm/policy-csp-messaging.md | 17 +- .../mdm/policy-csp-mixedreality.md | 63 +- .../mdm/policy-csp-msslegacy.md | 60 +- .../mdm/policy-csp-multitasking.md | 13 +- .../mdm/policy-csp-networkisolation.md | 27 +- .../mdm/policy-csp-networklistmanager.md | 6 +- .../mdm/policy-csp-newsandinterests.md | 5 +- .../mdm/policy-csp-notifications.md | 141 +- .../client-management/mdm/policy-csp-power.md | 188 +- .../mdm/policy-csp-printers.md | 10 +- .../mdm/policy-csp-privacy.md | 64 +- .../mdm/policy-csp-remoteassistance.md | 48 +- .../mdm/policy-csp-remotedesktop.md | 108 +- .../mdm/policy-csp-remotedesktopservices.md | 62 +- .../mdm/policy-csp-remotemanagement.md | 118 +- .../mdm/policy-csp-remoteprocedurecall.md | 36 +- .../mdm/policy-csp-remoteshell.md | 44 +- .../mdm/policy-csp-restrictedgroups.md | 48 +- .../mdm/policy-csp-search.md | 56 +- .../mdm/policy-csp-security.md | 38 +- .../mdm/policy-csp-servicecontrolmanager.md | 15 +- .../mdm/policy-csp-settings.md | 174 +- .../mdm/policy-csp-settingssync.md | 65 +- .../mdm/policy-csp-smartscreen.md | 22 +- .../mdm/policy-csp-speech.md | 4 +- .../client-management/mdm/policy-csp-start.md | 316 +- .../mdm/policy-csp-stickers.md | 5 +- .../mdm/policy-csp-storage.md | 238 +- .../mdm/policy-csp-system.md | 126 +- .../mdm/policy-csp-systemservices.md | 28 +- .../mdm/policy-csp-taskmanager.md | 4 +- .../mdm/policy-csp-taskscheduler.md | 8 +- .../mdm/policy-csp-tenantdefinedtelemetry.md | 11 +- .../mdm/policy-csp-tenantrestrictions.md | 19 +- .../mdm/policy-csp-textinput.md | 80 +- .../mdm/policy-csp-timelanguagesettings.md | 12 +- .../mdm/policy-csp-troubleshooting.md | 7 +- .../mdm/policy-csp-update.md | 253 +- .../mdm/policy-csp-userrights.md | 72 +- ...olicy-csp-virtualizationbasedtechnology.md | 8 +- .../mdm/policy-csp-webthreatdefense.md | 42 +- .../client-management/mdm/policy-csp-wifi.md | 29 +- .../mdm/policy-csp-windowsautopilot.md | 8 +- .../policy-csp-windowsconnectionmanager.md | 14 +- ...olicy-csp-windowsdefendersecuritycenter.md | 24 +- .../mdm/policy-csp-windowsinkworkspace.md | 10 +- .../mdm/policy-csp-windowslogon.md | 84 +- .../mdm/policy-csp-windowspowershell.md | 19 +- .../mdm/policy-csp-windowssandbox.md | 48 +- .../mdm/policy-csp-wirelessdisplay.md | 38 +- windows/client-management/mdm/toc.yml | 28 +- 258 files changed, 22497 insertions(+), 17881 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a6b3e66295..83951a7148 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,10 +1,10 @@ --- title: ADMX-backed policies in Policy CSP -description: Learn about the ADMX-backed policies in Policy CSP. +description: Learn about the ADMX-backed policies in Policy CSP.. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,3014 @@ ms.topic: reference This article lists the ADMX-backed policies in Policy CSP. +## ActiveXControls + +- [ApprovedInstallationSites](policy-csp-activexcontrols.md) + +## ADMX_ActiveXInstallService + +- [AxISURLZonePolicies](policy-csp-admx-activexinstallservice.md) + +## ADMX_AddRemovePrograms + +- [NoServices](policy-csp-admx-addremoveprograms.md) +- [NoAddPage](policy-csp-admx-addremoveprograms.md) +- [NoWindowsSetupPage](policy-csp-admx-addremoveprograms.md) +- [NoRemovePage](policy-csp-admx-addremoveprograms.md) +- [NoAddFromCDorFloppy](policy-csp-admx-addremoveprograms.md) +- [NoAddFromInternet](policy-csp-admx-addremoveprograms.md) +- [NoAddFromNetwork](policy-csp-admx-addremoveprograms.md) +- [NoChooseProgramsPage](policy-csp-admx-addremoveprograms.md) +- [NoAddRemovePrograms](policy-csp-admx-addremoveprograms.md) +- [NoSupportInfo](policy-csp-admx-addremoveprograms.md) +- [DefaultCategory](policy-csp-admx-addremoveprograms.md) + +## ADMX_AdmPwd + +- [POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](policy-csp-admx-admpwd.md) +- [POL_AdmPwd_Enabled](policy-csp-admx-admpwd.md) +- [POL_AdmPwd_AdminName](policy-csp-admx-admpwd.md) +- [POL_AdmPwd](policy-csp-admx-admpwd.md) + +## ADMX_AppCompat + +- [AppCompatTurnOffProgramCompatibilityAssistant_1](policy-csp-admx-appcompat.md) +- [AppCompatPrevent16BitMach](policy-csp-admx-appcompat.md) +- [AppCompatRemoveProgramCompatPropPage](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffEngine](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffApplicationImpactTelemetry](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffProgramInventory](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffProgramCompatibilityAssistant_2](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffUserActionRecord](policy-csp-admx-appcompat.md) +- [AppCompatTurnOffSwitchBack](policy-csp-admx-appcompat.md) + +## ADMX_AppxPackageManager + +- [AllowDeploymentInSpecialProfiles](policy-csp-admx-appxpackagemanager.md) + +## ADMX_AppXRuntime + +- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md) +- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md) +- [AppxRuntimeApplicationContentUriRules](policy-csp-admx-appxruntime.md) + +## ADMX_AttachmentManager + +- [AM_SetFileRiskLevel](policy-csp-admx-attachmentmanager.md) +- [AM_SetHighRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_SetLowRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_SetModRiskInclusion](policy-csp-admx-attachmentmanager.md) +- [AM_EstimateFileHandlerRisk](policy-csp-admx-attachmentmanager.md) + +## ADMX_AuditSettings + +- [IncludeCmdLine](policy-csp-admx-auditsettings.md) + +## ADMX_Bits + +- [BITS_EnablePeercaching](policy-csp-admx-bits.md) +- [BITS_DisableBranchCache](policy-csp-admx-bits.md) +- [BITS_DisablePeercachingClient](policy-csp-admx-bits.md) +- [BITS_DisablePeercachingServer](policy-csp-admx-bits.md) +- [BITS_MaxContentAge](policy-csp-admx-bits.md) +- [BITS_MaxCacheSize](policy-csp-admx-bits.md) +- [BITS_MaxDownloadTime](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthServedForPeers](policy-csp-admx-bits.md) +- [BITS_MaxJobsPerUser](policy-csp-admx-bits.md) +- [BITS_MaxJobsPerMachine](policy-csp-admx-bits.md) +- [BITS_MaxFilesPerJob](policy-csp-admx-bits.md) +- [BITS_MaxRangesPerFile](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthV2_Maintenance](policy-csp-admx-bits.md) +- [BITS_MaxBandwidthV2_Work](policy-csp-admx-bits.md) + +## ADMX_CipherSuiteOrder + +- [SSLCurveOrder](policy-csp-admx-ciphersuiteorder.md) +- [SSLCipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) + +## ADMX_COM + +- [AppMgmt_COM_SearchForCLSID_1](policy-csp-admx-com.md) +- [AppMgmt_COM_SearchForCLSID_2](policy-csp-admx-com.md) + +## ADMX_ControlPanel + +- [ForceClassicControlPanel](policy-csp-admx-controlpanel.md) +- [DisallowCpls](policy-csp-admx-controlpanel.md) +- [NoControlPanel](policy-csp-admx-controlpanel.md) +- [RestrictCpls](policy-csp-admx-controlpanel.md) + +## ADMX_ControlPanelDisplay + +- [CPL_Display_Disable](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Display_HideSettings](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_EnableScreenSaver](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetVisualStyle](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetScreenSaver](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ScreenSaverIsSecure](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoColorAppearanceUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableColorSchemeChoice](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoDesktopBackgroundUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoDesktopIconsUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoMousePointersUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoScreenSaverUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoSoundSchemeUI](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableThemeChange](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_DisableVisualStyle](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_LockFontSize](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ScreenSaverTimeOut](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md) +- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md) + +## ADMX_Cpls + +- [UseDefaultTile](policy-csp-admx-cpls.md) + +## ADMX_CredentialProviders + +- [AllowDomainDelayLock](policy-csp-admx-credentialproviders.md) +- [DefaultCredentialProvider](policy-csp-admx-credentialproviders.md) +- [ExcludedCredentialProviders](policy-csp-admx-credentialproviders.md) + +## ADMX_CredSsp + +- [AllowDefaultCredentials](policy-csp-admx-credssp.md) +- [AllowDefCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [AllowFreshCredentials](policy-csp-admx-credssp.md) +- [AllowFreshCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [AllowSavedCredentials](policy-csp-admx-credssp.md) +- [AllowSavedCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md) +- [DenyDefaultCredentials](policy-csp-admx-credssp.md) +- [DenyFreshCredentials](policy-csp-admx-credssp.md) +- [DenySavedCredentials](policy-csp-admx-credssp.md) +- [AllowEncryptionOracle](policy-csp-admx-credssp.md) +- [RestrictedRemoteAdministration](policy-csp-admx-credssp.md) + +## ADMX_CredUI + +- [NoLocalPasswordResetQuestions](policy-csp-admx-credui.md) +- [EnableSecureCredentialPrompting](policy-csp-admx-credui.md) + +## ADMX_CtrlAltDel + +- [DisableChangePassword](policy-csp-admx-ctrlaltdel.md) +- [DisableLockComputer](policy-csp-admx-ctrlaltdel.md) +- [NoLogoff](policy-csp-admx-ctrlaltdel.md) +- [DisableTaskMgr](policy-csp-admx-ctrlaltdel.md) + +## ADMX_DataCollection + +- [CommercialIdPolicy](policy-csp-admx-datacollection.md) + +## ADMX_DCOM + +- [DCOMActivationSecurityCheckAllowLocalList](policy-csp-admx-dcom.md) +- [DCOMActivationSecurityCheckExemptionList](policy-csp-admx-dcom.md) + +## ADMX_Desktop + +- [AD_EnableFilter](policy-csp-admx-desktop.md) +- [AD_HideDirectoryFolder](policy-csp-admx-desktop.md) +- [AD_QueryLimit](policy-csp-admx-desktop.md) +- [sz_AdminComponents_Title](policy-csp-admx-desktop.md) +- [sz_DWP_NoHTMLPaper](policy-csp-admx-desktop.md) +- [Wallpaper](policy-csp-admx-desktop.md) +- [NoActiveDesktop](policy-csp-admx-desktop.md) +- [sz_ATC_NoComponents](policy-csp-admx-desktop.md) +- [ForceActiveDesktopOn](policy-csp-admx-desktop.md) +- [sz_ATC_DisableAdd](policy-csp-admx-desktop.md) +- [NoActiveDesktopChanges](policy-csp-admx-desktop.md) +- [sz_ATC_DisableClose](policy-csp-admx-desktop.md) +- [sz_ATC_DisableDel](policy-csp-admx-desktop.md) +- [sz_ATC_DisableEdit](policy-csp-admx-desktop.md) +- [NoRecentDocsNetHood](policy-csp-admx-desktop.md) +- [NoSaveSettings](policy-csp-admx-desktop.md) +- [NoDesktop](policy-csp-admx-desktop.md) +- [NoInternetIcon](policy-csp-admx-desktop.md) +- [NoNetHood](policy-csp-admx-desktop.md) +- [sz_DB_DragDropClose](policy-csp-admx-desktop.md) +- [sz_DB_Moving](policy-csp-admx-desktop.md) +- [NoMyComputerIcon](policy-csp-admx-desktop.md) +- [NoMyDocumentsIcon](policy-csp-admx-desktop.md) +- [NoPropertiesMyComputer](policy-csp-admx-desktop.md) +- [NoPropertiesMyDocuments](policy-csp-admx-desktop.md) +- [NoRecycleBinProperties](policy-csp-admx-desktop.md) +- [NoRecycleBinIcon](policy-csp-admx-desktop.md) +- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md) +- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md) +- [NoDesktop](policy-csp-admx-desktop.md) + +## ADMX_DeviceCompat + +- [DeviceFlags](policy-csp-admx-devicecompat.md) +- [DriverShims](policy-csp-admx-devicecompat.md) + +## ADMX_DeviceGuard + +- [ConfigCIPolicy](policy-csp-admx-deviceguard.md) + +## ADMX_DeviceInstallation + +- [DeviceInstall_InstallTimeout](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_AllowAdminInstall](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_DeniedPolicy_SimpleText](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_DeniedPolicy_DetailText](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_Policy_RebootTime](policy-csp-admx-deviceinstallation.md) +- [DeviceInstall_SystemRestore](policy-csp-admx-deviceinstallation.md) +- [DriverInstall_Classes_AllowUser](policy-csp-admx-deviceinstallation.md) + +## ADMX_DeviceSetup + +- [DriverSearchPlaces_SearchOrderConfiguration](policy-csp-admx-devicesetup.md) +- [DeviceInstall_BalloonTips](policy-csp-admx-devicesetup.md) + +## ADMX_DFS + +- [DFSDiscoverDC](policy-csp-admx-dfs.md) + +## ADMX_DigitalLocker + +- [Digitalx_DiableApplication_TitleText_1](policy-csp-admx-digitallocker.md) +- [Digitalx_DiableApplication_TitleText_2](policy-csp-admx-digitallocker.md) + +## ADMX_DiskDiagnostic + +- [DfdAlertPolicy](policy-csp-admx-diskdiagnostic.md) +- [WdiScenarioExecutionPolicy](policy-csp-admx-diskdiagnostic.md) + +## ADMX_DiskNVCache + +- [BootResumePolicy](policy-csp-admx-disknvcache.md) +- [CachePowerModePolicy](policy-csp-admx-disknvcache.md) +- [FeatureOffPolicy](policy-csp-admx-disknvcache.md) +- [SolidStatePolicy](policy-csp-admx-disknvcache.md) + +## ADMX_DiskQuota + +- [DQ_RemovableMedia](policy-csp-admx-diskquota.md) +- [DQ_Enable](policy-csp-admx-diskquota.md) +- [DQ_Enforce](policy-csp-admx-diskquota.md) +- [DQ_LogEventOverLimit](policy-csp-admx-diskquota.md) +- [DQ_LogEventOverThreshold](policy-csp-admx-diskquota.md) +- [DQ_Limit](policy-csp-admx-diskquota.md) + +## ADMX_DistributedLinkTracking + +- [DLT_AllowDomainMode](policy-csp-admx-distributedlinktracking.md) + +## ADMX_DnsClient + +- [DNS_AppendToMultiLabelName](policy-csp-admx-dnsclient.md) +- [DNS_AllowFQDNNetBiosQueries](policy-csp-admx-dnsclient.md) +- [DNS_Domain](policy-csp-admx-dnsclient.md) +- [DNS_NameServer](policy-csp-admx-dnsclient.md) +- [DNS_SearchList](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationEnabled](policy-csp-admx-dnsclient.md) +- [DNS_IdnMapping](policy-csp-admx-dnsclient.md) +- [DNS_PreferLocalResponsesOverLowerOrderDns](policy-csp-admx-dnsclient.md) +- [DNS_PrimaryDnsSuffix](policy-csp-admx-dnsclient.md) +- [DNS_UseDomainNameDevolution](policy-csp-admx-dnsclient.md) +- [DNS_DomainNameDevolutionLevel](policy-csp-admx-dnsclient.md) +- [DNS_RegisterAdapterName](policy-csp-admx-dnsclient.md) +- [DNS_RegisterReverseLookup](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationRefreshInterval](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationOverwritesInConflict](policy-csp-admx-dnsclient.md) +- [DNS_RegistrationTtl](policy-csp-admx-dnsclient.md) +- [DNS_IdnEncoding](policy-csp-admx-dnsclient.md) +- [Turn_Off_Multicast](policy-csp-admx-dnsclient.md) +- [DNS_SmartMultiHomedNameResolution](policy-csp-admx-dnsclient.md) +- [DNS_SmartProtocolReorder](policy-csp-admx-dnsclient.md) +- [DNS_UpdateSecurityLevel](policy-csp-admx-dnsclient.md) +- [DNS_UpdateTopLevelDomainZones](policy-csp-admx-dnsclient.md) + +## ADMX_DWM + +- [DwmDisallowAnimations_1](policy-csp-admx-dwm.md) +- [DwmDisallowColorizationColorChanges_1](policy-csp-admx-dwm.md) +- [DwmDefaultColorizationColor_1](policy-csp-admx-dwm.md) +- [DwmDisallowAnimations_2](policy-csp-admx-dwm.md) +- [DwmDisallowColorizationColorChanges_2](policy-csp-admx-dwm.md) +- [DwmDefaultColorizationColor_2](policy-csp-admx-dwm.md) + +## ADMX_EAIME + +- [L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](policy-csp-admx-eaime.md) +- [L_RestrictCharacterCodeRangeOfConversion](policy-csp-admx-eaime.md) +- [L_TurnOffCustomDictionary](policy-csp-admx-eaime.md) +- [L_TurnOffHistorybasedPredictiveInput](policy-csp-admx-eaime.md) +- [L_TurnOffInternetSearchIntegration](policy-csp-admx-eaime.md) +- [L_TurnOffOpenExtendedDictionary](policy-csp-admx-eaime.md) +- [L_TurnOffSavingAutoTuningDataToFile](policy-csp-admx-eaime.md) +- [L_TurnOnCloudCandidate](policy-csp-admx-eaime.md) +- [L_TurnOnCloudCandidateCHS](policy-csp-admx-eaime.md) +- [L_TurnOnLexiconUpdate](policy-csp-admx-eaime.md) +- [L_TurnOnLiveStickers](policy-csp-admx-eaime.md) +- [L_TurnOnMisconversionLoggingForMisconversionReport](policy-csp-admx-eaime.md) + +## ADMX_EncryptFilesonMove + +- [NoEncryptOnMove](policy-csp-admx-encryptfilesonmove.md) + +## ADMX_EnhancedStorage + +- [RootHubConnectedEnStorDevices](policy-csp-admx-enhancedstorage.md) +- [ApprovedEnStorDevices](policy-csp-admx-enhancedstorage.md) +- [ApprovedSilos](policy-csp-admx-enhancedstorage.md) +- [DisallowLegacyDiskDevices](policy-csp-admx-enhancedstorage.md) +- [DisablePasswordAuthentication](policy-csp-admx-enhancedstorage.md) +- [LockDeviceOnMachineLock](policy-csp-admx-enhancedstorage.md) + +## ADMX_ErrorReporting + +- [WerArchive_1](policy-csp-admx-errorreporting.md) +- [WerQueue_1](policy-csp-admx-errorreporting.md) +- [WerExlusion_1](policy-csp-admx-errorreporting.md) +- [WerAutoApproveOSDumps_1](policy-csp-admx-errorreporting.md) +- [WerDefaultConsent_1](policy-csp-admx-errorreporting.md) +- [WerConsentCustomize_1](policy-csp-admx-errorreporting.md) +- [WerConsentOverride_1](policy-csp-admx-errorreporting.md) +- [WerNoLogging_1](policy-csp-admx-errorreporting.md) +- [WerDisable_1](policy-csp-admx-errorreporting.md) +- [WerNoSecondLevelData_1](policy-csp-admx-errorreporting.md) +- [WerBypassDataThrottling_1](policy-csp-admx-errorreporting.md) +- [WerBypassPowerThrottling_1](policy-csp-admx-errorreporting.md) +- [WerBypassNetworkCostThrottling_1](policy-csp-admx-errorreporting.md) +- [WerCER](policy-csp-admx-errorreporting.md) +- [WerArchive_2](policy-csp-admx-errorreporting.md) +- [WerQueue_2](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneDef](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneInc](policy-csp-admx-errorreporting.md) +- [WerExlusion_2](policy-csp-admx-errorreporting.md) +- [PCH_AllOrNoneEx](policy-csp-admx-errorreporting.md) +- [PCH_ReportOperatingSystemFaults](policy-csp-admx-errorreporting.md) +- [WerAutoApproveOSDumps_2](policy-csp-admx-errorreporting.md) +- [PCH_ConfigureReport](policy-csp-admx-errorreporting.md) +- [WerDefaultConsent_2](policy-csp-admx-errorreporting.md) +- [WerConsentOverride_2](policy-csp-admx-errorreporting.md) +- [WerNoLogging_2](policy-csp-admx-errorreporting.md) +- [WerBypassDataThrottling_2](policy-csp-admx-errorreporting.md) +- [WerBypassPowerThrottling_2](policy-csp-admx-errorreporting.md) +- [WerBypassNetworkCostThrottling_2](policy-csp-admx-errorreporting.md) + +## ADMX_EventForwarding + +- [ForwarderResourceUsage](policy-csp-admx-eventforwarding.md) +- [SubscriptionManager](policy-csp-admx-eventforwarding.md) + +## ADMX_EventLog + +- [Channel_Log_AutoBackup_1](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_1](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_5](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_1](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_2](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_2](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_6](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_2](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_2](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_3](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_3](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_7](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_3](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_3](policy-csp-admx-eventlog.md) +- [Channel_LogMaxSize_3](policy-csp-admx-eventlog.md) +- [Channel_LogEnabled](policy-csp-admx-eventlog.md) +- [Channel_Log_AutoBackup_4](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_4](policy-csp-admx-eventlog.md) +- [Channel_Log_FileLogAccess_8](policy-csp-admx-eventlog.md) +- [Channel_Log_Retention_4](policy-csp-admx-eventlog.md) +- [Channel_LogFilePath_4](policy-csp-admx-eventlog.md) + +## ADMX_EventLogging + +- [EnableProtectedEventLogging](policy-csp-admx-eventlogging.md) + +## ADMX_EventViewer + +- [EventViewer_RedirectionProgram](policy-csp-admx-eventviewer.md) +- [EventViewer_RedirectionProgramCommandLineParameters](policy-csp-admx-eventviewer.md) +- [EventViewer_RedirectionURL](policy-csp-admx-eventviewer.md) + +## ADMX_Explorer + +- [AlwaysShowClassicMenu](policy-csp-admx-explorer.md) +- [PreventItemCreationInUsersFilesFolder](policy-csp-admx-explorer.md) +- [TurnOffSPIAnimations](policy-csp-admx-explorer.md) +- [DisableRoamedProfileInit](policy-csp-admx-explorer.md) +- [AdminInfoUrl](policy-csp-admx-explorer.md) + +## ADMX_ExternalBoot + +- [PortableOperatingSystem_Hibernate](policy-csp-admx-externalboot.md) +- [PortableOperatingSystem_Sleep](policy-csp-admx-externalboot.md) +- [PortableOperatingSystem_Launcher](policy-csp-admx-externalboot.md) + +## ADMX_FileRecovery + +- [WdiScenarioExecutionPolicy](policy-csp-admx-filerecovery.md) + +## ADMX_FileRevocation + +- [DelegatedPackageFamilyNames](policy-csp-admx-filerevocation.md) + +## ADMX_FileServerVSSProvider + +- [Pol_EncryptProtocol](policy-csp-admx-fileservervssprovider.md) + +## ADMX_FileSys + +- [DisableDeleteNotification](policy-csp-admx-filesys.md) +- [LongPathsEnabled](policy-csp-admx-filesys.md) +- [DisableCompression](policy-csp-admx-filesys.md) +- [DisableEncryption](policy-csp-admx-filesys.md) +- [TxfDeprecatedFunctionality](policy-csp-admx-filesys.md) +- [EnablePagefileEncryption](policy-csp-admx-filesys.md) +- [ShortNameCreationSettings](policy-csp-admx-filesys.md) +- [SymlinkEvaluation](policy-csp-admx-filesys.md) + +## ADMX_FolderRedirection + +- [DisableFRAdminPin](policy-csp-admx-folderredirection.md) +- [DisableFRAdminPinByFolder](policy-csp-admx-folderredirection.md) +- [FolderRedirectionEnableCacheRename](policy-csp-admx-folderredirection.md) +- [PrimaryComputer_FR_1](policy-csp-admx-folderredirection.md) +- [LocalizeXPRelativePaths_1](policy-csp-admx-folderredirection.md) +- [PrimaryComputer_FR_2](policy-csp-admx-folderredirection.md) +- [LocalizeXPRelativePaths_2](policy-csp-admx-folderredirection.md) + +## ADMX_FramePanes + +- [NoReadingPane](policy-csp-admx-framepanes.md) +- [NoPreviewPane](policy-csp-admx-framepanes.md) + +## ADMX_fthsvc + +- [WdiScenarioExecutionPolicy](policy-csp-admx-fthsvc.md) + +## ADMX_Globalization + +- [ImplicitDataCollectionOff_1](policy-csp-admx-globalization.md) +- [HideAdminOptions](policy-csp-admx-globalization.md) +- [HideCurrentLocation](policy-csp-admx-globalization.md) +- [HideLanguageSelection](policy-csp-admx-globalization.md) +- [HideLocaleSelectAndCustomize](policy-csp-admx-globalization.md) +- [RestrictUILangSelect](policy-csp-admx-globalization.md) +- [LockUserUILanguage](policy-csp-admx-globalization.md) +- [TurnOffAutocorrectMisspelledWords](policy-csp-admx-globalization.md) +- [TurnOffHighlightMisspelledWords](policy-csp-admx-globalization.md) +- [TurnOffInsertSpace](policy-csp-admx-globalization.md) +- [TurnOffOfferTextPredictions](policy-csp-admx-globalization.md) +- [Y2K](policy-csp-admx-globalization.md) +- [PreventGeoIdChange_1](policy-csp-admx-globalization.md) +- [CustomLocalesNoSelect_1](policy-csp-admx-globalization.md) +- [PreventUserOverrides_1](policy-csp-admx-globalization.md) +- [LocaleUserRestrict_1](policy-csp-admx-globalization.md) +- [ImplicitDataCollectionOff_2](policy-csp-admx-globalization.md) +- [LockMachineUILanguage](policy-csp-admx-globalization.md) +- [PreventGeoIdChange_2](policy-csp-admx-globalization.md) +- [BlockUserInputMethodsForSignIn](policy-csp-admx-globalization.md) +- [CustomLocalesNoSelect_2](policy-csp-admx-globalization.md) +- [PreventUserOverrides_2](policy-csp-admx-globalization.md) +- [LocaleSystemRestrict](policy-csp-admx-globalization.md) +- [LocaleUserRestrict_2](policy-csp-admx-globalization.md) + +## ADMX_GroupPolicy + +- [GPDCOptions](policy-csp-admx-grouppolicy.md) +- [GPTransferRate_1](policy-csp-admx-grouppolicy.md) +- [NewGPOLinksDisabled](policy-csp-admx-grouppolicy.md) +- [DenyRsopToInteractiveUser_1](policy-csp-admx-grouppolicy.md) +- [EnforcePoliciesOnly](policy-csp-admx-grouppolicy.md) +- [NewGPODisplayName](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRateUser](policy-csp-admx-grouppolicy.md) +- [DisableAutoADMUpdate](policy-csp-admx-grouppolicy.md) +- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) +- [AllowX-ForestPolicy-and-RUP](policy-csp-admx-grouppolicy.md) +- [OnlyUseLocalAdminFiles](policy-csp-admx-grouppolicy.md) +- [SlowlinkDefaultToAsync](policy-csp-admx-grouppolicy.md) +- [SlowLinkDefaultForDirectAccess](policy-csp-admx-grouppolicy.md) +- [CSE_DiskQuota](policy-csp-admx-grouppolicy.md) +- [CSE_EFSRecovery](policy-csp-admx-grouppolicy.md) +- [CSE_FolderRedirection](policy-csp-admx-grouppolicy.md) +- [EnableLogonOptimization](policy-csp-admx-grouppolicy.md) +- [GPTransferRate_2](policy-csp-admx-grouppolicy.md) +- [CSE_IEM](policy-csp-admx-grouppolicy.md) +- [CSE_IPSecurity](policy-csp-admx-grouppolicy.md) +- [LogonScriptDelay](policy-csp-admx-grouppolicy.md) +- [CSE_Registry](policy-csp-admx-grouppolicy.md) +- [CSE_Scripts](policy-csp-admx-grouppolicy.md) +- [CSE_Security](policy-csp-admx-grouppolicy.md) +- [CSE_AppMgmt](policy-csp-admx-grouppolicy.md) +- [UserPolicyMode](policy-csp-admx-grouppolicy.md) +- [CSE_Wired](policy-csp-admx-grouppolicy.md) +- [CSE_Wireless](policy-csp-admx-grouppolicy.md) +- [EnableCDP](policy-csp-admx-grouppolicy.md) +- [DenyRsopToInteractiveUser_2](policy-csp-admx-grouppolicy.md) +- [ResetDfsClientInfoDuringRefreshPolicy](policy-csp-admx-grouppolicy.md) +- [EnableLogonOptimizationOnServerSKU](policy-csp-admx-grouppolicy.md) +- [EnableMMX](policy-csp-admx-grouppolicy.md) +- [DisableUsersFromMachGP](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRate](policy-csp-admx-grouppolicy.md) +- [GroupPolicyRefreshRateDC](policy-csp-admx-grouppolicy.md) +- [SyncWaitTime](policy-csp-admx-grouppolicy.md) +- [CorpConnSyncWaitTime](policy-csp-admx-grouppolicy.md) +- [DisableBackgroundPolicy](policy-csp-admx-grouppolicy.md) +- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md) +- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md) +- [RSoPLogging](policy-csp-admx-grouppolicy.md) +- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md) +- [FontMitigation](policy-csp-admx-grouppolicy.md) + +## ADMX_Help + +- [RestrictRunFromHelp](policy-csp-admx-help.md) +- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md) +- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md) +- [DisableHHDEP](policy-csp-admx-help.md) + +## ADMX_HelpAndSupport + +- [HPImplicitFeedback](policy-csp-admx-helpandsupport.md) +- [HPExplicitFeedback](policy-csp-admx-helpandsupport.md) +- [HPOnlineAssistance](policy-csp-admx-helpandsupport.md) +- [ActiveHelp](policy-csp-admx-helpandsupport.md) + +## ADMX_hotspotauth + +- [HotspotAuth_Enable](policy-csp-admx-hotspotauth.md) + +## ADMX_ICM + +- [ShellNoUseStoreOpenWith_1](policy-csp-admx-icm.md) +- [DisableWebPnPDownload_1](policy-csp-admx-icm.md) +- [ShellPreventWPWDownload_1](policy-csp-admx-icm.md) +- [ShellNoUseInternetOpenWith_1](policy-csp-admx-icm.md) +- [DisableHTTPPrinting_1](policy-csp-admx-icm.md) +- [ShellRemoveOrderPrints_1](policy-csp-admx-icm.md) +- [ShellRemovePublishToWeb_1](policy-csp-admx-icm.md) +- [WinMSG_NoInstrumentation_1](policy-csp-admx-icm.md) +- [InternetManagement_RestrictCommunication_1](policy-csp-admx-icm.md) +- [RemoveWindowsUpdate_ICM](policy-csp-admx-icm.md) +- [ShellNoUseStoreOpenWith_2](policy-csp-admx-icm.md) +- [CertMgr_DisableAutoRootUpdates](policy-csp-admx-icm.md) +- [EventViewer_DisableLinks](policy-csp-admx-icm.md) +- [HSS_HeadlinesPolicy](policy-csp-admx-icm.md) +- [HSS_KBSearchPolicy](policy-csp-admx-icm.md) +- [NC_ExitOnISP](policy-csp-admx-icm.md) +- [ShellNoUseInternetOpenWith_2](policy-csp-admx-icm.md) +- [NC_NoRegistration](policy-csp-admx-icm.md) +- [SearchCompanion_DisableFileUpdates](policy-csp-admx-icm.md) +- [ShellRemoveOrderPrints_2](policy-csp-admx-icm.md) +- [ShellRemovePublishToWeb_2](policy-csp-admx-icm.md) +- [WinMSG_NoInstrumentation_2](policy-csp-admx-icm.md) +- [CEIPEnable](policy-csp-admx-icm.md) +- [PCH_DoNotReport](policy-csp-admx-icm.md) +- [DriverSearchPlaces_DontSearchWindowsUpdate](policy-csp-admx-icm.md) +- [InternetManagement_RestrictCommunication_2](policy-csp-admx-icm.md) + +## ADMX_IIS + +- [PreventIISInstall](policy-csp-admx-iis.md) + +## ADMX_iSCSI + +- [iSCSIGeneral_RestrictAdditionalLogins](policy-csp-admx-iscsi.md) +- [iSCSIGeneral_ChangeIQNName](policy-csp-admx-iscsi.md) +- [iSCSISecurity_ChangeCHAPSecret](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireIPSec](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireMutualCHAP](policy-csp-admx-iscsi.md) +- [iSCSISecurity_RequireOneWayCHAP](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_NewStaticTargets](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureTargets](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureiSNSServers](policy-csp-admx-iscsi.md) +- [iSCSIDiscovery_ConfigureTargetPortals](policy-csp-admx-iscsi.md) + +## ADMX_kdc + +- [CbacAndArmor](policy-csp-admx-kdc.md) +- [PKINITFreshness](policy-csp-admx-kdc.md) +- [emitlili](policy-csp-admx-kdc.md) +- [RequestCompoundId](policy-csp-admx-kdc.md) +- [ForestSearch](policy-csp-admx-kdc.md) +- [TicketSizeThreshold](policy-csp-admx-kdc.md) + +## ADMX_Kerberos + +- [AlwaysSendCompoundId](policy-csp-admx-kerberos.md) +- [HostToRealm](policy-csp-admx-kerberos.md) +- [MitRealms](policy-csp-admx-kerberos.md) +- [KdcProxyDisableServerRevocationCheck](policy-csp-admx-kerberos.md) +- [StrictTarget](policy-csp-admx-kerberos.md) +- [KdcProxyServer](policy-csp-admx-kerberos.md) +- [ServerAcceptsCompound](policy-csp-admx-kerberos.md) +- [DevicePKInitEnabled](policy-csp-admx-kerberos.md) + +## ADMX_LanmanServer + +- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanserver.md) +- [Pol_HashPublication](policy-csp-admx-lanmanserver.md) +- [Pol_HashSupportVersion](policy-csp-admx-lanmanserver.md) +- [Pol_HonorCipherSuiteOrder](policy-csp-admx-lanmanserver.md) + +## ADMX_LanmanWorkstation + +- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanworkstation.md) +- [Pol_EnableHandleCachingForCAFiles](policy-csp-admx-lanmanworkstation.md) +- [Pol_EnableOfflineFilesforCAShares](policy-csp-admx-lanmanworkstation.md) + +## ADMX_LeakDiagnostic + +- [WdiScenarioExecutionPolicy](policy-csp-admx-leakdiagnostic.md) + +## ADMX_LinkLayerTopologyDiscovery + +- [LLTD_EnableLLTDIO](policy-csp-admx-linklayertopologydiscovery.md) +- [LLTD_EnableRspndr](policy-csp-admx-linklayertopologydiscovery.md) + +## ADMX_LocationProviderAdm + +- [DisableWindowsLocationProvider_1](policy-csp-admx-locationprovideradm.md) + +## ADMX_Logon + +- [NoWelcomeTips_1](policy-csp-admx-logon.md) +- [DisableExplorerRunLegacy_1](policy-csp-admx-logon.md) +- [DisableExplorerRunOnceLegacy_1](policy-csp-admx-logon.md) +- [Run_1](policy-csp-admx-logon.md) +- [VerboseStatus](policy-csp-admx-logon.md) +- [UseOEMBackground](policy-csp-admx-logon.md) +- [SyncForegroundPolicy](policy-csp-admx-logon.md) +- [BlockUserFromShowingAccountDetailsOnSignin](policy-csp-admx-logon.md) +- [NoWelcomeTips_2](policy-csp-admx-logon.md) +- [DontEnumerateConnectedUsers](policy-csp-admx-logon.md) +- [DisableExplorerRunLegacy_2](policy-csp-admx-logon.md) +- [DisableExplorerRunOnceLegacy_2](policy-csp-admx-logon.md) +- [Run_2](policy-csp-admx-logon.md) +- [DisableAcrylicBackgroundOnLogon](policy-csp-admx-logon.md) +- [DisableStatusMessages](policy-csp-admx-logon.md) + +## ADMX_MicrosoftDefenderAntivirus + +- [ServiceKeepAlive](policy-csp-admx-microsoftdefenderantivirus.md) +- [AllowFastServiceStartup](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_CustomDefaultActionToastString](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_UILockdown](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_Notification_Suppress](policy-csp-admx-microsoftdefenderantivirus.md) +- [UX_Configuration_SuppressRebootNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableLocalAdminMerge](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyBypass](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyPacUrl](policy-csp-admx-microsoftdefenderantivirus.md) +- [ProxyServer](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Extensions](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Paths](policy-csp-admx-microsoftdefenderantivirus.md) +- [Exclusions_Processes](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableAutoExclusions](policy-csp-admx-microsoftdefenderantivirus.md) +- [Spynet_LocalSettingOverrideSpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableBlockAtFirstSeen](policy-csp-admx-microsoftdefenderantivirus.md) +- [SpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ASR_Rules](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ASR_ASROnlyExclusions](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ControlledFolderAccess_AllowedApplications](policy-csp-admx-microsoftdefenderantivirus.md) +- [ExploitGuard_ControlledFolderAccess_ProtectedFolders](policy-csp-admx-microsoftdefenderantivirus.md) +- [MpEngine_EnableFileHashComputation](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_Consumers_IPS_DisableSignatureRetirement](policy-csp-admx-microsoftdefenderantivirus.md) +- [Nis_DisableProtocolRecognition](policy-csp-admx-microsoftdefenderantivirus.md) +- [Quarantine_LocalSettingOverridePurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Quarantine_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [RandomizeScheduleTaskTimes](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_IOAVMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableScanOnRealtimeEnable](policy-csp-admx-microsoftdefenderantivirus.md) +- [RealtimeProtection_DisableRawWriteNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_LocalSettingOverrideScan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Remediation_Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_CriticalFailureTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_NonCriticalTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_RecentlyCleanedTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_AdditionalActionTimeout](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_DisablegenericrePorts](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_WppTracingComponents](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_WppTracingLevel](policy-csp-admx-microsoftdefenderantivirus.md) +- [Reporting_DisableEnhancedNotifications](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_AllowPause](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideAvgCPULoadFactor](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleQuickScantime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LocalSettingOverrideScanParameters](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_LowCpuPriority](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableRestorePoint](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_MissedScheduledScanCountBeforeCatchup](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableScanningMappedNetworkDrivesForFullScan](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableArchiveScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableScanningNetworkFiles](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisablePackedExeScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableRemovableDriveScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_QuickScanInterval](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ArchiveMaxDepth](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ArchiveMaxSize](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_ScanOnlyIfIdle](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableEmailScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableHeuristics](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md) +- [Scan_DisableReparsePointScanning](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SignatureDisableNotification](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_RealtimeSignatureDelivery](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ForceUpdateFromMU](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableScheduledSignatureUpdateonBattery](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_UpdateOnStartup](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DefinitionUpdateFileSharesSources](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SharedSignaturesLocation](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_SignatureUpdateCatchupInterval](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ASSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_AVSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_FallbackOrder](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableUpdateOnStartupWithoutEngine](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md) +- [SignatureUpdate_DisableScanOnUpdate](policy-csp-admx-microsoftdefenderantivirus.md) +- [Threats_ThreatIdDefaultAction](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableAntiSpywareDefender](policy-csp-admx-microsoftdefenderantivirus.md) +- [DisableRoutinelyTakingAction](policy-csp-admx-microsoftdefenderantivirus.md) + +## ADMX_MMC + +- [MMC_Restrict_Author](policy-csp-admx-mmc.md) +- [MMC_Restrict_To_Permitted_Snapins](policy-csp-admx-mmc.md) +- [MMC_ActiveXControl](policy-csp-admx-mmc.md) +- [MMC_ExtendView](policy-csp-admx-mmc.md) +- [MMC_LinkToWeb](policy-csp-admx-mmc.md) + +## ADMX_MMCSnapins + +- [MMC_Net_Framework](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirDomTrusts](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirSitesServices](policy-csp-admx-mmcsnapins.md) +- [MMC_ActiveDirUsersComp](policy-csp-admx-mmcsnapins.md) +- [MMC_ADSI](policy-csp-admx-mmcsnapins.md) +- [MMC_CertsTemplate](policy-csp-admx-mmcsnapins.md) +- [MMC_Certs](policy-csp-admx-mmcsnapins.md) +- [MMC_CertAuth](policy-csp-admx-mmcsnapins.md) +- [MMC_ComponentServices](policy-csp-admx-mmcsnapins.md) +- [MMC_ComputerManagement](policy-csp-admx-mmcsnapins.md) +- [MMC_DeviceManager_2](policy-csp-admx-mmcsnapins.md) +- [MMC_DiskDefrag](policy-csp-admx-mmcsnapins.md) +- [MMC_DiskMgmt](policy-csp-admx-mmcsnapins.md) +- [MMC_DFS](policy-csp-admx-mmcsnapins.md) +- [MMC_EnterprisePKI](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_3](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_4](policy-csp-admx-mmcsnapins.md) +- [MMC_AppleTalkRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_AuthMan](policy-csp-admx-mmcsnapins.md) +- [MMC_CertAuthPolSet](policy-csp-admx-mmcsnapins.md) +- [MMC_ConnectionSharingNAT](policy-csp-admx-mmcsnapins.md) +- [MMC_DCOMCFG](policy-csp-admx-mmcsnapins.md) +- [MMC_DeviceManager_1](policy-csp-admx-mmcsnapins.md) +- [MMC_DHCPRelayMgmt](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_1](policy-csp-admx-mmcsnapins.md) +- [MMC_EventViewer_2](policy-csp-admx-mmcsnapins.md) +- [MMC_IASLogging](policy-csp-admx-mmcsnapins.md) +- [MMC_IGMPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXRIPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_IPXSAPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_LogicalMappedDrives](policy-csp-admx-mmcsnapins.md) +- [MMC_OSPFRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_PublicKey](policy-csp-admx-mmcsnapins.md) +- [MMC_RAS_DialinUser](policy-csp-admx-mmcsnapins.md) +- [MMC_RemoteAccess](policy-csp-admx-mmcsnapins.md) +- [MMC_RemStore](policy-csp-admx-mmcsnapins.md) +- [MMC_RIPRouting](policy-csp-admx-mmcsnapins.md) +- [MMC_Routing](policy-csp-admx-mmcsnapins.md) +- [MMC_SendConsoleMessage](policy-csp-admx-mmcsnapins.md) +- [MMC_ServiceDependencies](policy-csp-admx-mmcsnapins.md) +- [MMC_SharedFolders_Ext](policy-csp-admx-mmcsnapins.md) +- [MMC_SMTPProtocol](policy-csp-admx-mmcsnapins.md) +- [MMC_SNMP](policy-csp-admx-mmcsnapins.md) +- [MMC_SysProp](policy-csp-admx-mmcsnapins.md) +- [MMC_FailoverClusters](policy-csp-admx-mmcsnapins.md) +- [MMC_FAXService](policy-csp-admx-mmcsnapins.md) +- [MMC_FrontPageExt](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicyManagementSnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicySnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMComputers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMUsers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_FolderRedirection_1](policy-csp-admx-mmcsnapins.md) +- [MMC_IEMaintenance_1](policy-csp-admx-mmcsnapins.md) +- [MMC_IPSecManage_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_NapSnap_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_RIS](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsUser_1](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsMachine_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SecuritySettings_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstalationComputers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstallationUsers_1](policy-csp-admx-mmcsnapins.md) +- [MMC_WindowsFirewall_GP](policy-csp-admx-mmcsnapins.md) +- [MMC_WiredNetworkPolicy](policy-csp-admx-mmcsnapins.md) +- [MMC_WirelessNetworkPolicy](policy-csp-admx-mmcsnapins.md) +- [MMC_GroupPolicyTab](policy-csp-admx-mmcsnapins.md) +- [MMC_ResultantSetOfPolicySnapIn](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMComputers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ADMUsers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_FolderRedirection_2](policy-csp-admx-mmcsnapins.md) +- [MMC_IEMaintenance_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsUser_2](policy-csp-admx-mmcsnapins.md) +- [MMC_ScriptsMachine_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SecuritySettings_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstalationComputers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_SoftwareInstallationUsers_2](policy-csp-admx-mmcsnapins.md) +- [MMC_HRA](policy-csp-admx-mmcsnapins.md) +- [MMC_IndexingService](policy-csp-admx-mmcsnapins.md) +- [MMC_IAS](policy-csp-admx-mmcsnapins.md) +- [MMC_IIS](policy-csp-admx-mmcsnapins.md) +- [MMC_IpSecMonitor](policy-csp-admx-mmcsnapins.md) +- [MMC_IpSecManage](policy-csp-admx-mmcsnapins.md) +- [MMC_LocalUsersGroups](policy-csp-admx-mmcsnapins.md) +- [MMC_NapSnap](policy-csp-admx-mmcsnapins.md) +- [MMC_NPSUI](policy-csp-admx-mmcsnapins.md) +- [MMC_OCSP](policy-csp-admx-mmcsnapins.md) +- [MMC_PerfLogsAlerts](policy-csp-admx-mmcsnapins.md) +- [MMC_QoSAdmission](policy-csp-admx-mmcsnapins.md) +- [MMC_TerminalServices](policy-csp-admx-mmcsnapins.md) +- [MMC_RemoteDesktop](policy-csp-admx-mmcsnapins.md) +- [MMC_RSM](policy-csp-admx-mmcsnapins.md) +- [MMC_RRA](policy-csp-admx-mmcsnapins.md) +- [MMC_SCA](policy-csp-admx-mmcsnapins.md) +- [MMC_SecurityTemplates](policy-csp-admx-mmcsnapins.md) +- [MMC_ServerManager](policy-csp-admx-mmcsnapins.md) +- [MMC_Services](policy-csp-admx-mmcsnapins.md) +- [MMC_SharedFolders](policy-csp-admx-mmcsnapins.md) +- [MMC_SysInfo](policy-csp-admx-mmcsnapins.md) +- [MMC_Telephony](policy-csp-admx-mmcsnapins.md) +- [MMC_TPMManagement](policy-csp-admx-mmcsnapins.md) +- [MMC_WindowsFirewall](policy-csp-admx-mmcsnapins.md) +- [MMC_WirelessMon](policy-csp-admx-mmcsnapins.md) +- [MMC_WMI](policy-csp-admx-mmcsnapins.md) + +## ADMX_MobilePCMobilityCenter + +- [MobilityCenterEnable_1](policy-csp-admx-mobilepcmobilitycenter.md) +- [MobilityCenterEnable_2](policy-csp-admx-mobilepcmobilitycenter.md) + +## ADMX_MobilePCPresentationSettings + +- [PresentationSettingsEnable_1](policy-csp-admx-mobilepcpresentationsettings.md) +- [PresentationSettingsEnable_2](policy-csp-admx-mobilepcpresentationsettings.md) + +## ADMX_MSAPolicy + +- [MicrosoftAccount_DisableUserAuth](policy-csp-admx-msapolicy.md) + +## ADMX_msched + +- [ActivationBoundaryPolicy](policy-csp-admx-msched.md) +- [RandomDelayPolicy](policy-csp-admx-msched.md) + +## ADMX_MSDT + +- [WdiScenarioExecutionPolicy](policy-csp-admx-msdt.md) +- [MsdtToolDownloadPolicy](policy-csp-admx-msdt.md) +- [MsdtSupportProvider](policy-csp-admx-msdt.md) + +## ADMX_MSI + +- [DisableMedia](policy-csp-admx-msi.md) +- [DisableRollback_1](policy-csp-admx-msi.md) +- [SearchOrder](policy-csp-admx-msi.md) +- [AllowLockdownBrowse](policy-csp-admx-msi.md) +- [AllowLockdownPatch](policy-csp-admx-msi.md) +- [AllowLockdownMedia](policy-csp-admx-msi.md) +- [MSI_MaxPatchCacheSize](policy-csp-admx-msi.md) +- [MSI_EnforceUpgradeComponentRules](policy-csp-admx-msi.md) +- [MsiDisableEmbeddedUI](policy-csp-admx-msi.md) +- [SafeForScripting](policy-csp-admx-msi.md) +- [DisablePatch](policy-csp-admx-msi.md) +- [DisableFlyweightPatching](policy-csp-admx-msi.md) +- [MSI_DisableLUAPatching](policy-csp-admx-msi.md) +- [MSI_DisablePatchUninstall](policy-csp-admx-msi.md) +- [DisableRollback_2](policy-csp-admx-msi.md) +- [DisableAutomaticApplicationShutdown](policy-csp-admx-msi.md) +- [MSI_DisableUserInstalls](policy-csp-admx-msi.md) +- [DisableBrowse](policy-csp-admx-msi.md) +- [TransformsSecure](policy-csp-admx-msi.md) +- [MSILogging](policy-csp-admx-msi.md) +- [MSI_DisableSRCheckPoints](policy-csp-admx-msi.md) +- [DisableLoggingFromPackage](policy-csp-admx-msi.md) +- [DisableSharedComponent](policy-csp-admx-msi.md) +- [DisableMSI](policy-csp-admx-msi.md) + +## ADMX_MsiFileRecovery + +- [WdiScenarioExecutionPolicy](policy-csp-admx-msifilerecovery.md) + +## ADMX_MSS-legacy + +- [Pol_MSS_AutoAdminLogon](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoReboot](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoShareServer](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_AutoShareWks](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_DisableSavePassword](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_EnableDeadGWDetect](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_HideFromBrowseList](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_KeepAliveTime](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_NoDefaultExempt](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_NtfsDisable8dot3NameCreation](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_PerformRouterDiscovery](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_SafeDllSearchMode](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_ScreenSaverGracePeriod](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_SynAttackProtect](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxConnectResponseRetransmissions](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxDataRetransmissionsIPv6](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_TcpMaxDataRetransmissions](policy-csp-admx-mss-legacy.md) +- [Pol_MSS_WarningLevel](policy-csp-admx-mss-legacy.md) + +## ADMX_nca + +- [CorporateResources](policy-csp-admx-nca.md) +- [CustomCommands](policy-csp-admx-nca.md) +- [PassiveMode](policy-csp-admx-nca.md) +- [FriendlyName](policy-csp-admx-nca.md) +- [DTEs](policy-csp-admx-nca.md) +- [LocalNamesOn](policy-csp-admx-nca.md) +- [SupportEmail](policy-csp-admx-nca.md) +- [ShowUI](policy-csp-admx-nca.md) + +## ADMX_NCSI + +- [NCSI_CorpDnsProbeContent](policy-csp-admx-ncsi.md) +- [NCSI_CorpDnsProbeHost](policy-csp-admx-ncsi.md) +- [NCSI_CorpSitePrefixes](policy-csp-admx-ncsi.md) +- [NCSI_CorpWebProbeUrl](policy-csp-admx-ncsi.md) +- [NCSI_DomainLocationDeterminationUrl](policy-csp-admx-ncsi.md) +- [NCSI_GlobalDns](policy-csp-admx-ncsi.md) +- [NCSI_PassivePolling](policy-csp-admx-ncsi.md) + +## ADMX_Netlogon + +- [Netlogon_AllowNT4Crypto](policy-csp-admx-netlogon.md) +- [Netlogon_AvoidPdcOnWan](policy-csp-admx-netlogon.md) +- [Netlogon_IgnoreIncomingMailslotMessages](policy-csp-admx-netlogon.md) +- [Netlogon_AvoidFallbackNetbiosDiscovery](policy-csp-admx-netlogon.md) +- [Netlogon_ForceRediscoveryInterval](policy-csp-admx-netlogon.md) +- [Netlogon_AddressTypeReturned](policy-csp-admx-netlogon.md) +- [Netlogon_LdapSrvPriority](policy-csp-admx-netlogon.md) +- [Netlogon_DnsTtl](policy-csp-admx-netlogon.md) +- [Netlogon_LdapSrvWeight](policy-csp-admx-netlogon.md) +- [Netlogon_AddressLookupOnPingBehavior](policy-csp-admx-netlogon.md) +- [Netlogon_DnsAvoidRegisterRecords](policy-csp-admx-netlogon.md) +- [Netlogon_UseDynamicDns](policy-csp-admx-netlogon.md) +- [Netlogon_DnsRefreshInterval](policy-csp-admx-netlogon.md) +- [Netlogon_NdncSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_SiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_GcSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_TryNextClosestSite](policy-csp-admx-netlogon.md) +- [Netlogon_AutoSiteCoverage](policy-csp-admx-netlogon.md) +- [Netlogon_AllowDnsSuffixSearch](policy-csp-admx-netlogon.md) +- [Netlogon_AllowSingleLabelDnsDomain](policy-csp-admx-netlogon.md) +- [Netlogon_DnsSrvRecordUseLowerCaseHostNames](policy-csp-admx-netlogon.md) +- [Netlogon_NetlogonShareCompatibilityMode](policy-csp-admx-netlogon.md) +- [Netlogon_ScavengeInterval](policy-csp-admx-netlogon.md) +- [Netlogon_SysvolShareCompatibilityMode](policy-csp-admx-netlogon.md) +- [Netlogon_ExpectedDialupDelay](policy-csp-admx-netlogon.md) +- [Netlogon_DebugFlag](policy-csp-admx-netlogon.md) +- [Netlogon_MaximumLogFileSize](policy-csp-admx-netlogon.md) +- [Netlogon_NegativeCachePeriod](policy-csp-admx-netlogon.md) +- [Netlogon_NonBackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_SiteName](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryQuitTime](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryInitialPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundRetryMaximumPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_BackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md) +- [Netlogon_PingUrgencyMode](policy-csp-admx-netlogon.md) + +## ADMX_NetworkConnections + +- [NC_RasAllUserProperties](policy-csp-admx-networkconnections.md) +- [NC_DeleteAllUserConnection](policy-csp-admx-networkconnections.md) +- [NC_LanConnect](policy-csp-admx-networkconnections.md) +- [NC_RenameAllUserRasConnection](policy-csp-admx-networkconnections.md) +- [NC_RenameLanConnection](policy-csp-admx-networkconnections.md) +- [NC_RenameConnection](policy-csp-admx-networkconnections.md) +- [NC_EnableAdminProhibits](policy-csp-admx-networkconnections.md) +- [NC_LanProperties](policy-csp-admx-networkconnections.md) +- [NC_LanChangeProperties](policy-csp-admx-networkconnections.md) +- [NC_RasChangeProperties](policy-csp-admx-networkconnections.md) +- [NC_AdvancedSettings](policy-csp-admx-networkconnections.md) +- [NC_NewConnectionWizard](policy-csp-admx-networkconnections.md) +- [NC_DialupPrefs](policy-csp-admx-networkconnections.md) +- [NC_AddRemoveComponents](policy-csp-admx-networkconnections.md) +- [NC_RasMyProperties](policy-csp-admx-networkconnections.md) +- [NC_RasConnect](policy-csp-admx-networkconnections.md) +- [NC_DeleteConnection](policy-csp-admx-networkconnections.md) +- [NC_ChangeBindState](policy-csp-admx-networkconnections.md) +- [NC_RenameMyRasConnection](policy-csp-admx-networkconnections.md) +- [NC_AllowAdvancedTCPIPConfig](policy-csp-admx-networkconnections.md) +- [NC_Statistics](policy-csp-admx-networkconnections.md) +- [NC_IpStateChecking](policy-csp-admx-networkconnections.md) +- [NC_DoNotShowLocalOnlyIcon](policy-csp-admx-networkconnections.md) +- [NC_PersonalFirewallConfig](policy-csp-admx-networkconnections.md) +- [NC_ShowSharedAccessUI](policy-csp-admx-networkconnections.md) +- [NC_StdDomainUserSetLocation](policy-csp-admx-networkconnections.md) +- [NC_ForceTunneling](policy-csp-admx-networkconnections.md) + +## ADMX_OfflineFiles + +- [Pol_GoOfflineAction_1](policy-csp-admx-offlinefiles.md) +- [Pol_EventLoggingLevel_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderInitTimeout_1](policy-csp-admx-offlinefiles.md) +- [Pol_CustomGoOfflineActions_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoCacheViewer_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoConfigCache_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderFreq_1](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderTimeout_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoMakeAvailableOffline_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoPinFiles_1](policy-csp-admx-offlinefiles.md) +- [Pol_WorkOfflineDisabled_1](policy-csp-admx-offlinefiles.md) +- [Pol_AssignedOfflineFiles_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogoff_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogon_1](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtSuspend_1](policy-csp-admx-offlinefiles.md) +- [Pol_NoReminders_1](policy-csp-admx-offlinefiles.md) +- [Pol_GoOfflineAction_2](policy-csp-admx-offlinefiles.md) +- [Pol_Enabled](policy-csp-admx-offlinefiles.md) +- [Pol_PurgeAtLogoff](policy-csp-admx-offlinefiles.md) +- [Pol_BackgroundSyncSettings](policy-csp-admx-offlinefiles.md) +- [Pol_SlowLinkSpeed](policy-csp-admx-offlinefiles.md) +- [Pol_SlowLinkSettings](policy-csp-admx-offlinefiles.md) +- [Pol_DefCacheSize](policy-csp-admx-offlinefiles.md) +- [Pol_ExclusionListSettings](policy-csp-admx-offlinefiles.md) +- [Pol_SyncOnCostedNetwork](policy-csp-admx-offlinefiles.md) +- [Pol_OnlineCachingSettings](policy-csp-admx-offlinefiles.md) +- [Pol_EncryptOfflineFiles](policy-csp-admx-offlinefiles.md) +- [Pol_EventLoggingLevel_2](policy-csp-admx-offlinefiles.md) +- [Pol_ExtExclusionList](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderInitTimeout_2](policy-csp-admx-offlinefiles.md) +- [Pol_CacheSize](policy-csp-admx-offlinefiles.md) +- [Pol_CustomGoOfflineActions_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoCacheViewer_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoConfigCache_2](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderFreq_2](policy-csp-admx-offlinefiles.md) +- [Pol_ReminderTimeout_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoMakeAvailableOffline_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoPinFiles_2](policy-csp-admx-offlinefiles.md) +- [Pol_WorkOfflineDisabled_2](policy-csp-admx-offlinefiles.md) +- [Pol_AssignedOfflineFiles_2](policy-csp-admx-offlinefiles.md) +- [Pol_AlwaysPinSubFolders](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogoff_2](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtLogon_2](policy-csp-admx-offlinefiles.md) +- [Pol_SyncAtSuspend_2](policy-csp-admx-offlinefiles.md) +- [Pol_NoReminders_2](policy-csp-admx-offlinefiles.md) +- [Pol_QuickAdimPin](policy-csp-admx-offlinefiles.md) + +## ADMX_pca + +- [DetectDeprecatedCOMComponentFailuresPolicy](policy-csp-admx-pca.md) +- [DetectDeprecatedComponentFailuresPolicy](policy-csp-admx-pca.md) +- [DetectInstallFailuresPolicy](policy-csp-admx-pca.md) +- [DetectUndetectedInstallersPolicy](policy-csp-admx-pca.md) +- [DetectUpdateFailuresPolicy](policy-csp-admx-pca.md) +- [DisablePcaUIPolicy](policy-csp-admx-pca.md) +- [DetectBlockedDriversPolicy](policy-csp-admx-pca.md) + +## ADMX_PeerToPeerCaching + +- [EnableWindowsBranchCache_SMB](policy-csp-admx-peertopeercaching.md) +- [SetDowngrading](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_HostedMultipleServers](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_HostedCacheDiscovery](policy-csp-admx-peertopeercaching.md) +- [SetDataCacheEntryMaxAge](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_Distributed](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache_Hosted](policy-csp-admx-peertopeercaching.md) +- [SetCachePercent](policy-csp-admx-peertopeercaching.md) +- [EnableWindowsBranchCache](policy-csp-admx-peertopeercaching.md) + +## ADMX_PenTraining + +- [PenTrainingOff_1](policy-csp-admx-pentraining.md) +- [PenTrainingOff_2](policy-csp-admx-pentraining.md) + +## ADMX_PerformanceDiagnostics + +- [WdiScenarioExecutionPolicy_1](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_3](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_4](policy-csp-admx-performancediagnostics.md) +- [WdiScenarioExecutionPolicy_2](policy-csp-admx-performancediagnostics.md) + +## ADMX_Power + +- [PW_PromptPasswordOnResume](policy-csp-admx-power.md) +- [Dont_PowerOff_AfterShutdown](policy-csp-admx-power.md) +- [DCStartMenuButtonAction_2](policy-csp-admx-power.md) +- [ACStartMenuButtonAction_2](policy-csp-admx-power.md) +- [DiskDCPowerDownTimeOut_2](policy-csp-admx-power.md) +- [DiskACPowerDownTimeOut_2](policy-csp-admx-power.md) +- [DCBatteryDischargeAction0_2](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel0_2](policy-csp-admx-power.md) +- [DCBatteryDischargeAction1_2](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel1_2](policy-csp-admx-power.md) +- [ReserveBatteryNotificationLevel](policy-csp-admx-power.md) +- [DCBatteryDischargeLevel1UINotification_2](policy-csp-admx-power.md) +- [PowerThrottlingTurnOff](policy-csp-admx-power.md) +- [InboxActiveSchemeOverride_2](policy-csp-admx-power.md) +- [AllowSystemPowerRequestDC](policy-csp-admx-power.md) +- [AllowSystemPowerRequestAC](policy-csp-admx-power.md) +- [AllowSystemSleepWithRemoteFilesOpenDC](policy-csp-admx-power.md) +- [AllowSystemSleepWithRemoteFilesOpenAC](policy-csp-admx-power.md) +- [DCConnectivityInStandby_2](policy-csp-admx-power.md) +- [ACConnectivityInStandby_2](policy-csp-admx-power.md) +- [DCCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) +- [ACCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md) +- [CustomActiveSchemeOverride_2](policy-csp-admx-power.md) +- [EnableDesktopSlideShowDC](policy-csp-admx-power.md) +- [EnableDesktopSlideShowAC](policy-csp-admx-power.md) + +## ADMX_PowerShellExecutionPolicy + +- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md) +- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md) + +## ADMX_PreviousVersions + +- [DisableLocalPage_1](policy-csp-admx-previousversions.md) +- [DisableRemotePage_1](policy-csp-admx-previousversions.md) +- [HideBackupEntries_1](policy-csp-admx-previousversions.md) +- [DisableLocalRestore_1](policy-csp-admx-previousversions.md) +- [DisableBackupRestore_1](policy-csp-admx-previousversions.md) +- [DisableRemoteRestore_1](policy-csp-admx-previousversions.md) +- [DisableLocalPage_2](policy-csp-admx-previousversions.md) +- [DisableRemotePage_2](policy-csp-admx-previousversions.md) +- [HideBackupEntries_2](policy-csp-admx-previousversions.md) +- [DisableLocalRestore_2](policy-csp-admx-previousversions.md) +- [DisableBackupRestore_2](policy-csp-admx-previousversions.md) +- [DisableRemoteRestore_2](policy-csp-admx-previousversions.md) + +## ADMX_Printing + +- [IntranetPrintersUrl](policy-csp-admx-printing.md) +- [DownlevelBrowse](policy-csp-admx-printing.md) +- [PrinterDirectorySearchScope](policy-csp-admx-printing.md) +- [PackagePointAndPrintOnly](policy-csp-admx-printing.md) +- [PackagePointAndPrintServerList](policy-csp-admx-printing.md) +- [NoDeletePrinter](policy-csp-admx-printing.md) +- [LegacyDefaultPrinterMode](policy-csp-admx-printing.md) +- [AllowWebPrinting](policy-csp-admx-printing.md) +- [DomainPrinters](policy-csp-admx-printing.md) +- [NonDomainPrinters](policy-csp-admx-printing.md) +- [ShowJobTitleInEventLogs](policy-csp-admx-printing.md) +- [ForceSoftwareRasterization](policy-csp-admx-printing.md) +- [EMFDespooling](policy-csp-admx-printing.md) +- [MXDWUseLegacyOutputFormatMSXPS](policy-csp-admx-printing.md) +- [PhysicalLocation](policy-csp-admx-printing.md) +- [CustomizedSupportUrl](policy-csp-admx-printing.md) +- [KMPrintersAreBlocked](policy-csp-admx-printing.md) +- [V4DriverDisallowPrinterExtension](policy-csp-admx-printing.md) +- [PrintDriverIsolationExecutionPolicy](policy-csp-admx-printing.md) +- [DoNotInstallCompatibleDriverFromWindowsUpdate](policy-csp-admx-printing.md) +- [ApplicationDriverIsolation](policy-csp-admx-printing.md) +- [PackagePointAndPrintOnly_Win7](policy-csp-admx-printing.md) +- [PrintDriverIsolationOverrideCompat](policy-csp-admx-printing.md) +- [PackagePointAndPrintServerList_Win7](policy-csp-admx-printing.md) +- [PhysicalLocationSupport](policy-csp-admx-printing.md) +- [PrinterServerThread](policy-csp-admx-printing.md) + +## ADMX_Printing2 + +- [RegisterSpoolerRemoteRpcEndPoint](policy-csp-admx-printing2.md) +- [ImmortalPrintQueue](policy-csp-admx-printing2.md) +- [AutoPublishing](policy-csp-admx-printing2.md) +- [VerifyPublishedState](policy-csp-admx-printing2.md) +- [PruningInterval](policy-csp-admx-printing2.md) +- [PruningPriority](policy-csp-admx-printing2.md) +- [PruningRetries](policy-csp-admx-printing2.md) +- [PruningRetryLog](policy-csp-admx-printing2.md) +- [PruneDownlevel](policy-csp-admx-printing2.md) + +## ADMX_Programs + +- [NoGetPrograms](policy-csp-admx-programs.md) +- [NoInstalledUpdates](policy-csp-admx-programs.md) +- [NoProgramsAndFeatures](policy-csp-admx-programs.md) +- [NoDefaultPrograms](policy-csp-admx-programs.md) +- [NoWindowsFeatures](policy-csp-admx-programs.md) +- [NoWindowsMarketplace](policy-csp-admx-programs.md) +- [NoProgramsCPL](policy-csp-admx-programs.md) + +## ADMX_PushToInstall + +- [DisablePushToInstall](policy-csp-admx-pushtoinstall.md) + +## ADMX_QOS + +- [QosServiceTypeBestEffort_C](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_C](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_C](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_C](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_C](policy-csp-admx-qos.md) +- [QosServiceTypeBestEffort_NC](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_NC](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_NC](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_NC](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_NC](policy-csp-admx-qos.md) +- [QosServiceTypeBestEffort_PV](policy-csp-admx-qos.md) +- [QosServiceTypeControlledLoad_PV](policy-csp-admx-qos.md) +- [QosServiceTypeGuaranteed_PV](policy-csp-admx-qos.md) +- [QosServiceTypeNetworkControl_PV](policy-csp-admx-qos.md) +- [QosServiceTypeNonConforming](policy-csp-admx-qos.md) +- [QosServiceTypeQualitative_PV](policy-csp-admx-qos.md) +- [QosMaxOutstandingSends](policy-csp-admx-qos.md) +- [QosNonBestEffortLimit](policy-csp-admx-qos.md) +- [QosTimerResolution](policy-csp-admx-qos.md) + +## ADMX_Radar + +- [WdiScenarioExecutionPolicy](policy-csp-admx-radar.md) + +## ADMX_Reliability + +- [ShutdownEventTrackerStateFile](policy-csp-admx-reliability.md) +- [ShutdownReason](policy-csp-admx-reliability.md) +- [EE_EnablePersistentTimeStamp](policy-csp-admx-reliability.md) +- [PCH_ReportShutdownEvents](policy-csp-admx-reliability.md) + +## ADMX_RemoteAssistance + +- [RA_EncryptedTicketOnly](policy-csp-admx-remoteassistance.md) +- [RA_Optimize_Bandwidth](policy-csp-admx-remoteassistance.md) + +## ADMX_RemovableStorage + +- [RemovableStorageClasses_DenyAll_Access_1](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [AccessRights_RebootTime_1](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyRead_Access_1](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyWrite_Access_1](policy-csp-admx-removablestorage.md) +- [RemovableStorageClasses_DenyAll_Access_2](policy-csp-admx-removablestorage.md) +- [Removable_Remote_Allow_Access](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [CDandDVD_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [CustomClasses_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [FloppyDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [RemovableDisks_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [AccessRights_RebootTime_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [TapeDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyRead_Access_2](policy-csp-admx-removablestorage.md) +- [WPDDevices_DenyWrite_Access_2](policy-csp-admx-removablestorage.md) + +## ADMX_RPC + +- [RpcIgnoreDelegationFailure](policy-csp-admx-rpc.md) +- [RpcStateInformation](policy-csp-admx-rpc.md) +- [RpcExtendedErrorInformation](policy-csp-admx-rpc.md) +- [RpcMinimumHttpConnectionTimeout](policy-csp-admx-rpc.md) + +## ADMX_sam + +- [SamNGCKeyROCAValidation](policy-csp-admx-sam.md) + +## ADMX_Scripts + +- [Run_Logoff_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Legacy_Logon_Script_Hidden](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Sync_1](policy-csp-admx-scripts.md) +- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) +- [Allow_Logon_Script_NetbiosDisabled](policy-csp-admx-scripts.md) +- [Run_Shutdown_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Startup_Script_Visible](policy-csp-admx-scripts.md) +- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md) +- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md) +- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md) +- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md) +- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md) + +## ADMX_sdiageng + +- [ScriptedDiagnosticsSecurityPolicy](policy-csp-admx-sdiageng.md) +- [ScriptedDiagnosticsExecutionPolicy](policy-csp-admx-sdiageng.md) +- [BetterWhenConnected](policy-csp-admx-sdiageng.md) + +## ADMX_sdiagschd + +- [ScheduledDiagnosticsExecutionPolicy](policy-csp-admx-sdiagschd.md) + +## ADMX_Securitycenter + +- [SecurityCenter_SecurityCenterInDomain](policy-csp-admx-securitycenter.md) + +## ADMX_Sensors + +- [DisableLocation_1](policy-csp-admx-sensors.md) +- [DisableLocationScripting_1](policy-csp-admx-sensors.md) +- [DisableSensors_1](policy-csp-admx-sensors.md) +- [DisableLocationScripting_2](policy-csp-admx-sensors.md) +- [DisableSensors_2](policy-csp-admx-sensors.md) + +## ADMX_ServerManager + +- [Do_not_display_Manage_Your_Server_page](policy-csp-admx-servermanager.md) +- [ServerManagerAutoRefreshRate](policy-csp-admx-servermanager.md) +- [DoNotLaunchInitialConfigurationTasks](policy-csp-admx-servermanager.md) +- [DoNotLaunchServerManager](policy-csp-admx-servermanager.md) + +## ADMX_Servicing + +- [Servicing](policy-csp-admx-servicing.md) + +## ADMX_SettingSync + +- [DisableSettingSync](policy-csp-admx-settingsync.md) +- [DisableApplicationSettingSync](policy-csp-admx-settingsync.md) +- [DisableAppSyncSettingSync](policy-csp-admx-settingsync.md) +- [DisableDesktopThemeSettingSync](policy-csp-admx-settingsync.md) +- [DisableSyncOnPaidNetwork](policy-csp-admx-settingsync.md) +- [DisableWindowsSettingSync](policy-csp-admx-settingsync.md) +- [DisableCredentialsSettingSync](policy-csp-admx-settingsync.md) +- [DisablePersonalizationSettingSync](policy-csp-admx-settingsync.md) +- [DisableStartLayoutSettingSync](policy-csp-admx-settingsync.md) + +## ADMX_SharedFolders + +- [PublishDfsRoots](policy-csp-admx-sharedfolders.md) +- [PublishSharedFolders](policy-csp-admx-sharedfolders.md) + +## ADMX_Sharing + +- [NoInplaceSharing](policy-csp-admx-sharing.md) +- [DisableHomeGroup](policy-csp-admx-sharing.md) + +## ADMX_ShellCommandPromptRegEditTools + +- [DisallowApps](policy-csp-admx-shellcommandpromptregedittools.md) +- [DisableRegedit](policy-csp-admx-shellcommandpromptregedittools.md) +- [DisableCMD](policy-csp-admx-shellcommandpromptregedittools.md) +- [RestrictApps](policy-csp-admx-shellcommandpromptregedittools.md) + +## ADMX_Smartcard + +- [AllowCertificatesWithNoEKU](policy-csp-admx-smartcard.md) +- [EnumerateECCCerts](policy-csp-admx-smartcard.md) +- [AllowIntegratedUnblock](policy-csp-admx-smartcard.md) +- [AllowSignatureOnlyKeys](policy-csp-admx-smartcard.md) +- [AllowTimeInvalidCertificates](policy-csp-admx-smartcard.md) +- [X509HintsNeeded](policy-csp-admx-smartcard.md) +- [CertPropRootCleanupString](policy-csp-admx-smartcard.md) +- [IntegratedUnblockPromptString](policy-csp-admx-smartcard.md) +- [FilterDuplicateCerts](policy-csp-admx-smartcard.md) +- [ForceReadingAllCertificates](policy-csp-admx-smartcard.md) +- [SCPnPNotification](policy-csp-admx-smartcard.md) +- [DisallowPlaintextPin](policy-csp-admx-smartcard.md) +- [ReverseSubject](policy-csp-admx-smartcard.md) +- [CertPropEnabledString](policy-csp-admx-smartcard.md) +- [CertPropRootEnabledString](policy-csp-admx-smartcard.md) +- [SCPnPEnabled](policy-csp-admx-smartcard.md) + +## ADMX_Snmp + +- [SNMP_Communities](policy-csp-admx-snmp.md) +- [SNMP_PermittedManagers](policy-csp-admx-snmp.md) +- [SNMP_Traps_Public](policy-csp-admx-snmp.md) + +## ADMX_SoundRec + +- [Soundrec_DiableApplication_TitleText_1](policy-csp-admx-soundrec.md) +- [Soundrec_DiableApplication_TitleText_2](policy-csp-admx-soundrec.md) + +## ADMX_srmfci + +- [AccessDeniedConfiguration](policy-csp-admx-srmfci.md) +- [EnableShellAccessCheck](policy-csp-admx-srmfci.md) +- [EnableManualUX](policy-csp-admx-srmfci.md) +- [CentralClassificationList](policy-csp-admx-srmfci.md) + +## ADMX_StartMenu + +- [MemCheckBoxInRunDlg](policy-csp-admx-startmenu.md) +- [ForceStartMenuLogOff](policy-csp-admx-startmenu.md) +- [AddSearchInternetLinkInStartMenu](policy-csp-admx-startmenu.md) +- [ShowRunInStartMenu](policy-csp-admx-startmenu.md) +- [PowerButtonAction](policy-csp-admx-startmenu.md) +- [ClearRecentDocsOnExit](policy-csp-admx-startmenu.md) +- [ClearRecentProgForNewUserInStartMenu](policy-csp-admx-startmenu.md) +- [ClearTilesOnExit](policy-csp-admx-startmenu.md) +- [NoToolbarsOnTaskbar](policy-csp-admx-startmenu.md) +- [NoSearchCommInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchFilesInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchInternetInStartMenu](policy-csp-admx-startmenu.md) +- [NoSearchProgramsInStartMenu](policy-csp-admx-startmenu.md) +- [NoResolveSearch](policy-csp-admx-startmenu.md) +- [NoResolveTrack](policy-csp-admx-startmenu.md) +- [NoStartPage](policy-csp-admx-startmenu.md) +- [GoToDesktopOnSignIn](policy-csp-admx-startmenu.md) +- [GreyMSIAds](policy-csp-admx-startmenu.md) +- [NoTrayItemsDisplay](policy-csp-admx-startmenu.md) +- [DesktopAppsFirstInAppsView](policy-csp-admx-startmenu.md) +- [LockTaskbar](policy-csp-admx-startmenu.md) +- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) +- [NoSetTaskbar](policy-csp-admx-startmenu.md) +- [NoTaskGrouping](policy-csp-admx-startmenu.md) +- [NoChangeStartMenu](policy-csp-admx-startmenu.md) +- [NoUninstallFromStart](policy-csp-admx-startmenu.md) +- [NoTrayContextMenu](policy-csp-admx-startmenu.md) +- [NoMoreProgramsList](policy-csp-admx-startmenu.md) +- [NoClose](policy-csp-admx-startmenu.md) +- [NoBalloonTip](policy-csp-admx-startmenu.md) +- [NoTaskBarClock](policy-csp-admx-startmenu.md) +- [NoCommonGroups](policy-csp-admx-startmenu.md) +- [NoSMConfigurePrograms](policy-csp-admx-startmenu.md) +- [NoSMMyDocuments](policy-csp-admx-startmenu.md) +- [NoStartMenuDownload](policy-csp-admx-startmenu.md) +- [NoFavoritesMenu](policy-csp-admx-startmenu.md) +- [NoGamesFolderOnStartMenu](policy-csp-admx-startmenu.md) +- [NoHelp](policy-csp-admx-startmenu.md) +- [NoStartMenuHomegroup](policy-csp-admx-startmenu.md) +- [NoWindowsUpdate](policy-csp-admx-startmenu.md) +- [StartMenuLogOff](policy-csp-admx-startmenu.md) +- [NoSMMyMusic](policy-csp-admx-startmenu.md) +- [NoNetAndDialupConnect](policy-csp-admx-startmenu.md) +- [NoSMMyNetworkPlaces](policy-csp-admx-startmenu.md) +- [NoSMMyPictures](policy-csp-admx-startmenu.md) +- [NoPinnedPrograms](policy-csp-admx-startmenu.md) +- [NoSetFolders](policy-csp-admx-startmenu.md) +- [NoRecentDocsMenu](policy-csp-admx-startmenu.md) +- [NoStartMenuRecordedTV](policy-csp-admx-startmenu.md) +- [NoRun](policy-csp-admx-startmenu.md) +- [NoSearchComputerLinkInStartMenu](policy-csp-admx-startmenu.md) +- [NoFind](policy-csp-admx-startmenu.md) +- [NoSearchEverywhereLinkInStartMenu](policy-csp-admx-startmenu.md) +- [RemoveUnDockPCButton](policy-csp-admx-startmenu.md) +- [NoUserFolderOnStartMenu](policy-csp-admx-startmenu.md) +- [NoUserNameOnStartMenu](policy-csp-admx-startmenu.md) +- [NoStartMenuSubFolders](policy-csp-admx-startmenu.md) +- [NoStartMenuVideos](policy-csp-admx-startmenu.md) +- [DisableGlobalSearchOnAppsView](policy-csp-admx-startmenu.md) +- [ShowRunAsDifferentUserInStart](policy-csp-admx-startmenu.md) +- [QuickLaunchEnabled](policy-csp-admx-startmenu.md) +- [ShowStartOnDisplayWithForegroundOnWinKey](policy-csp-admx-startmenu.md) +- [ShowAppsViewOnStart](policy-csp-admx-startmenu.md) +- [NoAutoTrayNotify](policy-csp-admx-startmenu.md) +- [Intellimenus](policy-csp-admx-startmenu.md) +- [NoInstrumentation](policy-csp-admx-startmenu.md) +- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md) +- [NoSetTaskbar](policy-csp-admx-startmenu.md) +- [NoChangeStartMenu](policy-csp-admx-startmenu.md) +- [NoUninstallFromStart](policy-csp-admx-startmenu.md) +- [NoTrayContextMenu](policy-csp-admx-startmenu.md) +- [NoMoreProgramsList](policy-csp-admx-startmenu.md) +- [HidePowerOptions](policy-csp-admx-startmenu.md) +- [NoRun](policy-csp-admx-startmenu.md) + +## ADMX_SystemRestore + +- [SR_DisableConfig](policy-csp-admx-systemrestore.md) + +## ADMX_TabletPCInputPanel + +- [Prediction_1](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTouchTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [RareChar_1](policy-csp-admx-tabletpcinputpanel.md) +- [EdgeTarget_1](policy-csp-admx-tabletpcinputpanel.md) +- [AutoComplete_1](policy-csp-admx-tabletpcinputpanel.md) +- [PasswordSecurity_1](policy-csp-admx-tabletpcinputpanel.md) +- [ScratchOut_1](policy-csp-admx-tabletpcinputpanel.md) +- [Prediction_2](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [IPTIPTouchTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [RareChar_2](policy-csp-admx-tabletpcinputpanel.md) +- [EdgeTarget_2](policy-csp-admx-tabletpcinputpanel.md) +- [AutoComplete_2](policy-csp-admx-tabletpcinputpanel.md) +- [PasswordSecurity_2](policy-csp-admx-tabletpcinputpanel.md) +- [ScratchOut_2](policy-csp-admx-tabletpcinputpanel.md) + +## ADMX_TabletShell + +- [DisableInkball_1](policy-csp-admx-tabletshell.md) +- [DisableNoteWriterPrinting_1](policy-csp-admx-tabletshell.md) +- [DisableSnippingTool_1](policy-csp-admx-tabletshell.md) +- [DisableJournal_1](policy-csp-admx-tabletshell.md) +- [TurnOffFeedback_1](policy-csp-admx-tabletshell.md) +- [PreventBackEscMapping_1](policy-csp-admx-tabletshell.md) +- [PreventLaunchApp_1](policy-csp-admx-tabletshell.md) +- [PreventPressAndHold_1](policy-csp-admx-tabletshell.md) +- [TurnOffButtons_1](policy-csp-admx-tabletshell.md) +- [PreventFlicksLearningMode_1](policy-csp-admx-tabletshell.md) +- [PreventFlicks_1](policy-csp-admx-tabletshell.md) +- [DisableInkball_2](policy-csp-admx-tabletshell.md) +- [DisableNoteWriterPrinting_2](policy-csp-admx-tabletshell.md) +- [DisableSnippingTool_2](policy-csp-admx-tabletshell.md) +- [DisableJournal_2](policy-csp-admx-tabletshell.md) +- [TurnOffFeedback_2](policy-csp-admx-tabletshell.md) +- [PreventBackEscMapping_2](policy-csp-admx-tabletshell.md) +- [PreventLaunchApp_2](policy-csp-admx-tabletshell.md) +- [PreventPressAndHold_2](policy-csp-admx-tabletshell.md) +- [TurnOffButtons_2](policy-csp-admx-tabletshell.md) +- [PreventFlicksLearningMode_2](policy-csp-admx-tabletshell.md) +- [PreventFlicks_2](policy-csp-admx-tabletshell.md) + +## ADMX_Taskbar + +- [EnableLegacyBalloonNotifications](policy-csp-admx-taskbar.md) +- [NoPinningToDestinations](policy-csp-admx-taskbar.md) +- [NoPinningToTaskbar](policy-csp-admx-taskbar.md) +- [NoPinningStoreToTaskbar](policy-csp-admx-taskbar.md) +- [TaskbarNoMultimon](policy-csp-admx-taskbar.md) +- [NoRemoteDestinations](policy-csp-admx-taskbar.md) +- [TaskbarLockAll](policy-csp-admx-taskbar.md) +- [TaskbarNoAddRemoveToolbar](policy-csp-admx-taskbar.md) +- [TaskbarNoRedock](policy-csp-admx-taskbar.md) +- [TaskbarNoDragToolbar](policy-csp-admx-taskbar.md) +- [TaskbarNoResize](policy-csp-admx-taskbar.md) +- [DisableNotificationCenter](policy-csp-admx-taskbar.md) +- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) +- [HideSCAPower](policy-csp-admx-taskbar.md) +- [HideSCANetwork](policy-csp-admx-taskbar.md) +- [HideSCAHealth](policy-csp-admx-taskbar.md) +- [HideSCAVolume](policy-csp-admx-taskbar.md) +- [ShowWindowsStoreAppsOnTaskbar](policy-csp-admx-taskbar.md) +- [TaskbarNoNotification](policy-csp-admx-taskbar.md) +- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md) +- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md) +- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md) +- [DisableNotificationCenter](policy-csp-admx-taskbar.md) +- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md) + +## ADMX_tcpip + +- [6to4_Router_Name](policy-csp-admx-tcpip.md) +- [6to4_Router_Name_Resolution_Interval](policy-csp-admx-tcpip.md) +- [6to4_State](policy-csp-admx-tcpip.md) +- [IPHTTPS_ClientState](policy-csp-admx-tcpip.md) +- [ISATAP_Router_Name](policy-csp-admx-tcpip.md) +- [ISATAP_State](policy-csp-admx-tcpip.md) +- [Teredo_Client_Port](policy-csp-admx-tcpip.md) +- [Teredo_Default_Qualified](policy-csp-admx-tcpip.md) +- [Teredo_Refresh_Rate](policy-csp-admx-tcpip.md) +- [Teredo_Server_Name](policy-csp-admx-tcpip.md) +- [Teredo_State](policy-csp-admx-tcpip.md) +- [IP_Stateless_Autoconfiguration_Limits_State](policy-csp-admx-tcpip.md) +- [Windows_Scaling_Heuristics_State](policy-csp-admx-tcpip.md) + +## ADMX_TerminalServer + +- [TS_GATEWAY_POLICY_ENABLE](policy-csp-admx-terminalserver.md) +- [TS_GATEWAY_POLICY_AUTH_METHOD](policy-csp-admx-terminalserver.md) +- [TS_GATEWAY_POLICY_SERVER](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_UNSIGNED_FILES_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_SIGNED_FILES_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DISABLE_PASSWORD_SAVING_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](policy-csp-admx-terminalserver.md) +- [TS_RemoteControl_1](policy-csp-admx-terminalserver.md) +- [TS_EASY_PRINT_User](policy-csp-admx-terminalserver.md) +- [TS_START_PROGRAM_1](policy-csp-admx-terminalserver.md) +- [TS_Session_End_On_Limit_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Idle_Limit_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Limits_1](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Disconnected_Timeout_1](policy-csp-admx-terminalserver.md) +- [TS_RADC_DefaultConnection](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_SECGROUP](policy-csp-admx-terminalserver.md) +- [TS_PreventLicenseUpgrade](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_UNSIGNED_FILES_2](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_ALLOW_SIGNED_FILES_2](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AUTH](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DISABLE_HARDWARE_MODE](policy-csp-admx-terminalserver.md) +- [TS_PROMT_CREDS_CLIENT_COMP](policy-csp-admx-terminalserver.md) +- [TS_USB_REDIRECTION_DISABLE](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_TURN_OFF_UDP](policy-csp-admx-terminalserver.md) +- [TS_AUTO_RECONNECT](policy-csp-admx-terminalserver.md) +- [TS_KEEP_ALIVE](policy-csp-admx-terminalserver.md) +- [TS_FORCIBLE_LOGOFF](policy-csp-admx-terminalserver.md) +- [TS_MAX_CON_POLICY](policy-csp-admx-terminalserver.md) +- [TS_SINGLE_SESSION](policy-csp-admx-terminalserver.md) +- [TS_SELECT_NETWORK_DETECT](policy-csp-admx-terminalserver.md) +- [TS_SELECT_TRANSPORT](policy-csp-admx-terminalserver.md) +- [TS_RemoteControl_2](policy-csp-admx-terminalserver.md) +- [TS_RDSAppX_WaitForRegistration](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO_CAPTURE](policy-csp-admx-terminalserver.md) +- [TS_TIME_ZONE](policy-csp-admx-terminalserver.md) +- [TS_UIA](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_CLIPBOARD](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_COM](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_LPT](policy-csp-admx-terminalserver.md) +- [TS_SMART_CARD](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_PNP](policy-csp-admx-terminalserver.md) +- [TS_CAMERA_REDIRECTION](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_AUDIO_QUALITY](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_TOOLTIP](policy-csp-admx-terminalserver.md) +- [TS_LICENSING_MODE](policy-csp-admx-terminalserver.md) +- [TS_LICENSE_SERVERS](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_PRINTER](policy-csp-admx-terminalserver.md) +- [TS_CLIENT_DEFAULT_M](policy-csp-admx-terminalserver.md) +- [TS_FALLBACKPRINTDRIVERTYPE](policy-csp-admx-terminalserver.md) +- [TS_EASY_PRINT](policy-csp-admx-terminalserver.md) +- [TS_DELETE_ROAMING_USER_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_USER_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_USER_HOME](policy-csp-admx-terminalserver.md) +- [TS_USER_MANDATORY_PROFILES](policy-csp-admx-terminalserver.md) +- [TS_SD_ClustName](policy-csp-admx-terminalserver.md) +- [TS_SD_Loc](policy-csp-admx-terminalserver.md) +- [TS_JOIN_SESSION_DIRECTORY](policy-csp-admx-terminalserver.md) +- [TS_SD_EXPOSE_ADDRESS](policy-csp-admx-terminalserver.md) +- [TS_TURNOFF_SINGLEAPP](policy-csp-admx-terminalserver.md) +- [TS_SERVER_COMPRESSOR](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AVC_HW_ENCODE_PREFERRED](policy-csp-admx-terminalserver.md) +- [TS_SERVER_IMAGE_QUALITY](policy-csp-admx-terminalserver.md) +- [TS_SERVER_PROFILE](policy-csp-admx-terminalserver.md) +- [TS_SERVER_LEGACY_RFX](policy-csp-admx-terminalserver.md) +- [TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](policy-csp-admx-terminalserver.md) +- [TS_COLORDEPTH](policy-csp-admx-terminalserver.md) +- [TS_MAXDISPLAYRES](policy-csp-admx-terminalserver.md) +- [TS_MAXMONITOR](policy-csp-admx-terminalserver.md) +- [TS_SERVER_AVC444_MODE_PREFERRED](policy-csp-admx-terminalserver.md) +- [TS_EnableVirtualGraphics](policy-csp-admx-terminalserver.md) +- [TS_SERVER_VISEXP](policy-csp-admx-terminalserver.md) +- [TS_RemoteDesktopVirtualGraphics](policy-csp-admx-terminalserver.md) +- [TS_NoDisconnectMenu](policy-csp-admx-terminalserver.md) +- [TS_NoSecurityMenu](policy-csp-admx-terminalserver.md) +- [TS_START_PROGRAM_2](policy-csp-admx-terminalserver.md) +- [TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](policy-csp-admx-terminalserver.md) +- [TS_DX_USE_FULL_HWGPU](policy-csp-admx-terminalserver.md) +- [TS_SERVER_WDDM_GRAPHICS_DRIVER](policy-csp-admx-terminalserver.md) +- [TS_TSCC_PERMISSIONS_POLICY](policy-csp-admx-terminalserver.md) +- [TS_SECURITY_LAYER_POLICY](policy-csp-admx-terminalserver.md) +- [TS_USER_AUTHENTICATION_POLICY](policy-csp-admx-terminalserver.md) +- [TS_CERTIFICATE_TEMPLATE_POLICY](policy-csp-admx-terminalserver.md) +- [TS_Session_End_On_Limit_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Idle_Limit_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Limits_2](policy-csp-admx-terminalserver.md) +- [TS_SESSIONS_Disconnected_Timeout_2](policy-csp-admx-terminalserver.md) +- [TS_TEMP_DELETE](policy-csp-admx-terminalserver.md) +- [TS_TEMP_PER_SESSION](policy-csp-admx-terminalserver.md) + +## ADMX_Thumbnails + +- [DisableThumbsDBOnNetworkFolders](policy-csp-admx-thumbnails.md) +- [DisableThumbnailsOnNetworkFolders](policy-csp-admx-thumbnails.md) +- [DisableThumbnails](policy-csp-admx-thumbnails.md) + +## ADMX_TouchInput + +- [TouchInputOff_1](policy-csp-admx-touchinput.md) +- [PanningEverywhereOff_1](policy-csp-admx-touchinput.md) +- [TouchInputOff_2](policy-csp-admx-touchinput.md) +- [PanningEverywhereOff_2](policy-csp-admx-touchinput.md) + +## ADMX_TPM + +- [OptIntoDSHA_Name](policy-csp-admx-tpm.md) +- [OSManagedAuth_Name](policy-csp-admx-tpm.md) +- [BlockedCommandsList_Name](policy-csp-admx-tpm.md) +- [ClearTPMIfNotReady_Name](policy-csp-admx-tpm.md) +- [UseLegacyDAP_Name](policy-csp-admx-tpm.md) +- [IgnoreDefaultList_Name](policy-csp-admx-tpm.md) +- [IgnoreLocalList_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureIndividualThreshold_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureDuration_Name](policy-csp-admx-tpm.md) +- [StandardUserAuthorizationFailureTotalThreshold_Name](policy-csp-admx-tpm.md) + +## ADMX_UserExperienceVirtualization + +- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Calculator](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) +- [Notepad](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) +- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) +- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) +- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) +- [Finance](policy-csp-admx-userexperiencevirtualization.md) +- [Games](policy-csp-admx-userexperiencevirtualization.md) +- [Maps](policy-csp-admx-userexperiencevirtualization.md) +- [Music](policy-csp-admx-userexperiencevirtualization.md) +- [News](policy-csp-admx-userexperiencevirtualization.md) +- [Reader](policy-csp-admx-userexperiencevirtualization.md) +- [Sports](policy-csp-admx-userexperiencevirtualization.md) +- [Travel](policy-csp-admx-userexperiencevirtualization.md) +- [Video](policy-csp-admx-userexperiencevirtualization.md) +- [Weather](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Calculator](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md) +- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md) +- [Notepad](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md) +- [Wordpad](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md) +- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md) +- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md) +- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md) +- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md) +- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md) +- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md) +- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md) +- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md) +- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md) +- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md) +- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md) +- [Finance](policy-csp-admx-userexperiencevirtualization.md) +- [Games](policy-csp-admx-userexperiencevirtualization.md) +- [Maps](policy-csp-admx-userexperiencevirtualization.md) +- [Music](policy-csp-admx-userexperiencevirtualization.md) +- [News](policy-csp-admx-userexperiencevirtualization.md) +- [Reader](policy-csp-admx-userexperiencevirtualization.md) +- [Sports](policy-csp-admx-userexperiencevirtualization.md) +- [Travel](policy-csp-admx-userexperiencevirtualization.md) +- [Video](policy-csp-admx-userexperiencevirtualization.md) +- [Weather](policy-csp-admx-userexperiencevirtualization.md) + +## ADMX_UserProfiles + +- [LimitSize](policy-csp-admx-userprofiles.md) +- [SlowLinkTimeOut](policy-csp-admx-userprofiles.md) +- [CleanupProfiles](policy-csp-admx-userprofiles.md) +- [DontForceUnloadHive](policy-csp-admx-userprofiles.md) +- [ProfileErrorAction](policy-csp-admx-userprofiles.md) +- [LeaveAppMgmtData](policy-csp-admx-userprofiles.md) +- [USER_HOME](policy-csp-admx-userprofiles.md) +- [UserInfoAccessAction](policy-csp-admx-userprofiles.md) + +## ADMX_W32Time + +- [W32TIME_POLICY_CONFIG](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_CONFIGURE_NTPCLIENT](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_ENABLE_NTPCLIENT](policy-csp-admx-w32time.md) +- [W32TIME_POLICY_ENABLE_NTPSERVER](policy-csp-admx-w32time.md) + +## ADMX_WCM + +- [WCM_DisablePowerManagement](policy-csp-admx-wcm.md) +- [WCM_EnableSoftDisconnect](policy-csp-admx-wcm.md) +- [WCM_MinimizeConnections](policy-csp-admx-wcm.md) + +## ADMX_WDI + +- [WdiDpsScenarioExecutionPolicy](policy-csp-admx-wdi.md) +- [WdiDpsScenarioDataSizeLimitPolicy](policy-csp-admx-wdi.md) + +## ADMX_WinCal + +- [TurnOffWinCal_1](policy-csp-admx-wincal.md) +- [TurnOffWinCal_2](policy-csp-admx-wincal.md) + +## ADMX_WindowsColorSystem + +- [ProhibitChangingInstalledProfileList_1](policy-csp-admx-windowscolorsystem.md) +- [ProhibitChangingInstalledProfileList_2](policy-csp-admx-windowscolorsystem.md) + +## ADMX_WindowsConnectNow + +- [WCN_DisableWcnUi_1](policy-csp-admx-windowsconnectnow.md) +- [WCN_EnableRegistrar](policy-csp-admx-windowsconnectnow.md) +- [WCN_DisableWcnUi_2](policy-csp-admx-windowsconnectnow.md) + +## ADMX_WindowsExplorer + +- [EnforceShellExtensionSecurity](policy-csp-admx-windowsexplorer.md) +- [NoBackButton](policy-csp-admx-windowsexplorer.md) +- [NoPlacesBar](policy-csp-admx-windowsexplorer.md) +- [NoFileMRU](policy-csp-admx-windowsexplorer.md) +- [PlacesBar](policy-csp-admx-windowsexplorer.md) +- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) +- [DisableKnownFolders](policy-csp-admx-windowsexplorer.md) +- [ConfirmFileDelete](policy-csp-admx-windowsexplorer.md) +- [NoFolderOptions](policy-csp-admx-windowsexplorer.md) +- [NoRecycleFiles](policy-csp-admx-windowsexplorer.md) +- [NoRunAsInstallPrompt](policy-csp-admx-windowsexplorer.md) +- [LinkResolveIgnoreLinkInfo](policy-csp-admx-windowsexplorer.md) +- [NoDrives](policy-csp-admx-windowsexplorer.md) +- [NoManageMyComputerVerb](policy-csp-admx-windowsexplorer.md) +- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) +- [RecycleBinSize](policy-csp-admx-windowsexplorer.md) +- [MaxRecentDocs](policy-csp-admx-windowsexplorer.md) +- [NoWorkgroupContents](policy-csp-admx-windowsexplorer.md) +- [NoEntireNetwork](policy-csp-admx-windowsexplorer.md) +- [TryHarderPinnedOpenSearch](policy-csp-admx-windowsexplorer.md) +- [TryHarderPinnedLibrary](policy-csp-admx-windowsexplorer.md) +- [NoViewOnDrive](policy-csp-admx-windowsexplorer.md) +- [NoNetConnectDisconnect](policy-csp-admx-windowsexplorer.md) +- [NoCDBurning](policy-csp-admx-windowsexplorer.md) +- [NoDFSTab](policy-csp-admx-windowsexplorer.md) +- [NoViewContextMenu](policy-csp-admx-windowsexplorer.md) +- [NoFileMenu](policy-csp-admx-windowsexplorer.md) +- [NoHardwareTab](policy-csp-admx-windowsexplorer.md) +- [NoShellSearchButton](policy-csp-admx-windowsexplorer.md) +- [NoSecurityTab](policy-csp-admx-windowsexplorer.md) +- [NoMyComputerSharedDocuments](policy-csp-admx-windowsexplorer.md) +- [NoSearchInternetTryHarderButton](policy-csp-admx-windowsexplorer.md) +- [NoChangeKeyboardNavigationIndicators](policy-csp-admx-windowsexplorer.md) +- [NoChangeAnimation](policy-csp-admx-windowsexplorer.md) +- [PromptRunasInstallNetPath](policy-csp-admx-windowsexplorer.md) +- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) +- [NoCacheThumbNailPictures](policy-csp-admx-windowsexplorer.md) +- [DisableSearchBoxSuggestions](policy-csp-admx-windowsexplorer.md) +- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) +- [ShellProtocolProtectedModeTitle_1](policy-csp-admx-windowsexplorer.md) +- [HideContentViewModeSnippets](policy-csp-admx-windowsexplorer.md) +- [NoWindowsHotKeys](policy-csp-admx-windowsexplorer.md) +- [DisableIndexedLibraryExperience](policy-csp-admx-windowsexplorer.md) +- [ClassicShell](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) +- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md) +- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md) +- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md) +- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md) +- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md) +- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md) +- [ShowSleepOption](policy-csp-admx-windowsexplorer.md) +- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md) +- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md) +- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md) +- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md) +- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md) + +## ADMX_WindowsMediaDRM + +- [DisableOnline](policy-csp-admx-windowsmediadrm.md) + +## ADMX_WindowsMediaPlayer + +- [ConfigureHTTPProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [ConfigureMMSProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [NetworkBuffering](policy-csp-admx-windowsmediaplayer.md) +- [ConfigureRTSPProxySettings](policy-csp-admx-windowsmediaplayer.md) +- [DisableNetworkSettings](policy-csp-admx-windowsmediaplayer.md) +- [WindowsStreamingMediaProtocols](policy-csp-admx-windowsmediaplayer.md) +- [EnableScreenSaver](policy-csp-admx-windowsmediaplayer.md) +- [PolicyCodecUpdate](policy-csp-admx-windowsmediaplayer.md) +- [PreventCDDVDMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [PreventMusicFileMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [PreventRadioPresetsRetrieval](policy-csp-admx-windowsmediaplayer.md) +- [DoNotShowAnchor](policy-csp-admx-windowsmediaplayer.md) +- [HidePrivacyTab](policy-csp-admx-windowsmediaplayer.md) +- [HideSecurityTab](policy-csp-admx-windowsmediaplayer.md) +- [SkinLockDown](policy-csp-admx-windowsmediaplayer.md) +- [DisableSetupFirstUseConfiguration](policy-csp-admx-windowsmediaplayer.md) +- [DisableAutoUpdate](policy-csp-admx-windowsmediaplayer.md) +- [PreventWMPDeskTopShortcut](policy-csp-admx-windowsmediaplayer.md) +- [PreventLibrarySharing](policy-csp-admx-windowsmediaplayer.md) +- [PreventQuickLaunchShortcut](policy-csp-admx-windowsmediaplayer.md) +- [DontUseFrameInterpolation](policy-csp-admx-windowsmediaplayer.md) + +## ADMX_WindowsRemoteManagement + +- [DisallowKerberos_2](policy-csp-admx-windowsremotemanagement.md) +- [DisallowKerberos_1](policy-csp-admx-windowsremotemanagement.md) + +## ADMX_WindowsStore + +- [DisableOSUpgrade_1](policy-csp-admx-windowsstore.md) +- [RemoveWindowsStore_1](policy-csp-admx-windowsstore.md) +- [DisableAutoDownloadWin8](policy-csp-admx-windowsstore.md) +- [DisableOSUpgrade_2](policy-csp-admx-windowsstore.md) +- [RemoveWindowsStore_2](policy-csp-admx-windowsstore.md) + +## ADMX_WinInit + +- [Hiberboot](policy-csp-admx-wininit.md) +- [ShutdownTimeoutHungSessionsDescription](policy-csp-admx-wininit.md) +- [DisableNamedPipeShutdownPolicyDescription](policy-csp-admx-wininit.md) + +## ADMX_WinLogon + +- [CustomShell](policy-csp-admx-winlogon.md) +- [LogonHoursNotificationPolicyDescription](policy-csp-admx-winlogon.md) +- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) +- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md) +- [SoftwareSASGeneration](policy-csp-admx-winlogon.md) +- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md) +- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md) + +## ADMX_Winsrv + +- [AllowBlockingAppsAtShutdown](policy-csp-admx-winsrv.md) + +## ADMX_wlansvc + +- [SetPINPreferred](policy-csp-admx-wlansvc.md) +- [SetPINEnforced](policy-csp-admx-wlansvc.md) +- [SetCost](policy-csp-admx-wlansvc.md) + +## ADMX_WordWheel + +- [CustomSearch](policy-csp-admx-wordwheel.md) + +## ADMX_WorkFoldersClient + +- [Pol_UserEnableTokenBroker](policy-csp-admx-workfoldersclient.md) +- [Pol_UserEnableWorkFolders](policy-csp-admx-workfoldersclient.md) +- [Pol_MachineEnableWorkFolders](policy-csp-admx-workfoldersclient.md) + +## ADMX_WPN + +- [QuietHoursDailyBeginMinute](policy-csp-admx-wpn.md) +- [QuietHoursDailyEndMinute](policy-csp-admx-wpn.md) +- [NoCallsDuringQuietHours](policy-csp-admx-wpn.md) +- [NoQuietHours](policy-csp-admx-wpn.md) +- [NoToastNotification](policy-csp-admx-wpn.md) +- [NoLockScreenToastNotification](policy-csp-admx-wpn.md) +- [NoToastNotification](policy-csp-admx-wpn.md) + +## AppRuntime + +- [AllowMicrosoftAccountsToBeOptional](policy-csp-appruntime.md) + +## AppVirtualization + +- [AllowAppVClient](policy-csp-appvirtualization.md) +- [ClientCoexistenceAllowMigrationmode](policy-csp-appvirtualization.md) +- [IntegrationAllowRootUser](policy-csp-appvirtualization.md) +- [IntegrationAllowRootGlobal](policy-csp-appvirtualization.md) +- [AllowRoamingFileExclusions](policy-csp-appvirtualization.md) +- [AllowRoamingRegistryExclusions](policy-csp-appvirtualization.md) +- [AllowPackageCleanup](policy-csp-appvirtualization.md) +- [AllowPublishingRefreshUX](policy-csp-appvirtualization.md) +- [PublishingAllowServer1](policy-csp-appvirtualization.md) +- [PublishingAllowServer2](policy-csp-appvirtualization.md) +- [PublishingAllowServer3](policy-csp-appvirtualization.md) +- [PublishingAllowServer4](policy-csp-appvirtualization.md) +- [PublishingAllowServer5](policy-csp-appvirtualization.md) +- [AllowReportingServer](policy-csp-appvirtualization.md) +- [AllowPackageScripts](policy-csp-appvirtualization.md) +- [StreamingAllowHighCostLaunch](policy-csp-appvirtualization.md) +- [StreamingAllowCertificateFilterForClient_SSL](policy-csp-appvirtualization.md) +- [StreamingSupportBranchCache](policy-csp-appvirtualization.md) +- [StreamingAllowLocationProvider](policy-csp-appvirtualization.md) +- [StreamingAllowPackageInstallationRoot](policy-csp-appvirtualization.md) +- [StreamingAllowPackageSourceRoot](policy-csp-appvirtualization.md) +- [StreamingAllowReestablishmentInterval](policy-csp-appvirtualization.md) +- [StreamingAllowReestablishmentRetries](policy-csp-appvirtualization.md) +- [StreamingSharedContentStoreMode](policy-csp-appvirtualization.md) +- [AllowStreamingAutoload](policy-csp-appvirtualization.md) +- [StreamingVerifyCertificateRevocationList](policy-csp-appvirtualization.md) +- [AllowDynamicVirtualization](policy-csp-appvirtualization.md) +- [VirtualComponentsAllowList](policy-csp-appvirtualization.md) + +## AttachmentManager + +- [DoNotPreserveZoneInformation](policy-csp-attachmentmanager.md) +- [HideZoneInfoMechanism](policy-csp-attachmentmanager.md) +- [NotifyAntivirusPrograms](policy-csp-attachmentmanager.md) + +## Autoplay + +- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) +- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) +- [TurnOffAutoPlay](policy-csp-autoplay.md) +- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md) +- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md) +- [TurnOffAutoPlay](policy-csp-autoplay.md) + +## Cellular + +- [ShowAppCellularAccessUI](policy-csp-cellular.md) + +## Connectivity + +- [HardenedUNCPaths](policy-csp-connectivity.md) +- [ProhibitInstallationAndConfigurationOfNetworkBridge](policy-csp-connectivity.md) +- [DisableDownloadingOfPrintDriversOverHTTP](policy-csp-connectivity.md) +- [DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](policy-csp-connectivity.md) +- [DiablePrintingOverHTTP](policy-csp-connectivity.md) + +## CredentialProviders + +- [BlockPicturePassword](policy-csp-credentialproviders.md) +- [AllowPINLogon](policy-csp-credentialproviders.md) + +## CredentialsDelegation + +- [RemoteHostAllowsDelegationOfNonExportableCredentials](policy-csp-credentialsdelegation.md) + +## CredentialsUI + +- [DisablePasswordReveal](policy-csp-credentialsui.md) +- [DisablePasswordReveal](policy-csp-credentialsui.md) +- [EnumerateAdministrators](policy-csp-credentialsui.md) + +## DataUsage + +- [SetCost3G](policy-csp-datausage.md) +- [SetCost4G](policy-csp-datausage.md) + +## DeliveryOptimization + +- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) + +## Desktop + +- [PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md) + +## DesktopAppInstaller + +- [EnableAppInstaller](policy-csp-desktopappinstaller.md) +- [EnableSettings](policy-csp-desktopappinstaller.md) +- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md) +- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md) +- [EnableHashOverride](policy-csp-desktopappinstaller.md) +- [EnableDefaultSource](policy-csp-desktopappinstaller.md) +- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md) +- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md) +- [EnableAdditionalSources](policy-csp-desktopappinstaller.md) +- [EnableAllowedSources](policy-csp-desktopappinstaller.md) +- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md) + +## DeviceInstallation + +- [PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) +- [PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) +- [PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) +- [PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) +- [EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) +- [AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) +- [PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) + +## DeviceLock + +- [PreventLockScreenSlideShow](policy-csp-devicelock.md) +- [PreventEnablingLockScreenCamera](policy-csp-devicelock.md) + +## ErrorReporting + +- [DisableWindowsErrorReporting](policy-csp-errorreporting.md) +- [DisplayErrorNotification](policy-csp-errorreporting.md) +- [DoNotSendAdditionalData](policy-csp-errorreporting.md) +- [PreventCriticalErrorDisplay](policy-csp-errorreporting.md) +- [CustomizeConsentSettings](policy-csp-errorreporting.md) + +## EventLogService + +- [ControlEventLogBehavior](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeApplicationLog](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeSecurityLog](policy-csp-eventlogservice.md) +- [SpecifyMaximumFileSizeSystemLog](policy-csp-eventlogservice.md) + +## FileExplorer + +- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md) +- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md) + +## InternetExplorer + +- [AddSearchProvider](policy-csp-internetexplorer.md) +- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) +- [DisableProxyChange](policy-csp-internetexplorer.md) +- [DisableSearchProviderChange](policy-csp-internetexplorer.md) +- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) +- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) +- [AllowSuggestedSites](policy-csp-internetexplorer.md) +- [DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md) +- [DisableCompatView](policy-csp-internetexplorer.md) +- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) +- [DisableFirstRunWizard](policy-csp-internetexplorer.md) +- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) +- [DisableGeolocation](policy-csp-internetexplorer.md) +- [DisableHomePageChange](policy-csp-internetexplorer.md) +- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) +- [NewTabDefaultPage](policy-csp-internetexplorer.md) +- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) +- [SearchProviderList](policy-csp-internetexplorer.md) +- [AllowActiveXFiltering](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) +- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) +- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) +- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) +- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) +- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) +- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) +- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) +- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) +- [JScriptReplacement](policy-csp-internetexplorer.md) +- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) +- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) +- [DisableEncryptionSupport](policy-csp-internetexplorer.md) +- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) +- [IncludeAllLocalSites](policy-csp-internetexplorer.md) +- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) +- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) +- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [AllowAddOnList](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) +- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) +- [AllowOneWordEntry](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) +- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) +- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) +- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) +- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) +- [DisableConfiguringHistory](policy-csp-internetexplorer.md) +- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) +- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) +- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) +- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) +- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) +- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) +- [DisableCrashDetection](policy-csp-internetexplorer.md) +- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) +- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) +- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) +- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) +- [AllowAutoComplete](policy-csp-internetexplorer.md) +- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [DisableHTMLApplication](policy-csp-internetexplorer.md) +- [AddSearchProvider](policy-csp-internetexplorer.md) +- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md) +- [DisableUpdateCheck](policy-csp-internetexplorer.md) +- [DisableProxyChange](policy-csp-internetexplorer.md) +- [DisableSearchProviderChange](policy-csp-internetexplorer.md) +- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md) +- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md) +- [AllowSuggestedSites](policy-csp-internetexplorer.md) +- [DisableCompatView](policy-csp-internetexplorer.md) +- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md) +- [DisableFirstRunWizard](policy-csp-internetexplorer.md) +- [DisableFlipAheadFeature](policy-csp-internetexplorer.md) +- [DisableGeolocation](policy-csp-internetexplorer.md) +- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md) +- [NewTabDefaultPage](policy-csp-internetexplorer.md) +- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md) +- [SearchProviderList](policy-csp-internetexplorer.md) +- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md) +- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md) +- [AllowActiveXFiltering](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md) +- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md) +- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md) +- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md) +- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md) +- [DisableInternetExplorerApp](policy-csp-internetexplorer.md) +- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md) +- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md) +- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md) +- [JScriptReplacement](policy-csp-internetexplorer.md) +- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md) +- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md) +- [DisableEncryptionSupport](policy-csp-internetexplorer.md) +- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md) +- [IncludeAllLocalSites](policy-csp-internetexplorer.md) +- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md) +- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md) +- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md) +- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md) +- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md) +- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md) +- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md) +- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md) +- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md) +- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md) +- [AllowAddOnList](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md) +- [DisableEnclosureDownloading](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md) +- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md) +- [AllowOneWordEntry](policy-csp-internetexplorer.md) +- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md) +- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md) +- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md) +- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md) +- [AllowFallbackToSSL3](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md) +- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md) +- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md) +- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md) +- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md) +- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md) +- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md) +- [DisableConfiguringHistory](policy-csp-internetexplorer.md) +- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md) +- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md) +- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md) +- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md) +- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md) +- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md) +- [InternetZoneLogonOptions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md) +- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md) +- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md) +- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md) +- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md) +- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md) +- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md) +- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md) +- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md) +- [DisableCrashDetection](policy-csp-internetexplorer.md) +- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md) +- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md) +- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md) +- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md) +- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md) +- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md) +- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md) +- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md) +- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md) +- [DisableHTMLApplication](policy-csp-internetexplorer.md) + +## Kerberos + +- [RequireKerberosArmoring](policy-csp-kerberos.md) +- [KerberosClientSupportsClaimsCompoundArmor](policy-csp-kerberos.md) +- [RequireStrictKDCValidation](policy-csp-kerberos.md) +- [SetMaximumContextTokenSize](policy-csp-kerberos.md) +- [AllowForestSearchOrder](policy-csp-kerberos.md) + +## LocalSecurityAuthority + +- [AllowCustomSSPsAPs](policy-csp-lsa.md) + +## MixedReality + +- [ConfigureNtpClient](policy-csp-mixedreality.md) +- [NtpClientEnabled](policy-csp-mixedreality.md) + +## MSSecurityGuide + +- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md) +- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md) +- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md) +- [WDigestAuthentication](policy-csp-mssecurityguide.md) +- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md) + +## MSSLegacy + +- [IPv6SourceRoutingProtectionLevel](policy-csp-msslegacy.md) +- [IPSourceRoutingProtectionLevel](policy-csp-msslegacy.md) +- [AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](policy-csp-msslegacy.md) +- [AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](policy-csp-msslegacy.md) + +## Power + +- [AllowStandbyWhenSleepingPluggedIn](policy-csp-power.md) +- [RequirePasswordWhenComputerWakesOnBattery](policy-csp-power.md) +- [RequirePasswordWhenComputerWakesPluggedIn](policy-csp-power.md) +- [StandbyTimeoutPluggedIn](policy-csp-power.md) +- [StandbyTimeoutOnBattery](policy-csp-power.md) +- [HibernateTimeoutPluggedIn](policy-csp-power.md) +- [HibernateTimeoutOnBattery](policy-csp-power.md) +- [DisplayOffTimeoutPluggedIn](policy-csp-power.md) +- [DisplayOffTimeoutOnBattery](policy-csp-power.md) +- [AllowStandbyStatesWhenSleepingOnBattery](policy-csp-power.md) + +## Printers + +- [PointAndPrintRestrictions_User](policy-csp-printers.md) +- [EnableDeviceControlUser](policy-csp-printers.md) +- [ApprovedUsbPrintDevicesUser](policy-csp-printers.md) +- [PointAndPrintRestrictions](policy-csp-printers.md) +- [PublishPrinters](policy-csp-printers.md) +- [EnableDeviceControl](policy-csp-printers.md) +- [ApprovedUsbPrintDevices](policy-csp-printers.md) +- [RestrictDriverInstallationToAdministrators](policy-csp-printers.md) +- [ConfigureCopyFilesPolicy](policy-csp-printers.md) +- [ConfigureDriverValidationLevel](policy-csp-printers.md) +- [ManageDriverExclusionList](policy-csp-printers.md) +- [ConfigureRpcListenerPolicy](policy-csp-printers.md) +- [ConfigureRpcConnectionPolicy](policy-csp-printers.md) +- [ConfigureRpcTcpPort](policy-csp-printers.md) +- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md) +- [ConfigureIppPageCountsPolicy](policy-csp-printers.md) +- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md) + +## RemoteAssistance + +- [UnsolicitedRemoteAssistance](policy-csp-remoteassistance.md) +- [SolicitedRemoteAssistance](policy-csp-remoteassistance.md) +- [CustomizeWarningMessages](policy-csp-remoteassistance.md) +- [SessionLogging](policy-csp-remoteassistance.md) + +## RemoteDesktopServices + +- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md) +- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md) +- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md) +- [PromptForPasswordUponConnection](policy-csp-remotedesktopservices.md) +- [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md) +- [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md) +- [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md) + +## RemoteManagement + +- [AllowBasicAuthentication_Client](policy-csp-remotemanagement.md) +- [AllowBasicAuthentication_Service](policy-csp-remotemanagement.md) +- [AllowUnencryptedTraffic_Client](policy-csp-remotemanagement.md) +- [AllowUnencryptedTraffic_Service](policy-csp-remotemanagement.md) +- [DisallowDigestAuthentication](policy-csp-remotemanagement.md) +- [DisallowStoringOfRunAsCredentials](policy-csp-remotemanagement.md) +- [AllowCredSSPAuthenticationClient](policy-csp-remotemanagement.md) +- [AllowCredSSPAuthenticationService](policy-csp-remotemanagement.md) +- [DisallowNegotiateAuthenticationClient](policy-csp-remotemanagement.md) +- [DisallowNegotiateAuthenticationService](policy-csp-remotemanagement.md) +- [TrustedHosts](policy-csp-remotemanagement.md) +- [AllowRemoteServerManagement](policy-csp-remotemanagement.md) +- [SpecifyChannelBindingTokenHardeningLevel](policy-csp-remotemanagement.md) +- [TurnOnCompatibilityHTTPListener](policy-csp-remotemanagement.md) +- [TurnOnCompatibilityHTTPSListener](policy-csp-remotemanagement.md) + +## RemoteProcedureCall + +- [RPCEndpointMapperClientAuthentication](policy-csp-remoteprocedurecall.md) +- [RestrictUnauthenticatedRPCClients](policy-csp-remoteprocedurecall.md) + +## RemoteShell + +- [AllowRemoteShellAccess](policy-csp-remoteshell.md) +- [SpecifyIdleTimeout](policy-csp-remoteshell.md) +- [MaxConcurrentUsers](policy-csp-remoteshell.md) +- [SpecifyMaxMemory](policy-csp-remoteshell.md) +- [SpecifyMaxProcesses](policy-csp-remoteshell.md) +- [SpecifyMaxRemoteShells](policy-csp-remoteshell.md) +- [SpecifyShellTimeout](policy-csp-remoteshell.md) + +## ServiceControlManager + +- [SvchostProcessMitigation](policy-csp-servicecontrolmanager.md) + +## SettingsSync + +- [DisableAccessibilitySettingSync](policy-csp-settingssync.md) +- [DisableLanguageSettingSync](policy-csp-settingssync.md) + +## Storage + +- [WPDDevicesDenyReadAccessPerUser](policy-csp-storage.md) +- [WPDDevicesDenyWriteAccessPerUser](policy-csp-storage.md) +- [EnhancedStorageDevices](policy-csp-storage.md) +- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md) +- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md) + +## System + +- [BootStartDriverInitialization](policy-csp-system.md) +- [DisableSystemRestore](policy-csp-system.md) + +## TenantRestrictions + +- [ConfigureTenantRestrictions](policy-csp-tenantrestrictions.md) + +## WindowsConnectionManager + +- [ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](policy-csp-windowsconnectionmanager.md) + +## WindowsLogon + +- [DontDisplayNetworkSelectionUI](policy-csp-windowslogon.md) +- [DisableLockScreenAppNotifications](policy-csp-windowslogon.md) +- [EnumerateLocalUsersOnDomainJoinedComputers](policy-csp-windowslogon.md) +- [AllowAutomaticRestartSignOn](policy-csp-windowslogon.md) +- [ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md) +- [EnableMPRNotifications](policy-csp-windowslogon.md) + +## WindowsPowerShell + +- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) +- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md) + ## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index dfa2574c13..7deb3ca9d1 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,10 +1,10 @@ --- title: Policies in Policy CSP supported by Group Policy -description: Learn about the policies in Policy CSP supported by Group Policy. +description: Learn about the policies in Policy CSP supported by Group Policy.. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,924 @@ ms.topic: reference This article lists the policies in Policy CSP that have a group policy mapping. +## AboveLock + +- [AllowCortanaAboveLock](policy-csp-abovelock.md) + +## Accounts + +- [RestrictToEnterpriseDeviceAuthenticationOnly](policy-csp-accounts.md) + +## ApplicationDefaults + +- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md) +- [EnableAppUriHandlers](policy-csp-applicationdefaults.md) + +## ApplicationManagement + +- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) +- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) +- [AllowAllTrustedApps](policy-csp-applicationmanagement.md) +- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md) +- [AllowAutomaticAppArchiving](policy-csp-applicationmanagement.md) +- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md) +- [AllowGameDVR](policy-csp-applicationmanagement.md) +- [AllowSharedUserAppData](policy-csp-applicationmanagement.md) +- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md) +- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md) +- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md) +- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md) +- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md) +- [DisableStoreOriginatedApps](policy-csp-applicationmanagement.md) +- [BlockNonAdminUserInstall](policy-csp-applicationmanagement.md) + +## Audit + +- [AccountLogon_AuditCredentialValidation](policy-csp-audit.md) +- [AccountLogon_AuditKerberosAuthenticationService](policy-csp-audit.md) +- [AccountLogon_AuditKerberosServiceTicketOperations](policy-csp-audit.md) +- [AccountLogon_AuditOtherAccountLogonEvents](policy-csp-audit.md) +- [AccountManagement_AuditApplicationGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditComputerAccountManagement](policy-csp-audit.md) +- [AccountManagement_AuditDistributionGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditOtherAccountManagementEvents](policy-csp-audit.md) +- [AccountManagement_AuditSecurityGroupManagement](policy-csp-audit.md) +- [AccountManagement_AuditUserAccountManagement](policy-csp-audit.md) +- [DetailedTracking_AuditDPAPIActivity](policy-csp-audit.md) +- [DetailedTracking_AuditPNPActivity](policy-csp-audit.md) +- [DetailedTracking_AuditProcessCreation](policy-csp-audit.md) +- [DetailedTracking_AuditProcessTermination](policy-csp-audit.md) +- [DetailedTracking_AuditRPCEvents](policy-csp-audit.md) +- [DetailedTracking_AuditTokenRightAdjusted](policy-csp-audit.md) +- [DSAccess_AuditDetailedDirectoryServiceReplication](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceAccess](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceChanges](policy-csp-audit.md) +- [DSAccess_AuditDirectoryServiceReplication](policy-csp-audit.md) +- [AccountLogonLogoff_AuditAccountLockout](policy-csp-audit.md) +- [AccountLogonLogoff_AuditUserDeviceClaims](policy-csp-audit.md) +- [AccountLogonLogoff_AuditGroupMembership](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecExtendedMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecMainMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditIPsecQuickMode](policy-csp-audit.md) +- [AccountLogonLogoff_AuditLogoff](policy-csp-audit.md) +- [AccountLogonLogoff_AuditLogon](policy-csp-audit.md) +- [AccountLogonLogoff_AuditNetworkPolicyServer](policy-csp-audit.md) +- [AccountLogonLogoff_AuditOtherLogonLogoffEvents](policy-csp-audit.md) +- [AccountLogonLogoff_AuditSpecialLogon](policy-csp-audit.md) +- [ObjectAccess_AuditApplicationGenerated](policy-csp-audit.md) +- [ObjectAccess_AuditCertificationServices](policy-csp-audit.md) +- [ObjectAccess_AuditDetailedFileShare](policy-csp-audit.md) +- [ObjectAccess_AuditFileShare](policy-csp-audit.md) +- [ObjectAccess_AuditFileSystem](policy-csp-audit.md) +- [ObjectAccess_AuditFilteringPlatformConnection](policy-csp-audit.md) +- [ObjectAccess_AuditFilteringPlatformPacketDrop](policy-csp-audit.md) +- [ObjectAccess_AuditHandleManipulation](policy-csp-audit.md) +- [ObjectAccess_AuditKernelObject](policy-csp-audit.md) +- [ObjectAccess_AuditOtherObjectAccessEvents](policy-csp-audit.md) +- [ObjectAccess_AuditRegistry](policy-csp-audit.md) +- [ObjectAccess_AuditRemovableStorage](policy-csp-audit.md) +- [ObjectAccess_AuditSAM](policy-csp-audit.md) +- [ObjectAccess_AuditCentralAccessPolicyStaging](policy-csp-audit.md) +- [PolicyChange_AuditPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditAuthenticationPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditAuthorizationPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditFilteringPlatformPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditMPSSVCRuleLevelPolicyChange](policy-csp-audit.md) +- [PolicyChange_AuditOtherPolicyChangeEvents](policy-csp-audit.md) +- [PrivilegeUse_AuditNonSensitivePrivilegeUse](policy-csp-audit.md) +- [PrivilegeUse_AuditOtherPrivilegeUseEvents](policy-csp-audit.md) +- [PrivilegeUse_AuditSensitivePrivilegeUse](policy-csp-audit.md) +- [System_AuditIPsecDriver](policy-csp-audit.md) +- [System_AuditOtherSystemEvents](policy-csp-audit.md) +- [System_AuditSecurityStateChange](policy-csp-audit.md) +- [System_AuditSecuritySystemExtension](policy-csp-audit.md) +- [System_AuditSystemIntegrity](policy-csp-audit.md) + +## Authentication + +- [AllowSecondaryAuthenticationDevice](policy-csp-authentication.md) + +## BITS + +- [JobInactivityTimeout](policy-csp-bits.md) +- [BandwidthThrottlingStartTime](policy-csp-bits.md) +- [BandwidthThrottlingEndTime](policy-csp-bits.md) +- [BandwidthThrottlingTransferRate](policy-csp-bits.md) +- [CostedNetworkBehaviorForegroundPriority](policy-csp-bits.md) +- [CostedNetworkBehaviorBackgroundPriority](policy-csp-bits.md) + +## Browser + +- [AllowAddressBarDropdown](policy-csp-browser.md) +- [AllowAutofill](policy-csp-browser.md) +- [AllowCookies](policy-csp-browser.md) +- [AllowDeveloperTools](policy-csp-browser.md) +- [AllowDoNotTrack](policy-csp-browser.md) +- [AllowExtensions](policy-csp-browser.md) +- [AllowFlash](policy-csp-browser.md) +- [AllowFlashClickToRun](policy-csp-browser.md) +- [AllowFullScreenMode](policy-csp-browser.md) +- [AllowInPrivate](policy-csp-browser.md) +- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) +- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) +- [AllowPasswordManager](policy-csp-browser.md) +- [AllowPopups](policy-csp-browser.md) +- [AllowPrinting](policy-csp-browser.md) +- [AllowSavingHistory](policy-csp-browser.md) +- [AllowSearchEngineCustomization](policy-csp-browser.md) +- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) +- [AllowSideloadingOfExtensions](policy-csp-browser.md) +- [AllowSmartScreen](policy-csp-browser.md) +- [AllowWebContentOnNewTabPage](policy-csp-browser.md) +- [AlwaysEnableBooksLibrary](policy-csp-browser.md) +- [ClearBrowsingDataOnExit](policy-csp-browser.md) +- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) +- [ConfigureFavoritesBar](policy-csp-browser.md) +- [ConfigureHomeButton](policy-csp-browser.md) +- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) +- [DisableLockdownOfStartPages](policy-csp-browser.md) +- [EnableExtendedBooksTelemetry](policy-csp-browser.md) +- [AllowTabPreloading](policy-csp-browser.md) +- [AllowPrelaunch](policy-csp-browser.md) +- [EnterpriseModeSiteList](policy-csp-browser.md) +- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) +- [HomePages](policy-csp-browser.md) +- [LockdownFavorites](policy-csp-browser.md) +- [ConfigureKioskMode](policy-csp-browser.md) +- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) +- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) +- [PreventFirstRunPage](policy-csp-browser.md) +- [PreventCertErrorOverrides](policy-csp-browser.md) +- [PreventSmartScreenPromptOverride](policy-csp-browser.md) +- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) +- [PreventLiveTileDataCollection](policy-csp-browser.md) +- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) +- [ProvisionFavorites](policy-csp-browser.md) +- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) +- [SetDefaultSearchEngine](policy-csp-browser.md) +- [SetHomeButtonURL](policy-csp-browser.md) +- [SetNewTabPageURL](policy-csp-browser.md) +- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) +- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) +- [UnlockHomeButton](policy-csp-browser.md) +- [UseSharedFolderForBooks](policy-csp-browser.md) +- [AllowAddressBarDropdown](policy-csp-browser.md) +- [AllowAutofill](policy-csp-browser.md) +- [AllowCookies](policy-csp-browser.md) +- [AllowDeveloperTools](policy-csp-browser.md) +- [AllowDoNotTrack](policy-csp-browser.md) +- [AllowExtensions](policy-csp-browser.md) +- [AllowFlash](policy-csp-browser.md) +- [AllowFlashClickToRun](policy-csp-browser.md) +- [AllowFullScreenMode](policy-csp-browser.md) +- [AllowInPrivate](policy-csp-browser.md) +- [AllowMicrosoftCompatibilityList](policy-csp-browser.md) +- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md) +- [AllowPasswordManager](policy-csp-browser.md) +- [AllowPopups](policy-csp-browser.md) +- [AllowPrinting](policy-csp-browser.md) +- [AllowSavingHistory](policy-csp-browser.md) +- [AllowSearchEngineCustomization](policy-csp-browser.md) +- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md) +- [AllowSideloadingOfExtensions](policy-csp-browser.md) +- [AllowSmartScreen](policy-csp-browser.md) +- [AllowWebContentOnNewTabPage](policy-csp-browser.md) +- [AlwaysEnableBooksLibrary](policy-csp-browser.md) +- [ClearBrowsingDataOnExit](policy-csp-browser.md) +- [ConfigureAdditionalSearchEngines](policy-csp-browser.md) +- [ConfigureFavoritesBar](policy-csp-browser.md) +- [ConfigureHomeButton](policy-csp-browser.md) +- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md) +- [DisableLockdownOfStartPages](policy-csp-browser.md) +- [EnableExtendedBooksTelemetry](policy-csp-browser.md) +- [AllowTabPreloading](policy-csp-browser.md) +- [AllowPrelaunch](policy-csp-browser.md) +- [EnterpriseModeSiteList](policy-csp-browser.md) +- [PreventTurningOffRequiredExtensions](policy-csp-browser.md) +- [HomePages](policy-csp-browser.md) +- [LockdownFavorites](policy-csp-browser.md) +- [ConfigureKioskMode](policy-csp-browser.md) +- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md) +- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md) +- [PreventFirstRunPage](policy-csp-browser.md) +- [PreventCertErrorOverrides](policy-csp-browser.md) +- [PreventSmartScreenPromptOverride](policy-csp-browser.md) +- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md) +- [PreventLiveTileDataCollection](policy-csp-browser.md) +- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md) +- [ProvisionFavorites](policy-csp-browser.md) +- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md) +- [SetDefaultSearchEngine](policy-csp-browser.md) +- [SetHomeButtonURL](policy-csp-browser.md) +- [SetNewTabPageURL](policy-csp-browser.md) +- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md) +- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md) +- [UnlockHomeButton](policy-csp-browser.md) +- [UseSharedFolderForBooks](policy-csp-browser.md) + +## Camera + +- [AllowCamera](policy-csp-camera.md) + +## Cellular + +- [LetAppsAccessCellularData](policy-csp-cellular.md) +- [LetAppsAccessCellularData_ForceAllowTheseApps](policy-csp-cellular.md) +- [LetAppsAccessCellularData_ForceDenyTheseApps](policy-csp-cellular.md) +- [LetAppsAccessCellularData_UserInControlOfTheseApps](policy-csp-cellular.md) + +## Connectivity + +- [AllowCellularDataRoaming](policy-csp-connectivity.md) +- [AllowPhonePCLinking](policy-csp-connectivity.md) +- [DisallowNetworkConnectivityActiveTests](policy-csp-connectivity.md) + +## Cryptography + +- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md) + +## Defender + +- [AllowArchiveScanning](policy-csp-defender.md) +- [AllowBehaviorMonitoring](policy-csp-defender.md) +- [AllowCloudProtection](policy-csp-defender.md) +- [AllowEmailScanning](policy-csp-defender.md) +- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md) +- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md) +- [AllowIOAVProtection](policy-csp-defender.md) +- [AllowOnAccessProtection](policy-csp-defender.md) +- [AllowRealtimeMonitoring](policy-csp-defender.md) +- [AllowScanningNetworkFiles](policy-csp-defender.md) +- [AllowUserUIAccess](policy-csp-defender.md) +- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md) +- [AttackSurfaceReductionRules](policy-csp-defender.md) +- [AvgCPULoadFactor](policy-csp-defender.md) +- [CloudBlockLevel](policy-csp-defender.md) +- [CloudExtendedTimeout](policy-csp-defender.md) +- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md) +- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md) +- [SecurityIntelligenceLocation](policy-csp-defender.md) +- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md) +- [DaysToRetainCleanedMalware](policy-csp-defender.md) +- [DisableCatchupFullScan](policy-csp-defender.md) +- [DisableCatchupQuickScan](policy-csp-defender.md) +- [EnableControlledFolderAccess](policy-csp-defender.md) +- [EnableLowCPUPriority](policy-csp-defender.md) +- [EnableNetworkProtection](policy-csp-defender.md) +- [ExcludedPaths](policy-csp-defender.md) +- [ExcludedExtensions](policy-csp-defender.md) +- [ExcludedProcesses](policy-csp-defender.md) +- [PUAProtection](policy-csp-defender.md) +- [RealTimeScanDirection](policy-csp-defender.md) +- [ScanParameter](policy-csp-defender.md) +- [ScheduleQuickScanTime](policy-csp-defender.md) +- [ScheduleScanDay](policy-csp-defender.md) +- [ScheduleScanTime](policy-csp-defender.md) +- [SignatureUpdateFallbackOrder](policy-csp-defender.md) +- [SignatureUpdateFileSharesSources](policy-csp-defender.md) +- [SignatureUpdateInterval](policy-csp-defender.md) +- [SubmitSamplesConsent](policy-csp-defender.md) +- [ThreatSeverityDefaultAction](policy-csp-defender.md) + +## DeliveryOptimization + +- [DODownloadMode](policy-csp-deliveryoptimization.md) +- [DOGroupId](policy-csp-deliveryoptimization.md) +- [DOMaxCacheSize](policy-csp-deliveryoptimization.md) +- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md) +- [DOMaxCacheAge](policy-csp-deliveryoptimization.md) +- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md) +- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md) +- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md) +- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md) +- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md) +- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md) +- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md) +- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md) +- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md) +- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md) +- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md) +- [DOCacheHost](policy-csp-deliveryoptimization.md) +- [DOCacheHostSource](policy-csp-deliveryoptimization.md) +- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md) +- [DOGroupIdSource](policy-csp-deliveryoptimization.md) +- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md) +- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md) +- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md) +- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md) +- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md) +- [DOVpnKeywords](policy-csp-deliveryoptimization.md) + +## DeviceGuard + +- [EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) +- [RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) +- [LsaCfgFlags](policy-csp-deviceguard.md) +- [ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) + +## DeviceLock + +- [MinimumPasswordAge](policy-csp-devicelock.md) +- [MaximumPasswordAge](policy-csp-devicelock.md) +- [ClearTextPassword](policy-csp-devicelock.md) +- [PasswordComplexity](policy-csp-devicelock.md) +- [PasswordHistorySize](policy-csp-devicelock.md) + +## Display + +- [EnablePerProcessDpi](policy-csp-display.md) +- [TurnOnGdiDPIScalingForApps](policy-csp-display.md) +- [TurnOffGdiDPIScalingForApps](policy-csp-display.md) +- [EnablePerProcessDpi](policy-csp-display.md) +- [EnablePerProcessDpiForApps](policy-csp-display.md) +- [DisablePerProcessDpiForApps](policy-csp-display.md) + +## DmaGuard + +- [DeviceEnumerationPolicy](policy-csp-dmaguard.md) + +## Education + +- [AllowGraphingCalculator](policy-csp-education.md) +- [PreventAddingNewPrinters](policy-csp-education.md) + +## Experience + +- [AllowSpotlightCollection](policy-csp-experience.md) +- [AllowThirdPartySuggestionsInWindowsSpotlight](policy-csp-experience.md) +- [AllowWindowsSpotlight](policy-csp-experience.md) +- [AllowWindowsSpotlightOnActionCenter](policy-csp-experience.md) +- [AllowWindowsSpotlightOnSettings](policy-csp-experience.md) +- [AllowWindowsSpotlightWindowsWelcomeExperience](policy-csp-experience.md) +- [AllowTailoredExperiencesWithDiagnosticData](policy-csp-experience.md) +- [ConfigureWindowsSpotlightOnLockScreen](policy-csp-experience.md) +- [AllowCortana](policy-csp-experience.md) +- [AllowWindowsConsumerFeatures](policy-csp-experience.md) +- [AllowWindowsTips](policy-csp-experience.md) +- [DoNotShowFeedbackNotifications](policy-csp-experience.md) +- [AllowFindMyDevice](policy-csp-experience.md) +- [AllowClipboardHistory](policy-csp-experience.md) +- [DoNotSyncBrowserSettings](policy-csp-experience.md) +- [PreventUsersFromTurningOnBrowserSyncing](policy-csp-experience.md) +- [ShowLockOnUserTile](policy-csp-experience.md) +- [DisableCloudOptimizedContent](policy-csp-experience.md) +- [DisableConsumerAccountStateContent](policy-csp-experience.md) +- [ConfigureChatIcon](policy-csp-experience.md) + +## ExploitGuard + +- [ExploitProtectionSettings](policy-csp-exploitguard.md) + +## FileExplorer + +- [DisableGraphRecentItems](policy-csp-fileexplorer.md) + +## Handwriting + +- [PanelDefaultModeDocked](policy-csp-handwriting.md) + +## HumanPresence + +- [ForceInstantWake](policy-csp-humanpresence.md) +- [ForceInstantLock](policy-csp-humanpresence.md) +- [ForceLockTimeout](policy-csp-humanpresence.md) +- [ForceInstantDim](policy-csp-humanpresence.md) + +## Kerberos + +- [PKInitHashAlgorithmConfiguration](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA1](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA256](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA384](policy-csp-kerberos.md) +- [PKInitHashAlgorithmSHA512](policy-csp-kerberos.md) +- [CloudKerberosTicketRetrievalEnabled](policy-csp-kerberos.md) + +## LanmanWorkstation + +- [EnableInsecureGuestLogons](policy-csp-lanmanworkstation.md) + +## Licensing + +- [AllowWindowsEntitlementReactivation](policy-csp-licensing.md) +- [DisallowKMSClientOnlineAVSValidation](policy-csp-licensing.md) + +## LocalPoliciesSecurityOptions + +- [Accounts_EnableAdministratorAccountStatus](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_BlockMicrosoftAccounts](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_EnableGuestAccountStatus](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_RenameAdministratorAccount](policy-csp-localpoliciessecurityoptions.md) +- [Accounts_RenameGuestAccount](policy-csp-localpoliciessecurityoptions.md) +- [Devices_AllowUndockWithoutHavingToLogon](policy-csp-localpoliciessecurityoptions.md) +- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md) +- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md) +- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [InteractiveLogon_SmartCardRemovalBehavior](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md) +- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md) +- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_AllowPKU2UAuthenticationRequests](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_LANManagerAuthenticationLevel](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md) +- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md) +- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md) +- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md) +- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md) + +## LocalSecurityAuthority + +- [ConfigureLsaProtectedProcess](policy-csp-lsa.md) + +## LockDown + +- [AllowEdgeSwipe](policy-csp-lockdown.md) + +## Maps + +- [EnableOfflineMapsAutoUpdate](policy-csp-maps.md) + +## Messaging + +- [AllowMessageSync](policy-csp-messaging.md) + +## Multitasking + +- [BrowserAltTabBlowout](policy-csp-multitasking.md) + +## NetworkIsolation + +- [EnterpriseCloudResources](policy-csp-networkisolation.md) +- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md) +- [EnterpriseIPRange](policy-csp-networkisolation.md) +- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md) +- [EnterpriseProxyServers](policy-csp-networkisolation.md) +- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md) +- [NeutralResources](policy-csp-networkisolation.md) + +## NewsAndInterests + +- [AllowNewsAndInterests](policy-csp-newsandinterests.md) + +## Notifications + +- [DisallowNotificationMirroring](policy-csp-notifications.md) +- [DisallowTileNotification](policy-csp-notifications.md) +- [DisallowCloudNotification](policy-csp-notifications.md) +- [WnsEndpoint](policy-csp-notifications.md) + +## Power + +- [EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md) +- [EnergySaverBatteryThresholdOnBattery](policy-csp-power.md) +- [SelectPowerButtonActionPluggedIn](policy-csp-power.md) +- [SelectPowerButtonActionOnBattery](policy-csp-power.md) +- [SelectSleepButtonActionPluggedIn](policy-csp-power.md) +- [SelectSleepButtonActionOnBattery](policy-csp-power.md) +- [SelectLidCloseActionPluggedIn](policy-csp-power.md) +- [SelectLidCloseActionOnBattery](policy-csp-power.md) +- [TurnOffHybridSleepPluggedIn](policy-csp-power.md) +- [TurnOffHybridSleepOnBattery](policy-csp-power.md) +- [UnattendedSleepTimeoutPluggedIn](policy-csp-power.md) +- [UnattendedSleepTimeoutOnBattery](policy-csp-power.md) + +## Privacy + +- [DisablePrivacyExperience](policy-csp-privacy.md) +- [DisableAdvertisingId](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground](policy-csp-privacy.md) +- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md) +- [AllowInputPersonalization](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar](policy-csp-privacy.md) +- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera](policy-csp-privacy.md) +- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts](policy-csp-privacy.md) +- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail](policy-csp-privacy.md) +- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation](policy-csp-privacy.md) +- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging](policy-csp-privacy.md) +- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion](policy-csp-privacy.md) +- [LetAppsAccessMotion_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessMotion_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications](policy-csp-privacy.md) +- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone](policy-csp-privacy.md) +- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios](policy-csp-privacy.md) +- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks](policy-csp-privacy.md) +- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md) +- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md) +- [EnableActivityFeed](policy-csp-privacy.md) +- [PublishUserActivities](policy-csp-privacy.md) +- [UploadUserActivities](policy-csp-privacy.md) +- [AllowCrossDeviceClipboard](policy-csp-privacy.md) +- [DisablePrivacyExperience](policy-csp-privacy.md) +- [LetAppsActivateWithVoice](policy-csp-privacy.md) +- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md) + +## RemoteDesktop + +- [AutoSubscription](policy-csp-remotedesktop.md) + +## Search + +- [AllowIndexingEncryptedStoresOrItems](policy-csp-search.md) +- [AllowSearchToUseLocation](policy-csp-search.md) +- [AllowUsingDiacritics](policy-csp-search.md) +- [AlwaysUseAutoLangDetection](policy-csp-search.md) +- [DisableBackoff](policy-csp-search.md) +- [DisableRemovableDriveIndexing](policy-csp-search.md) +- [DisableSearch](policy-csp-search.md) +- [PreventIndexingLowDiskSpaceMB](policy-csp-search.md) +- [PreventRemoteQueries](policy-csp-search.md) +- [AllowCloudSearch](policy-csp-search.md) +- [DoNotUseWebResults](policy-csp-search.md) +- [AllowCortanaInAAD](policy-csp-search.md) +- [AllowFindMyFiles](policy-csp-search.md) +- [AllowSearchHighlights](policy-csp-search.md) + +## Security + +- [ClearTPMIfNotReady](policy-csp-security.md) + +## Settings + +- [ConfigureTaskbarCalendar](policy-csp-settings.md) +- [PageVisibilityList](policy-csp-settings.md) +- [PageVisibilityList](policy-csp-settings.md) +- [AllowOnlineTips](policy-csp-settings.md) + +## SmartScreen + +- [EnableSmartScreenInShell](policy-csp-smartscreen.md) +- [PreventOverrideForFilesInShell](policy-csp-smartscreen.md) +- [EnableAppInstallControl](policy-csp-smartscreen.md) + +## Speech + +- [AllowSpeechModelUpdate](policy-csp-speech.md) + +## Start + +- [ForceStartSize](policy-csp-start.md) +- [DisableContextMenus](policy-csp-start.md) +- [ShowOrHideMostUsedApps](policy-csp-start.md) +- [HideFrequentlyUsedApps](policy-csp-start.md) +- [HideRecentlyAddedApps](policy-csp-start.md) +- [HidePeopleBar](policy-csp-start.md) +- [StartLayout](policy-csp-start.md) +- [ConfigureStartPins](policy-csp-start.md) +- [HideRecommendedSection](policy-csp-start.md) +- [HideTaskViewButton](policy-csp-start.md) +- [DisableControlCenter](policy-csp-start.md) +- [ForceStartSize](policy-csp-start.md) +- [DisableContextMenus](policy-csp-start.md) +- [ShowOrHideMostUsedApps](policy-csp-start.md) +- [HideFrequentlyUsedApps](policy-csp-start.md) +- [HideRecentlyAddedApps](policy-csp-start.md) +- [StartLayout](policy-csp-start.md) +- [ConfigureStartPins](policy-csp-start.md) +- [HideRecommendedSection](policy-csp-start.md) +- [SimplifyQuickSettings](policy-csp-start.md) +- [DisableEditingQuickSettings](policy-csp-start.md) +- [HideTaskViewButton](policy-csp-start.md) + +## Storage + +- [AllowDiskHealthModelUpdates](policy-csp-storage.md) +- [RemovableDiskDenyWriteAccess](policy-csp-storage.md) +- [AllowStorageSenseGlobal](policy-csp-storage.md) +- [ConfigStorageSenseGlobalCadence](policy-csp-storage.md) +- [AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md) +- [ConfigStorageSenseRecycleBinCleanupThreshold](policy-csp-storage.md) +- [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md) +- [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md) + +## System + +- [AllowTelemetry](policy-csp-system.md) +- [AllowBuildPreview](policy-csp-system.md) +- [AllowFontProviders](policy-csp-system.md) +- [AllowLocation](policy-csp-system.md) +- [AllowTelemetry](policy-csp-system.md) +- [TelemetryProxy](policy-csp-system.md) +- [DisableOneDriveFileSync](policy-csp-system.md) +- [AllowWUfBCloudProcessing](policy-csp-system.md) +- [AllowUpdateComplianceProcessing](policy-csp-system.md) +- [AllowDesktopAnalyticsProcessing](policy-csp-system.md) +- [DisableEnterpriseAuthProxy](policy-csp-system.md) +- [LimitEnhancedDiagnosticDataWindowsAnalytics](policy-csp-system.md) +- [AllowDeviceNameInDiagnosticData](policy-csp-system.md) +- [ConfigureTelemetryOptInSettingsUx](policy-csp-system.md) +- [ConfigureTelemetryOptInChangeNotification](policy-csp-system.md) +- [DisableDeviceDelete](policy-csp-system.md) +- [DisableDiagnosticDataViewer](policy-csp-system.md) +- [ConfigureMicrosoft365UploadEndpoint](policy-csp-system.md) +- [TurnOffFileHistory](policy-csp-system.md) +- [DisableDirectXDatabaseUpdate](policy-csp-system.md) +- [AllowCommercialDataPipeline](policy-csp-system.md) +- [LimitDiagnosticLogCollection](policy-csp-system.md) +- [LimitDumpCollection](policy-csp-system.md) +- [EnableOneSettingsAuditing](policy-csp-system.md) +- [DisableOneSettingsDownloads](policy-csp-system.md) +- [HideUnsupportedHardwareNotifications](policy-csp-system.md) + +## SystemServices + +- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md) +- [ConfigureXboxLiveNetworkingServiceStartupMode](policy-csp-systemservices.md) + +## TextInput + +- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md) +- [AllowLinguisticDataCollection](policy-csp-textinput.md) +- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md) +- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md) +- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md) +- [ConfigureKoreanIMEVersion](policy-csp-textinput.md) + +## TimeLanguageSettings + +- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) +- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md) +- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md) +- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md) + +## Troubleshooting + +- [AllowRecommendations](policy-csp-troubleshooting.md) + +## Update + +- [ActiveHoursEnd](policy-csp-update.md) +- [ActiveHoursStart](policy-csp-update.md) +- [ActiveHoursMaxRange](policy-csp-update.md) +- [AutoRestartRequiredNotificationDismissal](policy-csp-update.md) +- [AutoRestartNotificationSchedule](policy-csp-update.md) +- [SetAutoRestartNotificationDisable](policy-csp-update.md) +- [ScheduleRestartWarning](policy-csp-update.md) +- [ScheduleImminentRestartWarning](policy-csp-update.md) +- [AllowAutoUpdate](policy-csp-update.md) +- [AutoRestartDeadlinePeriodInDays](policy-csp-update.md) +- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartTransitionSchedule](policy-csp-update.md) +- [EngagedRestartSnoozeSchedule](policy-csp-update.md) +- [EngagedRestartDeadline](policy-csp-update.md) +- [EngagedRestartTransitionScheduleForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartSnoozeScheduleForFeatureUpdates](policy-csp-update.md) +- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md) +- [DetectionFrequency](policy-csp-update.md) +- [ManagePreviewBuilds](policy-csp-update.md) +- [BranchReadinessLevel](policy-csp-update.md) +- [ProductVersion](policy-csp-update.md) +- [TargetReleaseVersion](policy-csp-update.md) +- [AllowUpdateService](policy-csp-update.md) +- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md) +- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md) +- [DeferUpdatePeriod](policy-csp-update.md) +- [DeferUpgradePeriod](policy-csp-update.md) +- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md) +- [PauseDeferrals](policy-csp-update.md) +- [PauseFeatureUpdates](policy-csp-update.md) +- [PauseQualityUpdates](policy-csp-update.md) +- [PauseFeatureUpdatesStartTime](policy-csp-update.md) +- [PauseQualityUpdatesStartTime](policy-csp-update.md) +- [RequireDeferUpgrade](policy-csp-update.md) +- [AllowMUUpdateService](policy-csp-update.md) +- [ScheduledInstallDay](policy-csp-update.md) +- [ScheduledInstallTime](policy-csp-update.md) +- [ScheduledInstallEveryWeek](policy-csp-update.md) +- [ScheduledInstallFirstWeek](policy-csp-update.md) +- [ScheduledInstallSecondWeek](policy-csp-update.md) +- [ScheduledInstallThirdWeek](policy-csp-update.md) +- [ScheduledInstallFourthWeek](policy-csp-update.md) +- [UpdateServiceUrl](policy-csp-update.md) +- [UpdateServiceUrlAlternate](policy-csp-update.md) +- [FillEmptyContentUrls](policy-csp-update.md) +- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md) +- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md) +- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) +- [SetEDURestart](policy-csp-update.md) +- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) +- [SetDisableUXWUAccess](policy-csp-update.md) +- [SetDisablePauseUXAccess](policy-csp-update.md) +- [UpdateNotificationLevel](policy-csp-update.md) +- [NoUpdateNotificationsDuringActiveHours](policy-csp-update.md) +- [DisableDualScan](policy-csp-update.md) +- [AutomaticMaintenanceWakeUp](policy-csp-update.md) +- [ConfigureDeadlineForQualityUpdates](policy-csp-update.md) +- [ConfigureDeadlineForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineGracePeriod](policy-csp-update.md) +- [ConfigureDeadlineGracePeriodForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md) +- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md) +- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md) + +## UserRights + +- [AccessCredentialManagerAsTrustedCaller](policy-csp-userrights.md) +- [AccessFromNetwork](policy-csp-userrights.md) +- [ActAsPartOfTheOperatingSystem](policy-csp-userrights.md) +- [AllowLocalLogOn](policy-csp-userrights.md) +- [BackupFilesAndDirectories](policy-csp-userrights.md) +- [ChangeSystemTime](policy-csp-userrights.md) +- [CreatePageFile](policy-csp-userrights.md) +- [CreateToken](policy-csp-userrights.md) +- [CreateGlobalObjects](policy-csp-userrights.md) +- [CreatePermanentSharedObjects](policy-csp-userrights.md) +- [CreateSymbolicLinks](policy-csp-userrights.md) +- [DebugPrograms](policy-csp-userrights.md) +- [DenyAccessFromNetwork](policy-csp-userrights.md) +- [DenyLocalLogOn](policy-csp-userrights.md) +- [DenyRemoteDesktopServicesLogOn](policy-csp-userrights.md) +- [EnableDelegation](policy-csp-userrights.md) +- [RemoteShutdown](policy-csp-userrights.md) +- [GenerateSecurityAudits](policy-csp-userrights.md) +- [ImpersonateClient](policy-csp-userrights.md) +- [IncreaseSchedulingPriority](policy-csp-userrights.md) +- [LoadUnloadDeviceDrivers](policy-csp-userrights.md) +- [LockMemory](policy-csp-userrights.md) +- [ManageAuditingAndSecurityLog](policy-csp-userrights.md) +- [ModifyObjectLabel](policy-csp-userrights.md) +- [ModifyFirmwareEnvironment](policy-csp-userrights.md) +- [ManageVolume](policy-csp-userrights.md) +- [ProfileSingleProcess](policy-csp-userrights.md) +- [RestoreFilesAndDirectories](policy-csp-userrights.md) +- [TakeOwnership](policy-csp-userrights.md) +- [BypassTraverseChecking](policy-csp-userrights.md) +- [ReplaceProcessLevelToken](policy-csp-userrights.md) +- [ChangeTimeZone](policy-csp-userrights.md) +- [ShutDownTheSystem](policy-csp-userrights.md) +- [LogOnAsBatchJob](policy-csp-userrights.md) +- [ProfileSystemPerformance](policy-csp-userrights.md) +- [DenyLogOnAsBatchJob](policy-csp-userrights.md) +- [LogOnAsService](policy-csp-userrights.md) +- [IncreaseProcessWorkingSet](policy-csp-userrights.md) + +## VirtualizationBasedTechnology + +- [HypervisorEnforcedCodeIntegrity](policy-csp-virtualizationbasedtechnology.md) +- [RequireUEFIMemoryAttributesTable](policy-csp-virtualizationbasedtechnology.md) + +## WebThreatDefense + +- [ServiceEnabled](policy-csp-webthreatdefense.md) +- [NotifyMalicious](policy-csp-webthreatdefense.md) +- [NotifyPasswordReuse](policy-csp-webthreatdefense.md) +- [NotifyUnsafeApp](policy-csp-webthreatdefense.md) +- [CaptureThreatWindow](policy-csp-webthreatdefense.md) + +## Wifi + +- [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md) +- [AllowInternetSharing](policy-csp-wifi.md) + +## WindowsDefenderSecurityCenter + +- [CompanyName](policy-csp-windowsdefendersecuritycenter.md) +- [DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) +- [DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) +- [DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) +- [DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md) +- [DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) +- [DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) +- [Email](policy-csp-windowsdefendersecuritycenter.md) +- [EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) +- [EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) +- [HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) +- [HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) +- [HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) +- [HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) +- [Phone](policy-csp-windowsdefendersecuritycenter.md) +- [URL](policy-csp-windowsdefendersecuritycenter.md) + +## WindowsInkWorkspace + +- [AllowWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) +- [AllowSuggestedAppsInWindowsInkWorkspace](policy-csp-windowsinkworkspace.md) + +## WindowsLogon + +- [HideFastUserSwitching](policy-csp-windowslogon.md) +- [EnableFirstLogonAnimation](policy-csp-windowslogon.md) + +## WindowsSandbox + +- [AllowVGPU](policy-csp-windowssandbox.md) +- [AllowNetworking](policy-csp-windowssandbox.md) +- [AllowAudioInput](policy-csp-windowssandbox.md) +- [AllowVideoInput](policy-csp-windowssandbox.md) +- [AllowPrinterRedirection](policy-csp-windowssandbox.md) +- [AllowClipboardRedirection](policy-csp-windowssandbox.md) + +## WirelessDisplay + +- [AllowProjectionToPC](policy-csp-wirelessdisplay.md) +- [RequirePinForPairing](policy-csp-wirelessdisplay.md) + ## Related articles [Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 83bd626bba..95d89d8ebf 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,10 +1,10 @@ --- title: Policy CSP -description: Learn more about the Policy CSP +description: Learn more about the Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1095,7 +1095,6 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f - [Camera](policy-csp-camera.md) - [Cellular](policy-csp-cellular.md) - [CloudDesktop](policy-csp-clouddesktop.md) -- [CloudPC](policy-csp-cloudpc.md) - [Connectivity](policy-csp-connectivity.md) - [ControlPolicyConflict](policy-csp-controlpolicyconflict.md) - [CredentialProviders](policy-csp-credentialproviders.md) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 9be972e3d9..bdb6a819f1 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,10 +1,10 @@ --- title: AboveLock Policy CSP -description: Learn more about the AboveLock Area in Policy CSP +description: Learn more about the AboveLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -91,9 +91,9 @@ This policy is deprecated This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. -If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. +- If you enable or don't configure this setting, the user can interact with Cortana using speech while the system is locked. -If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. +- If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 5da980cc1a..44c49be631 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,10 +1,10 @@ --- title: Accounts Policy CSP -description: Learn more about the Accounts Area in Policy CSP +description: Learn more about the Accounts Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/13/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,9 +37,10 @@ ms.topic: reference -Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0. +Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0 -**Note**: This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP. +> [!NOTE] +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the EMAIL2 CSP. @@ -137,11 +138,13 @@ Specifies whether the user is allowed to use an MSA account for non-email relate -Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service. +Allows IT Admins the ability to disable the Microsoft Account Sign-In Assistant (wlidsvc) NT service -**Note**: If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are. +> [!NOTE] +> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are -**Note**: If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. +> [!NOTE] +> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to "step-up" from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index a7412e45a0..6432707d70 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,10 +1,10 @@ --- title: ActiveXControls Policy CSP -description: Learn more about the ActiveXControls Area in Policy CSP +description: Learn more about the ActiveXControls Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/13/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ActiveXControls > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. +- If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. +- If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. -Note: Wild card characters cannot be used when specifying the host URLs. +> [!NOTE] +> Wild card characters cannot be used when specifying the host URLs. @@ -68,7 +67,7 @@ Note: Wild card characters cannot be used when specifying the host URLs. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 1d15012471..ad05a61b1f 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -1,10 +1,10 @@ --- title: ADMX_ActiveXInstallService Policy CSP -description: Learn more about the ADMX_ActiveXInstallService Area in Policy CSP +description: Learn more about the ADMX_ActiveXInstallService Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/13/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ActiveXInstallService > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference This policy setting controls the installation of ActiveX controls for sites in Trusted zone. -If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. +- If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. -If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. +- If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation. If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore. -Note: This policy setting applies to all sites in Trusted zones. +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. @@ -70,7 +69,7 @@ Note: This policy setting applies to all sites in Trusted zones. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index c722d8e379..58e17f5f98 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -1,10 +1,10 @@ --- title: ADMX_AddRemovePrograms Policy CSP -description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP +description: Learn more about the ADMX_AddRemovePrograms Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/13/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AddRemovePrograms > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,15 +44,16 @@ ms.topic: reference Specifies the category of programs that appears when users open the "Add New Programs" page. -If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories. +- If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. -If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. +- If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need. -Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. +> [!NOTE] +> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. @@ -72,7 +71,7 @@ Note: This setting is ignored if either the "Remove Add or Remove Programs" sett > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -111,11 +110,12 @@ Note: This setting is ignored if either the "Remove Add or Remove Programs" sett Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. -If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. +- If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. -Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. @@ -133,7 +133,7 @@ Note: If the "Hide Add New Programs page" setting is enabled, this setting is ig > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -173,11 +173,12 @@ Note: If the "Hide Add New Programs page" setting is enabled, this setting is ig Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. -If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. +- If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. -Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. @@ -195,7 +196,7 @@ Note: If the "Hide Add New Programs page" setting is enabled, this setting is ig > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -239,11 +240,12 @@ This setting removes the "Add programs from your network" section from the Add N Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. -If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. +- If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. -If you disable this setting or do not configure it, "Add programs from your network" is available to all users. +- If you disable this setting or do not configure it, "Add programs from your network" is available to all users. -Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. @@ -261,7 +263,7 @@ Note: If the "Hide Add New Programs page" setting is enabled, this setting is ig > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -303,7 +305,7 @@ Removes the Add New Programs button from the Add or Remove Programs bar. As a re The Add New Programs button lets users install programs published or assigned by a system administrator. -If you disable this setting or do not configure it, the Add New Programs button is available to all users. +- If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. @@ -323,7 +325,7 @@ This setting does not prevent users from using other tools and methods to instal > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -367,7 +369,7 @@ This setting removes Add or Remove Programs from Control Panel and removes the A Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. -If you disable this setting or do not configure it, Add or Remove Programs is available to all users. +- If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. @@ -389,7 +391,7 @@ This setting does not prevent users from using other tools and methods to instal > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -431,7 +433,7 @@ Removes the Set Program Access and Defaults button from the Add or Remove Progra The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. +- If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. @@ -453,7 +455,7 @@ This setting does not prevent the Set Program Access and Defaults icon from appe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -495,7 +497,7 @@ Removes the Change or Remove Programs button from the Add or Remove Programs bar The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. -If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. +- If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. @@ -515,7 +517,7 @@ This setting does not prevent users from using other tools and methods to delete > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -557,11 +559,13 @@ Prevents users from using Add or Remove Programs to configure installed services This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. -If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. +- If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. +- If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. -Note: When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. +> [!NOTE] +> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. @@ -581,7 +585,7 @@ To remove "Set up services" and prevent the Windows Component Wizard from starti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -623,9 +627,10 @@ Removes links to the Support Info dialog box from programs on the Change or Remo Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. -If you disable this setting or do not configure it, the Support Info hyperlink appears. +- If you disable this setting or do not configure it, the Support Info hyperlink appears. -Note: Not all programs provide a support information hyperlink. +> [!NOTE] +> Not all programs provide a support information hyperlink. @@ -643,7 +648,7 @@ Note: Not all programs provide a support information hyperlink. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -685,7 +690,7 @@ Removes the Add/Remove Windows Components button from the Add or Remove Programs The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. -If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. +- If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. @@ -705,7 +710,7 @@ This setting does not prevent users from using other tools and methods to config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index 587000d7af..747cb54e0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -1,10 +1,10 @@ --- title: ADMX_AdmPwd Policy CSP -description: Learn more about the ADMX_AdmPwd Area in Policy CSP +description: Learn more about the ADMX_AdmPwd Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AdmPwd > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -63,10 +61,16 @@ If you disable or not configure this setting, local administrator password is NO + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd | +| ADMX File Name | AdmPwd.admx | @@ -111,10 +115,16 @@ When you disable or don't configure this setting, password expiration time may b + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd_AdminName | +| ADMX File Name | AdmPwd.admx | @@ -159,10 +169,16 @@ When you disable or don't configure this setting, password expiration time may b + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd_DontAllowPwdExpirationBehindPolicy | +| ADMX File Name | AdmPwd.admx | @@ -209,10 +225,16 @@ If you disable or not configure this setting, local administrator password is NO + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | POL_AdmPwd_Enabled | +| ADMX File Name | AdmPwd.admx | diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index e1cc857151..a0d2e3d901 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -1,10 +1,10 @@ --- title: ADMX_AppCompat Policy CSP -description: Learn more about the ADMX_AppCompat Area in Policy CSP +description: Learn more about the ADMX_AppCompat Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AppCompat > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -54,7 +52,8 @@ If the status is set to Disabled, the MS-DOS subsystem runs for all users on thi If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on windows 7 and downlevel, the OS will allow 16-bit applications to run. -**Note**: This setting appears in only Computer Configuration. +> [!NOTE] +> This setting appears in only Computer Configuration. @@ -72,7 +71,7 @@ If the status is set to Not Configured, the OS falls back on a local policy set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -130,7 +129,7 @@ The compatibility property page displays a list of options that can be selected > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -194,7 +193,7 @@ Disabling telemetry will take effect on any newly launched applications. To ensu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -242,7 +241,7 @@ The Windows Resource Protection and User Account Control features of Windows use This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. -**Note**: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. +NOTE: Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, please reboot to ensure that your system accurately reflects those changes. @@ -260,7 +259,7 @@ This option is useful to server administrators who require faster performance an > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -316,7 +315,7 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -358,11 +357,12 @@ This policy setting controls the state of the Program Compatibility Assistant (P The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. +- If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. -If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +- If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. -**Note**: The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. +> [!NOTE] +> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. @@ -380,7 +380,7 @@ If you disable or do not configure this policy setting, the PCA will be turned o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -422,11 +422,12 @@ This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. -If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. +- If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. -If you disable or do not configure this policy setting, the Inventory Collector will be turned on. +- If you disable or do not configure this policy setting, the Inventory Collector will be turned on. -**Note**: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. +> [!NOTE] +> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. @@ -444,7 +445,7 @@ If you disable or do not configure this policy setting, the Inventory Collector > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -488,9 +489,9 @@ Switchback is a mechanism that provides generic compatibility mitigations to old Switchback is on by default. -If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. +- If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. -If you disable or do not configure this policy setting, the Switchback will be turned on. +- If you disable or do not configure this policy setting, the Switchback will be turned on. Please reboot the system after changing the setting to ensure that your system accurately reflects those changes. @@ -510,7 +511,7 @@ Please reboot the system after changing the setting to ensure that your system a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -552,9 +553,9 @@ This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screen shots. Steps Recorder includes an option to turn on and off data collection. -If you enable this policy setting, Steps Recorder will be disabled. +- If you enable this policy setting, Steps Recorder will be disabled. -If you disable or do not configure this policy setting, Steps Recorder will be enabled. +- If you disable or do not configure this policy setting, Steps Recorder will be enabled. @@ -572,7 +573,7 @@ If you disable or do not configure this policy setting, Steps Recorder will be e > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 1e4e2605cd..fb99a07c57 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -1,10 +1,10 @@ --- title: ADMX_AppxPackageManager Policy CSP -description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP +description: Learn more about the ADMX_AppxPackageManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AppxPackageManager > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -54,10 +52,9 @@ Temporary user profiles, which are created when an error prevents the correct pr User profiles for the Guest account and members of the Guests group +- If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. -If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile. - -If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. +- If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile. @@ -75,7 +72,7 @@ If you disable or do not configure this policy setting, Group Policy blocks depl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 7186767005..71173b8d82 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -1,10 +1,10 @@ --- title: ADMX_AppXRuntime Policy CSP -description: Learn more about the ADMX_AppXRuntime Area in Policy CSP +description: Learn more about the ADMX_AppXRuntime Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AppXRuntime > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. -If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. +- If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. @@ -66,7 +64,7 @@ If you disable or don't set this policy setting, Windows Store apps will only us > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,9 +108,9 @@ If you disable or don't set this policy setting, Windows Store apps will only us This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type. -If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. +- If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps. -If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. +- If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type. @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, Windows Store apps can o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -170,9 +168,9 @@ If you disable or do not configure this policy setting, Windows Store apps can o This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched. -If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. +- If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. -If you disable or do not configure this policy setting, all Universal Windows apps can be launched. +- If you disable or do not configure this policy setting, all Universal Windows apps can be launched. This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues. @@ -192,7 +190,7 @@ This policy should not be enabled unless recommended by Microsoft as a security > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -236,11 +234,12 @@ This policy should not be enabled unless recommended by Microsoft as a security This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app. -If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. +- If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps. -If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. +- If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme. -Note: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. +> [!NOTE] +> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk. @@ -258,7 +257,7 @@ Note: Enabling this policy setting does not block Windows Store apps from openin > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index d770e120ae..e6f792fa8b 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -1,10 +1,10 @@ --- title: ADMX_AttachmentManager Policy CSP -description: Learn more about the ADMX_AttachmentManager Area in Policy CSP +description: Learn more about the ADMX_AttachmentManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AttachmentManager > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -52,11 +50,11 @@ Preferring the file type instructs Windows to use the file type data over the fi Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options. -If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. +- If you enable this policy setting, you can choose the order in which Windows processes risk assessment data. -If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +- If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. -If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. +- If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type. @@ -74,7 +72,7 @@ If you do not configure this policy setting, Windows uses its default trust logi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -119,11 +117,11 @@ Moderate Risk: If the attachment is in the list of moderate-risk file types and Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. -If you enable this policy setting, you can specify the default risk level for file types. +- If you enable this policy setting, you can specify the default risk level for file types. -If you disable this policy setting, Windows sets the default risk level to moderate. +- If you disable this policy setting, Windows sets the default risk level to moderate. -If you do not configure this policy setting, Windows sets the default risk level to moderate. +- If you do not configure this policy setting, Windows sets the default risk level to moderate. @@ -141,7 +139,7 @@ If you do not configure this policy setting, Windows sets the default risk level > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -180,11 +178,11 @@ If you do not configure this policy setting, Windows sets the default risk level This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can create a custom list of high-risk file types. +- If you enable this policy setting, you can create a custom list of high-risk file types. -If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. +- If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk. -If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. +- If you do not configure this policy setting, Windows uses its built-in list of high-risk file types. @@ -202,7 +200,7 @@ If you do not configure this policy setting, Windows uses its built-in list of h > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -241,11 +239,11 @@ If you do not configure this policy setting, Windows uses its built-in list of h This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can specify file types that pose a low risk. +- If you enable this policy setting, you can specify file types that pose a low risk. -If you disable this policy setting, Windows uses its default trust logic. +- If you disable this policy setting, Windows uses its default trust logic. -If you do not configure this policy setting, Windows uses its default trust logic. +- If you do not configure this policy setting, Windows uses its default trust logic. @@ -263,7 +261,7 @@ If you do not configure this policy setting, Windows uses its default trust logi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -302,11 +300,11 @@ If you do not configure this policy setting, Windows uses its default trust logi This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list). -If you enable this policy setting, you can specify file types which pose a moderate risk. +- If you enable this policy setting, you can specify file types which pose a moderate risk. -If you disable this policy setting, Windows uses its default trust logic. +- If you disable this policy setting, Windows uses its default trust logic. -If you do not configure this policy setting, Windows uses its default trust logic. +- If you do not configure this policy setting, Windows uses its default trust logic. @@ -324,7 +322,7 @@ If you do not configure this policy setting, Windows uses its default trust logi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 92935c8022..8e82cda5ea 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -1,10 +1,10 @@ --- title: ADMX_AuditSettings Policy CSP -description: Learn more about the ADMX_AuditSettings Area in Policy CSP +description: Learn more about the ADMX_AuditSettings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_AuditSettings > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,15 @@ ms.topic: reference This policy setting determines what information is logged in security audit events when a new process has been created. -This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. +This setting only applies when the Audit Process Creation policy is enabled. +- If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. -If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. +- If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. Default: Not configured -Note: When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data. +> [!NOTE] +> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data. @@ -70,7 +70,7 @@ Note: When this policy setting is enabled, any user with access to read the secu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 95a1a7793a..53f320034a 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -1,10 +1,10 @@ --- title: ADMX_Bits Policy CSP -description: Learn more about the ADMX_Bits Area in Policy CSP +description: Learn more about the ADMX_Bits Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Bits > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. -If you enable this policy setting, the BITS client does not use Windows Branch Cache. +- If you enable this policy setting, the BITS client does not use Windows Branch Cache. -If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. +- If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. -Note: This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. +> [!NOTE] +> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. @@ -68,7 +67,7 @@ Note: This policy setting does not affect the use of Windows Branch Cache by app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,11 +107,12 @@ Note: This policy setting does not affect the use of Windows Branch Cache by app This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). -If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. +- If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. -If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. +- If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. -Note: This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. +> [!NOTE] +> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. @@ -130,7 +130,7 @@ Note: This policy setting has no effect if the "Allow BITS peer caching" policy > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -170,11 +170,12 @@ Note: This policy setting has no effect if the "Allow BITS peer caching" policy This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). -If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. +- If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. -If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. +- If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. -Note: This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. +> [!NOTE] +> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. @@ -192,7 +193,7 @@ Note: This setting has no effect if the "Allow BITS peer caching" setting is dis > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -234,9 +235,9 @@ This policy setting determines if the Background Intelligent Transfer Service (B If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. -If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. +- If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. -If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. +- If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. @@ -254,7 +255,7 @@ If you disable or do not configure this policy setting, the BITS peer caching fe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -296,11 +297,12 @@ This policy setting limits the network bandwidth that BITS uses for peer cache t To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. -If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. +- If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. -If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. +- If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. -Note: This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. +> [!NOTE] +> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. @@ -318,7 +320,7 @@ Note: This setting has no effect if the "Allow BITS peer caching" policy setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -357,13 +359,14 @@ Note: This setting has no effect if the "Allow BITS peer caching" policy setting This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. -If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. +- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. -You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. +You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule. -If you disable or do not configure this policy setting, the limits defined for work or nonwork schedules will be used. +- If you disable or do not configure this policy setting, the limits defined for work or nonwork schedules will be used. -Note: The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. +> [!NOTE] +> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. @@ -381,7 +384,7 @@ Note: The bandwidth limits that are set for the maintenance period supersede any > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -421,11 +424,11 @@ Note: The bandwidth limits that are set for the maintenance period supersede any This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and nonwork days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. -If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. +- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. -You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. +You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours. -If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. @@ -443,7 +446,7 @@ If you disable or do not configure this policy setting, BITS uses all available > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -483,11 +486,12 @@ If you disable or do not configure this policy setting, BITS uses all available This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. -If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. +- If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. -If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. +- If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. -Note: This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. +> [!NOTE] +> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. @@ -505,7 +509,7 @@ Note: This policy setting has no effect if the "Allow BITS peer caching" setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -544,11 +548,12 @@ Note: This policy setting has no effect if the "Allow BITS peer caching" setting This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. -If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. +- If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. -If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. +- If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. -Note: This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. +> [!NOTE] +> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. @@ -566,7 +571,7 @@ Note: This policy setting has no effect if the "Allow BITS Peercaching" policy s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -609,9 +614,9 @@ The time limit applies only to the time that BITS is actively downloading files. By default BITS uses a maximum download time of 90 days (7,776,000 seconds). -If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. +- If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. -If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. +- If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. @@ -629,7 +634,7 @@ If you disable or do not configure this policy setting, the default value of 90 > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -668,11 +673,12 @@ If you disable or do not configure this policy setting, the default value of 90 This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. -If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. -If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. +- If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. -Note: BITS Jobs created by services and the local administrator account do not count toward this limit. +> [!NOTE] +> BITS Jobs created by services and the local administrator account do not count toward this limit. @@ -690,7 +696,7 @@ Note: BITS Jobs created by services and the local administrator account do not c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -729,11 +735,12 @@ Note: BITS Jobs created by services and the local administrator account do not c This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. -If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. -If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. +- If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. -Note: BITS jobs created by services and the local administrator account do not count toward this limit. +> [!NOTE] +> BITS jobs created by services and the local administrator account do not count toward this limit. @@ -751,7 +758,7 @@ Note: BITS jobs created by services and the local administrator account do not c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -790,11 +797,12 @@ Note: BITS jobs created by services and the local administrator account do not c This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. -If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. -If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. +- If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. -Note: This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. +> [!NOTE] +> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. @@ -812,7 +820,7 @@ Note: This limit must be lower than the setting specified in the "Maximum number > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -851,11 +859,12 @@ Note: This limit must be lower than the setting specified in the "Maximum number This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. -If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. +- If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. -If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. +- If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. -Note: BITS Jobs created by services and the local administrator account do not count toward this limit. +> [!NOTE] +> BITS Jobs created by services and the local administrator account do not count toward this limit. @@ -873,7 +882,7 @@ Note: BITS Jobs created by services and the local administrator account do not c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 0ac3866b6f..6c2d52f8d1 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -1,10 +1,10 @@ --- title: ADMX_CipherSuiteOrder Policy CSP -description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP +description: Learn more about the ADMX_CipherSuiteOrder Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_CipherSuiteOrder > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). -If you enable this policy setting, SSL cipher suites are prioritized in the order specified. +- If you enable this policy setting, SSL cipher suites are prioritized in the order specified. -If you disable or do not configure this policy setting, default cipher suite order is used. +- If you disable or do not configure this policy setting, default cipher suite order is used. Link for all the cipherSuites: @@ -68,7 +66,7 @@ Link for all the cipherSuites: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -107,9 +105,9 @@ Link for all the cipherSuites: This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. -If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) +- If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) -If you disable or do not configure this policy setting, the default ECC curve order is used. +- If you disable or do not configure this policy setting, the default ECC curve order is used. Default Curve Order @@ -137,7 +135,7 @@ CertUtil.exe -DisplayEccCurve > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 8b8b45a109..3ee1a98a1d 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -1,10 +1,10 @@ --- title: ADMX_COM Policy CSP -description: Learn more about the ADMX_COM Area in Policy CSP +description: Learn more about the ADMX_COM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_COM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,70 +25,6 @@ ms.topic: reference - -## AppMgmt_COM_SearchForCLSID_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_COM/AppMgmt_COM_SearchForCLSID_2 -``` - - - - -This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. - -Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. - -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. - -If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AppMgmt_COM_SearchForCLSID | -| Friendly Name | Download missing COM components | -| Location | Computer Configuration | -| Path | System | -| Registry Key Name | Software\Policies\Microsoft\Windows\App Management | -| Registry Value Name | COMClassStore | -| ADMX File Name | COM.admx | - - - - - - - - ## AppMgmt_COM_SearchForCLSID_1 @@ -112,9 +46,9 @@ This policy setting directs the system to search Active Directory for missing Co Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. -If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. +- If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. -If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. +- If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -134,13 +68,13 @@ This setting appears in the Computer Configuration and User Configuration folder > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AppMgmt_COM_SearchForCLSID | +| Name | AppMgmt_COM_SearchForCLSID_1 | | Friendly Name | Download missing COM components | | Location | User Configuration | | Path | System | @@ -155,6 +89,70 @@ This setting appears in the Computer Configuration and User Configuration folder + +## AppMgmt_COM_SearchForCLSID_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_COM/AppMgmt_COM_SearchForCLSID_2 +``` + + + + +This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. + +Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components. + +- If you enable this policy setting and a component registration is missing, the system searches for it in Active Directory and, if it is found, downloads it. The resulting searches might make some programs start or run slowly. + +- If you disable or do not configure this policy setting, the program continues without the registration. As a result, the program might not perform all its functions, or it might stop. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AppMgmt_COM_SearchForCLSID_2 | +| Friendly Name | Download missing COM components | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\App Management | +| Registry Value Name | COMClassStore | +| ADMX File Name | COM.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 25cd051506..4a3df26d6e 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -1,10 +1,10 @@ --- title: ADMX_ControlPanel Policy CSP -description: Learn more about the ADMX_ControlPanel Area in Policy CSP +description: Learn more about the ADMX_ControlPanel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ControlPanel > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,17 +44,20 @@ ms.topic: reference This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. -If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. +- If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen. -To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. +To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. -Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. -Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. +> [!NOTE] +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. @@ -74,7 +75,7 @@ Note: To hide pages in the System Settings app, use the "Settings Page Visibilit > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -114,12 +115,13 @@ Note: To hide pages in the System Settings app, use the "Settings Page Visibilit This policy setting controls the default Control Panel view, whether by category or icons. -If this policy setting is enabled, the Control Panel opens to the icon view. +- If this policy setting is enabled, the Control Panel opens to the icon view. -If this policy setting is disabled, the Control Panel opens to the category view. +- If this policy setting is disabled, the Control Panel opens to the category view. -If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. -Note: Icon size is dependent upon what the user has set it to in the previous session. +- If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session. +> [!NOTE] +> Icon size is dependent upon what the user has set it to in the previous session. @@ -137,7 +139,7 @@ Note: Icon size is dependent upon what the user has set it to in the previous se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -207,7 +209,7 @@ If users try to select a Control Panel item from the Properties item on a contex > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -247,15 +249,18 @@ If users try to select a Control Panel item from the Properties item on a contex This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings. -To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization. +To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization. -Note: For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". +> [!NOTE] +> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored. -Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. +> [!NOTE] +> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. -Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. +> [!NOTE] +> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration. @@ -273,7 +278,7 @@ Note: To hide pages in the System Settings app, use the "Settings Page Visibilit > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 013ba7d794..314b420ed6 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -1,10 +1,10 @@ --- title: ADMX_ControlPanelDisplay Policy CSP -description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP +description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ControlPanelDisplay > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,434 +25,6 @@ ms.topic: reference - -## CPL_Personalization_ForceDefaultLockScreen - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen -``` - - - - -This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. - -This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). - -To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as \\Server\Share\Corp.jpg. - -This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. - -Note: This setting only applies to Enterprise, Education, and Server SKUs. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_ForceDefaultLockScreen | -| Friendly Name | Force a specific default lock screen and logon image | -| Location | Computer Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - - -## CPL_Personalization_NoChangingLockScreen - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen -``` - - - - -Prevents users from changing the background image shown when the machine is locked or when on the logon screen. - -By default, users can change the background image shown when the machine is locked or displaying the logon screen. - -If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_NoChangingLockScreen | -| Friendly Name | Prevent changing lock screen and logon image | -| Location | Computer Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| Registry Value Name | NoChangingLockScreen | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - - -## CPL_Personalization_NoChangingStartMenuBackground - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground -``` - - - - -Prevents users from changing the look of their start menu background, such as its color or accent. - -By default, users can change the look of their start menu background, such as its color or accent. - -If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. - -If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. - -If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_NoChangingStartMenuBackground | -| Friendly Name | Prevent changing start menu background | -| Location | Computer Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| Registry Value Name | NoChangingStartMenuBackground | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - - -## CPL_Personalization_NoLockScreen - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen -``` - - - - -This policy setting controls whether the lock screen appears for users. - -If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. - -If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_NoLockScreen | -| Friendly Name | Do not display the lock screen | -| Location | Computer Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| Registry Value Name | NoLockScreen | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - - -## CPL_Personalization_PersonalColors - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors -``` - - - - -Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. - -By default, users can change the background and accent colors. - -If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_PersonalColors | -| Friendly Name | Force a specific background and accent color | -| Location | Computer Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - - -## CPL_Personalization_SetTheme - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme -``` - - - - -Specifies which theme file is applied to the computer the first time a user logs on. - -If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. - -If you disable or do not configure this setting, the default theme will be applied at the first logon. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_SetTheme | -| Friendly Name | Load a specific theme | -| Location | User Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - - -## CPL_Personalization_StartBackground - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground -``` - - - - -Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. - -If this setting is set to zero or not configured, then Start uses the default background, and users can change it. - -If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CPL_Personalization_StartBackground | -| Friendly Name | Force a specific Start background | -| Location | Computer Configuration | -| Path | Control Panel > Personalization | -| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | -| ADMX File Name | ControlPanelDisplay.admx | - - - - - - - - ## CPL_Display_Disable @@ -474,7 +44,7 @@ If this setting is set to a nonzero value, then Start uses the specified backgro Disables the Display Control Panel. -If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. +- If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings. @@ -494,7 +64,7 @@ Also, see the "Prohibit access to the Control Panel" (User Configuration\Adminis > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -552,7 +122,7 @@ This setting prevents users from using Control Panel to add, configure, or chang > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -592,9 +162,9 @@ This setting prevents users from using Control Panel to add, configure, or chang This setting forces the theme color scheme to be the default color scheme. -If you enable this setting, a user cannot change the color scheme of the current desktop theme. +- If you enable this setting, a user cannot change the color scheme of the current desktop theme. -If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. +- If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme. For Windows 7 and later, use the "Prevent changing color and appearance" setting. @@ -614,7 +184,7 @@ For Windows 7 and later, use the "Prevent changing color and appearance" setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -654,11 +224,12 @@ For Windows 7 and later, use the "Prevent changing color and appearance" setting This setting disables the theme gallery in the Personalization Control Panel. -If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). +- If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off). -If you disable or do not configure this setting, there is no effect. +- If you disable or do not configure this setting, there is no effect. -Note: If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. +> [!NOTE] +> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default. @@ -676,7 +247,7 @@ Note: If you enable this setting but do not specify a theme using the "load a sp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -736,7 +307,7 @@ When enabled on Windows XP and later systems, this setting prevents users and ap > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -776,7 +347,7 @@ When enabled on Windows XP and later systems, this setting prevents users and ap Enables desktop screen savers. -If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. +- If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. If you do not configure it, this setting has no effect on the system. @@ -800,7 +371,7 @@ Also, see the "Prevent changing Screen Saver" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -821,6 +392,70 @@ Also, see the "Prevent changing Screen Saver" setting. + +## CPL_Personalization_ForceDefaultLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen +``` + + + + +This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens. + +This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image). + +To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as \\Server\Share\Corp.jpg. + +This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown. + +> [!NOTE] +> This setting only applies to Enterprise, Education, and Server SKUs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_ForceDefaultLockScreen | +| Friendly Name | Force a specific default lock screen and logon image | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + ## CPL_Personalization_LockFontSize @@ -840,9 +475,9 @@ Also, see the "Prevent changing Screen Saver" setting. Prevents users from changing the size of the font in the windows and buttons displayed on their screens. -If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. +- If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. -If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. +- If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab. @@ -860,7 +495,7 @@ If you disable or do not configure this setting, a user may change the font size > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -881,6 +516,130 @@ If you disable or do not configure this setting, a user may change the font size + +## CPL_Personalization_NoChangingLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen +``` + + + + +Prevents users from changing the background image shown when the machine is locked or when on the logon screen. + +By default, users can change the background image shown when the machine is locked or displaying the logon screen. + +- If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoChangingLockScreen | +| Friendly Name | Prevent changing lock screen and logon image | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingLockScreen | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + + +## CPL_Personalization_NoChangingStartMenuBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground +``` + + + + +Prevents users from changing the look of their start menu background, such as its color or accent. + +By default, users can change the look of their start menu background, such as its color or accent. + +- If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them. + +If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy. + +If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoChangingStartMenuBackground | +| Friendly Name | Prevent changing start menu background | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoChangingStartMenuBackground | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + ## CPL_Personalization_NoColorAppearanceUI @@ -902,7 +661,7 @@ Disables the Color (or Window Color) page in the Personalization Control Panel, This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows. -If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. +- If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel. For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel. @@ -922,7 +681,7 @@ For systems prior to Windows Vista, this setting hides the Appearance and Themes > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -964,11 +723,12 @@ Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. -If you enable this setting, none of the Desktop Background settings can be changed by the user. +- If you enable this setting, none of the Desktop Background settings can be changed by the user. To specify wallpaper for a group, use the "Desktop Wallpaper" setting. -Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. +> [!NOTE] +> You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information. Also, see the "Allow only bitmapped wallpaper" setting. @@ -988,7 +748,7 @@ Also, see the "Allow only bitmapped wallpaper" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1030,7 +790,7 @@ Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. -If you enable this setting, none of the desktop icons can be changed by the user. +- If you enable this setting, none of the desktop icons can be changed by the user. For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel. @@ -1050,7 +810,7 @@ For systems prior to Windows Vista, this setting also hides the Desktop tab in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1071,6 +831,66 @@ For systems prior to Windows Vista, this setting also hides the Desktop tab in t + +## CPL_Personalization_NoLockScreen + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen +``` + + + + +This policy setting controls whether the lock screen appears for users. + +- If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. + +- If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_NoLockScreen | +| Friendly Name | Do not display the lock screen | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| Registry Value Name | NoLockScreen | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + ## CPL_Personalization_NoMousePointersUI @@ -1092,7 +912,7 @@ Prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. -If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. +- If you enable this setting, none of the mouse pointer scheme settings can be changed by the user. @@ -1110,7 +930,7 @@ If you enable this setting, none of the mouse pointer scheme settings can be cha > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1168,7 +988,7 @@ This setting prevents users from using Control Panel to add, configure, or chang > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1210,7 +1030,7 @@ Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. -If you enable this setting, none of the Sound Scheme settings can be changed by the user. +- If you enable this setting, none of the Sound Scheme settings can be changed by the user. @@ -1228,7 +1048,7 @@ If you enable this setting, none of the Sound Scheme settings can be changed by > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1249,6 +1069,65 @@ If you enable this setting, none of the Sound Scheme settings can be changed by + +## CPL_Personalization_PersonalColors + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors +``` + + + + +Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. + +By default, users can change the background and accent colors. + +- If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_PersonalColors | +| Friendly Name | Force a specific background and accent color | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + ## CPL_Personalization_ScreenSaverIsSecure @@ -1268,15 +1147,17 @@ If you enable this setting, none of the Sound Scheme settings can be changed by Determines whether screen savers used on the computer are password protected. -If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver. +- If you enable this setting, all screen savers are password protected. +- If you disable this setting, password protection cannot be set on any screen saver. This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting. -If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. +- If you do not configure this setting, users can choose whether or not to set password protection on each screen saver. To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting. -Note: To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. +> [!NOTE] +> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting. @@ -1294,7 +1175,7 @@ Note: To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1364,7 +1245,7 @@ When not configured, whatever wait time is set on the client through the Screen > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1403,15 +1284,16 @@ When not configured, whatever wait time is set on the client through the Screen Specifies the screen saver for the user's desktop. -If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. +- If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver. -If you disable this setting or do not configure it, users can select any screen saver. +- If you disable this setting or do not configure it, users can select any screen saver. -If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. +- If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file. If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored. -Note: This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. +> [!NOTE] +> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run. @@ -1429,7 +1311,7 @@ Note: This setting can be superseded by the "Enable Screen Saver" setting. If th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1449,6 +1331,69 @@ Note: This setting can be superseded by the "Enable Screen Saver" setting. If th + +## CPL_Personalization_SetTheme + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme +``` + + + + +Specifies which theme file is applied to the computer the first time a user logs on. + +- If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon. + +- If you disable or do not configure this setting, the default theme will be applied at the first logon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_SetTheme | +| Friendly Name | Load a specific theme | +| Location | User Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + ## CPL_Personalization_SetVisualStyle @@ -1470,15 +1415,18 @@ This setting allows you to force a specific visual style file by entering the pa This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles). -If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. +- If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes. -If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). +- If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available). -Note: If this setting is enabled and the file is not available at user logon, the default visual style is loaded. +> [!NOTE] +> If this setting is enabled and the file is not available at user logon, the default visual style is loaded. -Note: When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles +> [!NOTE] +> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles -Note: To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. +> [!NOTE] +> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style. @@ -1496,7 +1444,7 @@ Note: To select the Windows Classic visual style, leave the box blank beside "Pa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1516,6 +1464,65 @@ Note: To select the Windows Classic visual style, leave the box blank beside "Pa + +## CPL_Personalization_StartBackground + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground +``` + + + + +Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. + +If this setting is set to zero or not configured, then Start uses the default background, and users can change it. + +If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CPL_Personalization_StartBackground | +| Friendly Name | Force a specific Start background | +| Location | Computer Configuration | +| Path | Control Panel > Personalization | +| Registry Key Name | Software\Policies\Microsoft\Windows\Personalization | +| ADMX File Name | ControlPanelDisplay.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index d47c331118..7f08bf470b 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,10 +1,10 @@ --- title: ADMX_Cpls Policy CSP -description: Learn more about the ADMX_Cpls Area in Policy CSP +description: Learn more about the ADMX_Cpls Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Cpls > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. -Note: The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. +> [!NOTE] +> The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. -If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. +- If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. -If you disable or do not configure this policy setting, users will be able to customize their account pictures. +- If you disable or do not configure this policy setting, users will be able to customize their account pictures. @@ -68,7 +67,7 @@ If you disable or do not configure this policy setting, users will be able to cu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 8d3b09714a..9ded8c68b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,10 +1,10 @@ --- title: ADMX_CredentialProviders Policy CSP -description: Learn more about the ADMX_CredentialProviders Area in Policy CSP +description: Learn more about the ADMX_CredentialProviders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_CredentialProviders > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,13 @@ ms.topic: reference This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off. -If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. +- If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. -If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. +- If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. -If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. +- If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off. -If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. +- If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose. @@ -70,7 +68,7 @@ If you don't configure this policy setting on a workgroup device, a user on a Co > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,11 +108,12 @@ If you don't configure this policy setting on a workgroup device, a user on a Co This policy setting allows the administrator to assign a specified credential provider as the default credential provider. -If you enable this policy setting, the specified credential provider is selected on other user tile. +- If you enable this policy setting, the specified credential provider is selected on other user tile. -If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. +- If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. -Note: A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. +> [!NOTE] +> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. @@ -132,7 +131,7 @@ Note: A list of registered credential providers and their GUIDs can be found in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -172,18 +171,18 @@ Note: A list of registered credential providers and their GUIDs can be found in This policy setting allows the administrator to exclude the specified credential providers from use during authentication. -Note: credential providers are used to process and validate user +**Note** credential providers are used to process and validate user credentials during logon or when authentication is required. -Windows Vista provides two default credential providers: +Windows Vista provides two default credential providers Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication). -If you enable this policy, an administrator can specify the CLSIDs +- If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes. -If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. +- If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes. @@ -201,7 +200,7 @@ If you disable or do not configure this policy, all installed and otherwise enab > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 80c055cf2d..6af877c393 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,10 +1,10 @@ --- title: ADMX_CredSsp Policy CSP -description: Learn more about the ADMX_CredSsp Area in Policy CSP +description: Learn more about the ADMX_CredSsp Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_CredSsp > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,7 +46,7 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). +- If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). The policy becomes effective the next time the user signs on to a computer running Windows. @@ -57,7 +55,8 @@ If you disable or do not configure (by default) this policy setting, delegation FWlink for KB: -Note: The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -80,7 +79,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -122,11 +121,12 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). +- If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. -Note: The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -149,7 +149,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -189,21 +189,19 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all Encryption Oracle Remediation -This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). +This policy setting applies to applications using the CredSSP component (for example Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. -If you enable this policy setting, CredSSP version support will be selected based on the following options: +- If you enable this policy setting, CredSSP version support will be selected based on the following options -Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. +Force Updated Clients Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. **Note** this setting should not be deployed until all remote hosts support the newest version. -**Note**: this setting should not be deployed until all remote hosts support the newest version. +Mitigated Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. -Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. +Vulnerable Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. -Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. - -For more information about the vulnerability and servicing requirements for protection, see +For more information about the vulnerability and servicing requirements for protection, see @@ -221,7 +219,7 @@ For more information about the vulnerability and servicing requirements for prot > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -262,13 +260,14 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). +- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. +- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. -Note: The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. +> [!NOTE] +> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com @@ -292,7 +291,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -334,13 +333,14 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). +- If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. +- If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. -Note: The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -363,7 +363,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -405,13 +405,14 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). +- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). -If you disable this policy setting, delegation of saved credentials is not permitted to any machine. +- If you disable this policy setting, delegation of saved credentials is not permitted to any machine. -Note: The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -434,7 +435,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -476,13 +477,14 @@ This policy setting applies to applications using the Cred SSP component (for ex This policy setting applies when server authentication was achieved via NTLM. -If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). +- If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. -If you disable this policy setting, delegation of saved credentials is not permitted to any machine. +- If you disable this policy setting, delegation of saved credentials is not permitted to any machine. -Note: The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -505,7 +507,7 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -545,11 +547,12 @@ TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). +- If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. -Note: The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -574,7 +577,7 @@ This policy setting can be used in combination with the "Allow delegating defaul > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -614,11 +617,12 @@ This policy setting can be used in combination with the "Allow delegating defaul This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). +- If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. -Note: The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -643,7 +647,7 @@ This policy setting can be used in combination with the "Allow delegating fresh > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -683,11 +687,12 @@ This policy setting can be used in combination with the "Allow delegating fresh This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). -If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). +- If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. -Note: The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> [!NOTE] +> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. For Example: TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine @@ -712,7 +717,7 @@ This policy setting can be used in combination with the "Allow delegating saved > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -755,7 +760,7 @@ When running in Restricted Admin or Remote Credential Guard mode, participating Participating apps: Remote Desktop Client -If you enable this policy setting, the following options are supported: +- If you enable this policy setting, the following options are supported: Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. @@ -763,11 +768,13 @@ Require Remote Credential Guard: Participating applications must use Remote Cred Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. -If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. +- If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. -Note: To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). +> [!NOTE] +> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). -Note: On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. +> [!NOTE] +> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. @@ -785,7 +792,7 @@ Note: On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enfor > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index 63b8ff4f26..dfe52973d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -1,10 +1,10 @@ --- title: ADMX_CredUI Policy CSP -description: Learn more about the ADMX_CredUI Area in Policy CSP +description: Learn more about the ADMX_CredUI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_CredUI > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,13 +42,14 @@ ms.topic: reference -This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. +This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials. -Note: This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. +> [!NOTE] +> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. -If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. +- If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. -If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials. +- If you disable or do not configure this policy setting, users will enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials. @@ -68,7 +67,7 @@ If you disable or do not configure this policy setting, users will enter Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,7 +105,7 @@ If you disable or do not configure this policy setting, users will enter Windows -If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. +If you turn this policy setting on, local users won't be able to set up and use security questions to reset their passwords. @@ -124,7 +123,7 @@ If you turn this policy setting on, local users won’t be able to set up and us > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index e081be4028..16b4681320 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,10 +1,10 @@ --- title: ADMX_CtrlAltDel Policy CSP -description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP +description: Learn more about the ADMX_CtrlAltDel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_CtrlAltDel > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting prevents users from changing their Windows password on demand. -If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. +- If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. @@ -66,7 +64,7 @@ However, users are still able to change their password when prompted by the syst > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,11 +106,12 @@ This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. -If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del. +- If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del. -If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. +- If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del. -Tip:To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. +> [!TIP] +> To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer. @@ -130,7 +129,7 @@ Tip:To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -172,9 +171,9 @@ This policy setting prevents users from starting Task Manager. Task Manager (taskmgr.exe) lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable names of programs; and change the priority of the process in which programs run. -If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. +- If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action. -If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. +- If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run. @@ -192,7 +191,7 @@ If you disable or do not configure this policy setting, users can access Task Ma > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -232,11 +231,11 @@ If you disable or do not configure this policy setting, users can access Task Ma This policy setting disables or removes all menu items and buttons that log the user off the system. -If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. +- If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. -If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. +- If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. @@ -254,7 +253,7 @@ If you disable or do not configure this policy setting, users can see and select > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 5da89c9cb7..d4ca4a3c81 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,10 +1,10 @@ --- title: ADMX_DataCollection Policy CSP -description: Learn more about the ADMX_DataCollection Area in Policy CSP +description: Learn more about the ADMX_DataCollection Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DataCollection > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,9 +42,9 @@ ms.topic: reference -This policy setting defines the identifier used to uniquely associate this device’s diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. +This policy setting defines the identifier used to uniquely associate this device's diagnostic data data as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. -If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization. +- If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data data with your organization. @@ -64,13 +62,13 @@ If you disable or do not configure this policy setting, then Microsoft will not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CommercialId | +| Name | CommercialIdPolicy | | Friendly Name | Configure the Commercial ID | | Location | Computer Configuration | | Path | WindowsComponents > Data Collection and Preview Builds | diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 23d4e853cd..61fe97ffea 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,10 +1,10 @@ --- title: ADMX_DCOM Policy CSP -description: Learn more about the ADMX_DCOM Area in Policy CSP +description: Learn more about the ADMX_DCOM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DCOM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. -If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled), DCOM will look for an entry in the locally configured list. +- If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled), DCOM will look for an entry in the locally configured list. -If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. +- If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. -If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured. +- If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured. @@ -69,7 +67,7 @@ If you do not configure this policy setting, DCOM will only look in the locally > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -111,13 +109,13 @@ Allows you to view and change a list of DCOM server application ids (appids) whi DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking for errors. -If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. +- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. -If you disable this policy setting, the appid exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. +- If you disable this policy setting, the appid exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. -If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used. +- If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used. -Notes: +**Note**: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. @@ -142,7 +140,7 @@ DCOM servers added to this exemption list are only exempted if their custom laun > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index fdb4402be8..69fb32dabf 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,10 +1,10 @@ --- title: ADMX_Desktop Policy CSP -description: Learn more about the ADMX_Desktop Area in Policy CSP +description: Learn more about the ADMX_Desktop Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Desktop > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,70 +25,6 @@ ms.topic: reference - -## NoDesktop - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop -``` - - - - -Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. - -Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. - -Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoDesktop | -| Friendly Name | Hide and disable all items on the desktop | -| Location | Computer and User Configuration | -| Path | Desktop | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoDesktop | -| ADMX File Name | Desktop.admx | - - - - - - - - ## AD_EnableFilter @@ -110,9 +44,9 @@ Also, see "Items displayed in Places Bar" in User Configuration\Administrative T Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. -If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. +- If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. -If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. +- If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. @@ -132,7 +66,7 @@ To see the filter bar, open Network Locations, click Entire Network, and then cl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -174,9 +108,9 @@ Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. -If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. +- If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. -If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. +- If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. @@ -196,7 +130,7 @@ This setting is designed to let users search Active Directory but not tempt them > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -236,9 +170,9 @@ This setting is designed to let users search Active Directory but not tempt them Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. -If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. +- If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. -If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. +- If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. This setting is designed to protect the network and the domain controller from the effect of expansive searches. @@ -258,7 +192,7 @@ This setting is designed to protect the network and the domain controller from t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -299,9 +233,10 @@ Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. +- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. -Note: If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. @@ -319,7 +254,7 @@ Note: If both the "Enable Active Desktop" setting and the "Disable Active Deskto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -361,9 +296,10 @@ Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. -If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. +- If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. -Note: If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. @@ -381,7 +317,7 @@ Note: If both the "Enable Active Desktop" setting and the "Disable Active Deskto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -439,7 +375,7 @@ This is a comprehensive setting that locks down the configuration you establish > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -460,6 +396,70 @@ This is a comprehensive setting that locks down the configuration you establish + +## NoDesktop + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Desktop/NoDesktop +``` + + + + +Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. + +Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. + +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoDesktop | +| Friendly Name | Hide and disable all items on the desktop | +| Location | Computer and User Configuration | +| Path | Desktop | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDesktop | +| ADMX File Name | Desktop.admx | + + + + + + + + ## NoDesktopCleanupWizard @@ -479,11 +479,12 @@ This is a comprehensive setting that locks down the configuration you establish Prevents users from using the Desktop Cleanup Wizard. -If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. +- If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. -If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. +- If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. -Note: When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. +> [!NOTE] +> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. @@ -501,7 +502,7 @@ Note: When this setting is not enabled, users can run the Desktop Cleanup Wizard > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -559,7 +560,7 @@ This setting does not prevent the user from starting Internet Explorer by using > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -599,13 +600,14 @@ This setting does not prevent the user from starting Internet Explorer by using This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. -If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. +- If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. -If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. +- If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. -If you do not configure this setting, the default is to display Computer as usual. +- If you do not configure this setting, the default is to display Computer as usual. -Note: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. @@ -623,7 +625,7 @@ Note: In operating systems earlier than Microsoft Windows Vista, this policy app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -669,7 +671,8 @@ This setting does not prevent the user from using other methods to gain access t This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. -Note: To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. +> [!NOTE] +> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. @@ -687,7 +690,7 @@ Note: To make changes to this setting effective, you must log off from and log b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -729,7 +732,8 @@ Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. -Note: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. @@ -747,7 +751,7 @@ Note: In operating systems earlier than Microsoft Windows Vista, this policy app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -787,9 +791,9 @@ Note: In operating systems earlier than Microsoft Windows Vista, this policy app This setting hides Properties on the context menu for Computer. -If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. +- If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. -If you disable or do not configure this setting, the Properties option is displayed as usual. +- If you disable or do not configure this setting, the Properties option is displayed as usual. @@ -807,7 +811,7 @@ If you disable or do not configure this setting, the Properties option is displa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -847,13 +851,13 @@ If you disable or do not configure this setting, the Properties option is displa This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. -If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: +- If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: Right-clicks the My Documents icon. Clicks the My Documents icon, and then opens the File menu. Clicks the My Documents icon, and then presses ALT+ENTER. -If you disable or do not configure this policy setting, the Properties menu command is displayed. +- If you disable or do not configure this policy setting, the Properties menu command is displayed. @@ -871,7 +875,7 @@ If you disable or do not configure this policy setting, the Properties menu comm > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -911,9 +915,9 @@ If you disable or do not configure this policy setting, the Properties menu comm Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. -If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. +- If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. -If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. +- If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. @@ -931,7 +935,7 @@ If you enable this setting, shared folders are not added to Network Locations au > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -975,7 +979,8 @@ This setting removes the Recycle Bin icon from the desktop, from File Explorer, This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. -Note: To make changes to this setting effective, you must log off and then log back on. +> [!NOTE] +> To make changes to this setting effective, you must log off and then log back on. @@ -993,7 +998,7 @@ Note: To make changes to this setting effective, you must log off and then log b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1033,9 +1038,9 @@ Note: To make changes to this setting effective, you must log off and then log b Removes the Properties option from the Recycle Bin context menu. -If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. +- If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. -If you disable or do not configure this setting, the Properties option is displayed as usual. +- If you disable or do not configure this setting, the Properties option is displayed as usual. @@ -1053,7 +1058,7 @@ If you disable or do not configure this setting, the Properties option is displa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1093,7 +1098,7 @@ If you disable or do not configure this setting, the Properties option is displa Prevents users from saving certain changes to the desktop. -If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. +- If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. @@ -1111,7 +1116,7 @@ If you enable this setting, users can change the desktop, but some changes, such > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1151,9 +1156,9 @@ If you enable this setting, users can change the desktop, but some changes, such Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. -If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. +- If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. -If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. +- If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. @@ -1171,7 +1176,7 @@ If you disable or do not configure this policy, this window minimizing and resto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1215,9 +1220,11 @@ You can use the "Add" box in this setting to add particular Web-based items or s You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. -Note: Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. +> [!NOTE] +> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. -Note: For this setting to take affect, you must log off and log on to the system. +> [!NOTE] +> For this setting to take affect, you must log off and log on to the system. @@ -1235,7 +1242,7 @@ Note: For this setting to take affect, you must log off and log on to the system > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1294,7 +1301,7 @@ Also, see the "Disable all items" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1336,9 +1343,10 @@ Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. -If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. +- If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. -Note: This setting does not prevent users from deleting items from their Active Desktop. +> [!NOTE] +> This setting does not prevent users from deleting items from their Active Desktop. @@ -1356,7 +1364,7 @@ Note: This setting does not prevent users from deleting items from their Active > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1418,7 +1426,7 @@ Also, see the "Prohibit closing items" and "Disable all items" settings. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1476,7 +1484,7 @@ This setting disables the Properties button on the Web tab in Display in Control > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1518,7 +1526,8 @@ Removes Active Desktop content and prevents users from adding Active Desktop con This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. -Note: This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. +> [!NOTE] +> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. @@ -1536,7 +1545,7 @@ Note: This setting does not disable Active Desktop. Users can still use image fo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1576,11 +1585,13 @@ Note: This setting does not disable Active Desktop. Users can still use image fo Prevents users from manipulating desktop toolbars. -If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. +- If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. -Note: If users have added or removed toolbars, this setting prevents them from restoring the default configuration. +> [!NOTE] +> If users have added or removed toolbars, this setting prevents them from restoring the default configuration. -Tip: To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." +> [!TIP] +> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." Also, see the "Prohibit adjusting desktop toolbars" setting. @@ -1600,7 +1611,7 @@ Also, see the "Prohibit adjusting desktop toolbars" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1642,7 +1653,8 @@ Prevents users from adjusting the length of desktop toolbars. Also, users cannot This setting does not prevent users from adding or removing toolbars on the desktop. -Note: If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. +> [!NOTE] +> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. @@ -1662,7 +1674,7 @@ Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's tool > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1720,7 +1732,7 @@ Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1764,11 +1776,12 @@ This setting lets you specify the wallpaper on users' desktops and prevents user To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. -If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. +- If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. -Note: This setting does not apply to remote desktop server sessions. +> [!NOTE] +> This setting does not apply to remote desktop server sessions. @@ -1786,7 +1799,7 @@ Note: This setting does not apply to remote desktop server sessions. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index 9527d9ce53..c7ba19f2ce 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,10 +1,10 @@ --- title: ADMX_DeviceCompat Policy CSP -description: Learn more about the ADMX_DeviceCompat Area in Policy CSP +description: Learn more about the ADMX_DeviceCompat Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DeviceCompat > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,7 +60,7 @@ Changes behavior of Microsoft bus drivers to work with specific devices. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -118,7 +116,7 @@ Changes behavior of 3rd-party drivers to work around incompatibilities introduce > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 1a33f9e1e1..35e1379f3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,10 +1,10 @@ --- title: ADMX_DeviceGuard Policy CSP -description: Learn more about the ADMX_DeviceGuard Area in Policy CSP +description: Learn more about the ADMX_DeviceGuard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DeviceGuard > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -75,7 +73,7 @@ If using a signed and protected policy then disabling this policy setting doesn' > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index ef54eb773e..1deaa9fc80 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,10 +1,10 @@ --- title: ADMX_DeviceInstallation Policy CSP -description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP +description: Learn more about the ADMX_DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DeviceInstallation > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,10 @@ ms.topic: reference This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. -If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. +- If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. @@ -66,7 +65,7 @@ If you disable or do not configure this policy setting, members of the Administr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,9 +105,9 @@ If you disable or do not configure this policy setting, members of the Administr This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. -If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. +- If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. -If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. +- If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. @@ -126,7 +125,7 @@ If you disable or do not configure this policy setting, Windows displays a defau > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -165,9 +164,9 @@ If you disable or do not configure this policy setting, Windows displays a defau This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. -If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. +- If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. -If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. +- If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. @@ -185,7 +184,7 @@ If you disable or do not configure this policy setting, Windows displays a defau > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -224,9 +223,9 @@ If you disable or do not configure this policy setting, Windows displays a defau This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. -If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. +- If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. -If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. +- If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. @@ -244,7 +243,7 @@ If you disable or do not configure this policy setting, Windows waits 240 second > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -283,11 +282,12 @@ If you disable or do not configure this policy setting, Windows waits 240 second This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. -If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. +- If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. -If you disable or do not configure this policy setting, the system does not force a reboot. +- If you disable or do not configure this policy setting, the system does not force a reboot. -Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. +> [!NOTE] +> If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. @@ -305,7 +305,7 @@ Note: If no reboot is forced, the device installation restriction right will not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -347,9 +347,10 @@ This policy setting allows you to prevent Windows from installing removable devi NOTE: To enable the "Allow installation of devices using drivers that match these device setup classes", "Allow installation of devices that match any of these device IDs", and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. -If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings. +- If you disable or do not configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings. @@ -367,7 +368,7 @@ If you disable or do not configure this policy setting, Windows can install and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -407,9 +408,9 @@ If you disable or do not configure this policy setting, Windows can install and This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. -If you enable this policy setting, Windows does not create a system restore point when one would normally be created. +- If you enable this policy setting, Windows does not create a system restore point when one would normally be created. -If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. +- If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. @@ -427,7 +428,7 @@ If you disable or do not configure this policy setting, Windows creates a system > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -467,9 +468,9 @@ If you disable or do not configure this policy setting, Windows creates a system This policy setting specifies a list of device setup class GUIDs describing driver packages that non-administrator members of the built-in Users group may install on the system. -If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. +- If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. -If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new driver packages on the system. +- If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new driver packages on the system. @@ -487,7 +488,7 @@ If you disable or do not configure this policy setting, only members of the Admi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index 32b9e76cc9..658452c874 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -1,10 +1,10 @@ --- title: ADMX_DeviceSetup Policy CSP -description: Learn more about the ADMX_DeviceSetup Area in Policy CSP +description: Learn more about the ADMX_DeviceSetup Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DeviceSetup > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to turn off "Found New Hardware" balloons during device installation. -If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. +- If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. -If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. +- If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, "Found New Hardware" bal > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,13 +104,13 @@ If you disable or do not configure this policy setting, "Found New Hardware" bal This policy setting allows you to specify the order in which Windows searches source locations for device drivers. -If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. +- If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. -Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. +**Note** that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. -If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. +- If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, members of the Administr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index f1728146f0..a1bfa5be48 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,10 +1,10 @@ --- title: ADMX_DFS Policy CSP -description: Learn more about the ADMX_DFS Area in Policy CSP +description: Learn more about the ADMX_DFS Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DFS > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes. -If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes. +- If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes. -If you disable or do not configure this policy setting, the default value of 15 minutes applies. +- If you disable or do not configure this policy setting, the default value of 15 minutes applies. -Note: The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. +> [!NOTE] +> The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. @@ -68,7 +67,7 @@ Note: The minimum value you can select is 15 minutes. If you try to set this set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index 751d2e0a19..78e62e2a1a 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,10 +1,10 @@ --- title: ADMX_DigitalLocker Policy CSP -description: Learn more about the ADMX_DigitalLocker Area in Policy CSP +description: Learn more about the ADMX_DigitalLocker Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DigitalLocker > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,68 +25,6 @@ ms.topic: reference - -## Digitalx_DiableApplication_TitleText_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 -``` - - - - -Specifies whether Digital Locker can run. - -Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. - -If you enable this setting, Digital Locker will not run. - -If you disable or do not configure this setting, Digital Locker can be run. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Digitalx_DiableApplication_TitleText | -| Friendly Name | Do not allow Digital Locker to run | -| Location | Computer Configuration | -| Path | Windows Components > Digital Locker | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Digital Locker | -| Registry Value Name | DoNotRunDigitalLocker | -| ADMX File Name | DigitalLocker.admx | - - - - - - - - ## Digitalx_DiableApplication_TitleText_1 @@ -110,9 +46,9 @@ Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. -If you enable this setting, Digital Locker will not run. +- If you enable this setting, Digital Locker will not run. -If you disable or do not configure this setting, Digital Locker can be run. +- If you disable or do not configure this setting, Digital Locker can be run. @@ -130,13 +66,13 @@ If you disable or do not configure this setting, Digital Locker can be run. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Digitalx_DiableApplication_TitleText | +| Name | Digitalx_DiableApplication_TitleText_1 | | Friendly Name | Do not allow Digital Locker to run | | Location | User Configuration | | Path | Windows Components > Digital Locker | @@ -151,6 +87,68 @@ If you disable or do not configure this setting, Digital Locker can be run. + +## Digitalx_DiableApplication_TitleText_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2 +``` + + + + +Specifies whether Digital Locker can run. + +Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker. + +- If you enable this setting, Digital Locker will not run. + +- If you disable or do not configure this setting, Digital Locker can be run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Digitalx_DiableApplication_TitleText_2 | +| Friendly Name | Do not allow Digital Locker to run | +| Location | Computer Configuration | +| Path | Windows Components > Digital Locker | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Digital Locker | +| Registry Value Name | DoNotRunDigitalLocker | +| ADMX File Name | DigitalLocker.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 8855716640..01ef255643 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,10 +1,10 @@ --- title: ADMX_DiskDiagnostic Policy CSP -description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP +description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DiskDiagnostic > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,17 +42,18 @@ ms.topic: reference -This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. +This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault. -If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. +- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. -If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. +- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -Note: For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. @@ -72,7 +71,7 @@ Note: For Windows Server systems, this policy setting applies only if the Deskto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -109,15 +108,15 @@ Note: For Windows Server systems, this policy setting applies only if the Deskto -This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. +This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics. -Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. +Self-Monitoring And Reporting Technology (S. M. A. R. T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur. -If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. +- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss. -If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. +- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken. -If you do not configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. +- If you do not configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -125,7 +124,8 @@ No reboots or service restarts are required for this policy setting to take effe This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. -Note: For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. @@ -143,7 +143,7 @@ Note: For Windows Server systems, this policy setting applies only if the Deskto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 80b531a03c..04aee2cb1f 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,6 +1,6 @@ --- title: ADMX_DiskNVCache Policy CSP -description: Learn more about the ADMX_DiskNVCache Area in Policy CSP +description: Learn more about the ADMX_DiskNVCache Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 0c1693728b..a8d0a1bea1 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,6 +1,6 @@ --- title: ADMX_DiskQuota Policy CSP -description: Learn more about the ADMX_DiskQuota Area in Policy CSP +description: Learn more about the ADMX_DiskQuota Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index 4000ca5105..60915bf0cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,10 +1,10 @@ --- title: ADMX_DistributedLinkTracking Policy CSP -description: Learn more about the ADMX_DistributedLinkTracking Area in Policy CSP +description: Learn more about the ADMX_DistributedLinkTracking Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DistributedLinkTracking > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -63,7 +61,7 @@ Specifies that Distributed Link Tracking clients in this domain may use the Dist > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 088059f1f3..c9dacb52a6 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,10 +1,10 @@ --- title: ADMX_DnsClient Policy CSP -description: Learn more about the ADMX_DnsClient Area in Policy CSP +description: Learn more about the ADMX_DnsClient Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DnsClient > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. -If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names. +- If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names. -If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names. +- If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names. @@ -66,7 +64,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -112,11 +110,11 @@ For example, if attaching suffixes is allowed, an unqualified multi-label name q If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. -If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. +- If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. -If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. +- If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. -If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. +- If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. @@ -134,7 +132,7 @@ If you do not configure this policy setting, computers will use their local DNS > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -176,9 +174,9 @@ Specifies a connection-specific DNS suffix. This policy setting supersedes local To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. -If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. +- If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. @@ -196,7 +194,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -253,9 +251,9 @@ If a DNS suffix search list is not specified, the DNS client attaches the primar For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. -If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. +- If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. -If this policy setting is disabled, or if this policy setting is not configured, DNS clients use the default devolution level of two provided that DNS devolution is enabled. +- If this policy setting is disabled, or if this policy setting is not configured, DNS clients use the default devolution level of two provided that DNS devolution is enabled. @@ -273,7 +271,7 @@ If this policy setting is disabled, or if this policy setting is not configured, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -313,9 +311,9 @@ If this policy setting is disabled, or if this policy setting is not configured, Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. -If this policy setting is enabled, IDNs are not converted to Punycode. +- If this policy setting is enabled, IDNs are not converted to Punycode. -If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. +- If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. @@ -333,7 +331,7 @@ If this policy setting is disabled, or if this policy setting is not configured, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -373,9 +371,9 @@ If this policy setting is disabled, or if this policy setting is not configured, Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. -If this policy setting is enabled, IDNs are converted to the Nameprep form. +- If this policy setting is enabled, IDNs are converted to the Nameprep form. -If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. +- If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. @@ -393,7 +391,7 @@ If this policy setting is disabled, or if this policy setting is not configured, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -435,9 +433,9 @@ Defines the DNS servers to which a computer sends queries when it attempts to re To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. -If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. +- If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. @@ -455,7 +453,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -494,11 +492,12 @@ If you disable this policy setting, or if you do not configure this policy setti Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). -If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. +- If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. -If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. +- If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. -Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. @@ -516,7 +515,7 @@ Note: This policy setting is applicable only if the turn off smart multi-homed n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -558,13 +557,14 @@ Specifies the primary DNS suffix used by computers in DNS name registration and To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. -Important: In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. +> [!IMPORTANT] +> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. -If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. +- If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. -If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. +- If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. @@ -582,7 +582,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -623,13 +623,14 @@ Specifies if a computer performing dynamic DNS registration will register A and By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. -If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. +- If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. -For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. -Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. +> [!IMPORTANT] +> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. -If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. +- If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. @@ -647,7 +648,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -689,7 +690,7 @@ Specifies if DNS client computers will register PTR resource records. By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. -If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. +- If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: @@ -699,7 +700,7 @@ Register: Computers will attempt to register PTR resource records even if regist Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. -If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. +- If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. @@ -717,7 +718,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -756,9 +757,9 @@ If you disable this policy setting, or if you do not configure this policy setti Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. -If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. +- If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. -If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. +- If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. @@ -776,7 +777,7 @@ If you disable this policy setting, computers may not use dynamic DNS registrati > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -820,9 +821,9 @@ This policy setting is designed for computers that register address (A) resource During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. -If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. +- If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. -If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. +- If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. @@ -840,7 +841,7 @@ If you disable this policy setting, existing A resource records that contain con > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -882,13 +883,14 @@ Specifies the interval used by DNS clients to refresh registration of A and PTR Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. -Warning: If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. +> [!WARNING] +> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. -If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. +- If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. @@ -906,7 +908,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -947,9 +949,9 @@ Specifies the value of the time to live (TTL) field in A and PTR resource record To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). -If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. +- If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). +- If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). @@ -967,7 +969,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1012,9 +1014,9 @@ Client computers that receive this policy setting will attach one or more suffix To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. -If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. +- If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. -If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. +- If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. @@ -1032,7 +1034,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1071,9 +1073,9 @@ If you disable this policy setting, or if you do not configure this policy setti Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. -If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. +- If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. -If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. +- If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. @@ -1091,7 +1093,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1131,11 +1133,12 @@ If you disable this policy setting, or if you do not configure this policy setti Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). -If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. +- If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. -If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. +- If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. -Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. @@ -1153,7 +1156,7 @@ Note: This policy setting is applicable only if the turn off smart multi-homed n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1201,9 +1204,9 @@ Only unsecure - computers send only nonsecure dynamic updates. Only secure - computers send only secure dynamic updates. -If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. +- If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. -If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. +- If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. @@ -1221,7 +1224,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1262,9 +1265,9 @@ Specifies if computers may send dynamic updates to zones with a single label nam By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. -If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. +- If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. -If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. +- If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. @@ -1282,7 +1285,7 @@ If you disable this policy setting, or if you do not configure this policy setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1340,9 +1343,9 @@ If a DNS suffix search list is not specified, the DNS client attaches the primar For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. -If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +- If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. -If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. +- If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. @@ -1360,7 +1363,7 @@ If you disable this policy setting, DNS clients do not attempt to resolve names > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1402,9 +1405,9 @@ Specifies that link local multicast name resolution (LLMNR) is disabled on clien LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. -If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. +- If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. -If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. +- If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. @@ -1422,13 +1425,13 @@ If you disable this policy setting, or you do not configure this policy setting, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DNS_TurnOffMulticast | +| Name | Turn_Off_Multicast | | Friendly Name | Turn off multicast name resolution | | Location | Computer Configuration | | Path | Network > DNS Client | diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 01d13ee89c..eccb350bf2 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,10 +1,10 @@ --- title: ADMX_DWM Policy CSP -description: Learn more about the ADMX_DWM Area in Policy CSP +description: Learn more about the ADMX_DWM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_DWM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,192 +25,6 @@ ms.topic: reference - -## DwmDefaultColorizationColor_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDefaultColorizationColor_2 -``` - - - - -This policy setting controls the default color for window frames when the user does not specify a color. - -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. - -If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. - -Note: This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DwmDefaultColorizationColor | -| Friendly Name | Specify a default color | -| Location | Computer Configuration | -| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | -| Registry Value Name | DefaultColorizationColorState | -| ADMX File Name | DWM.admx | - - - - - - - - - -## DwmDisallowAnimations_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowAnimations_2 -``` - - - - -This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. - -If you enable this policy setting, window animations are turned off. - -If you disable or do not configure this policy setting, window animations are turned on. - -Changing this policy setting requires a logoff for it to be applied. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DwmDisallowAnimations | -| Friendly Name | Do not allow window animations | -| Location | Computer Configuration | -| Path | Windows Components > Desktop Window Manager | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | -| Registry Value Name | DisallowAnimations | -| ADMX File Name | DWM.admx | - - - - - - - - - -## DwmDisallowColorizationColorChanges_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowColorizationColorChanges_2 -``` - - - - -This policy setting controls the ability to change the color of window frames. - -If you enable this policy setting, you prevent users from changing the default window frame color. - -If you disable or do not configure this policy setting, you allow users to change the default window frame color. - -Note: This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DwmDisallowColorizationColorChanges | -| Friendly Name | Do not allow color changes | -| Location | Computer Configuration | -| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | -| Registry Value Name | DisallowColorizationColorChanges | -| ADMX File Name | DWM.admx | - - - - - - - - ## DwmDefaultColorizationColor_1 @@ -232,11 +44,12 @@ Note: This policy setting can be used in conjunction with the "Specify a default This policy setting controls the default color for window frames when the user does not specify a color. -If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. +- If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. -If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. +- If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. -Note: This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. +> [!NOTE] +> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. @@ -254,13 +67,13 @@ Note: This policy setting can be used in conjunction with the "Prevent color cha > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DwmDefaultColorizationColor | +| Name | DwmDefaultColorizationColor_1 | | Friendly Name | Specify a default color | | Location | User Configuration | | Path | Windows Components > Desktop Window Manager > Window Frame Coloring | @@ -275,6 +88,69 @@ Note: This policy setting can be used in conjunction with the "Prevent color cha + +## DwmDefaultColorizationColor_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDefaultColorizationColor_2 +``` + + + + +This policy setting controls the default color for window frames when the user does not specify a color. + +- If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. + +- If you disable or do not configure this policy setting, the default internal color is used, if the user does not specify a color. + +> [!NOTE] +> This policy setting can be used in conjunction with the "Prevent color changes of window frames" setting, to enforce a specific color for window frames that cannot be changed by users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DwmDefaultColorizationColor_2 | +| Friendly Name | Specify a default color | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DefaultColorizationColorState | +| ADMX File Name | DWM.admx | + + + + + + + + ## DwmDisallowAnimations_1 @@ -294,9 +170,9 @@ Note: This policy setting can be used in conjunction with the "Prevent color cha This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. -If you enable this policy setting, window animations are turned off. +- If you enable this policy setting, window animations are turned off. -If you disable or do not configure this policy setting, window animations are turned on. +- If you disable or do not configure this policy setting, window animations are turned on. Changing this policy setting requires a logoff for it to be applied. @@ -316,13 +192,13 @@ Changing this policy setting requires a logoff for it to be applied. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DwmDisallowAnimations | +| Name | DwmDisallowAnimations_1 | | Friendly Name | Do not allow window animations | | Location | User Configuration | | Path | Windows Components > Desktop Window Manager | @@ -337,6 +213,68 @@ Changing this policy setting requires a logoff for it to be applied. + +## DwmDisallowAnimations_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowAnimations_2 +``` + + + + +This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. + +- If you enable this policy setting, window animations are turned off. + +- If you disable or do not configure this policy setting, window animations are turned on. + +Changing this policy setting requires a logoff for it to be applied. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DwmDisallowAnimations_2 | +| Friendly Name | Do not allow window animations | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowAnimations | +| ADMX File Name | DWM.admx | + + + + + + + + ## DwmDisallowColorizationColorChanges_1 @@ -356,11 +294,12 @@ Changing this policy setting requires a logoff for it to be applied. This policy setting controls the ability to change the color of window frames. -If you enable this policy setting, you prevent users from changing the default window frame color. +- If you enable this policy setting, you prevent users from changing the default window frame color. -If you disable or do not configure this policy setting, you allow users to change the default window frame color. +- If you disable or do not configure this policy setting, you allow users to change the default window frame color. -Note: This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. +> [!NOTE] +> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. @@ -378,13 +317,13 @@ Note: This policy setting can be used in conjunction with the "Specify a default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DwmDisallowColorizationColorChanges | +| Name | DwmDisallowColorizationColorChanges_1 | | Friendly Name | Do not allow color changes | | Location | User Configuration | | Path | Windows Components > Desktop Window Manager > Window Frame Coloring | @@ -399,6 +338,69 @@ Note: This policy setting can be used in conjunction with the "Specify a default + +## DwmDisallowColorizationColorChanges_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_DWM/DwmDisallowColorizationColorChanges_2 +``` + + + + +This policy setting controls the ability to change the color of window frames. + +- If you enable this policy setting, you prevent users from changing the default window frame color. + +- If you disable or do not configure this policy setting, you allow users to change the default window frame color. + +> [!NOTE] +> This policy setting can be used in conjunction with the "Specify a default color for window frames" policy setting, to enforce a specific color for window frames that cannot be changed by users. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DwmDisallowColorizationColorChanges_2 | +| Friendly Name | Do not allow color changes | +| Location | Computer Configuration | +| Path | Windows Components > Desktop Window Manager > Window Frame Coloring | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DWM | +| Registry Value Name | DisallowColorizationColorChanges | +| ADMX File Name | DWM.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 0b3e24725b..3592fb1a73 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,10 +1,10 @@ --- title: ADMX_EAIME Policy CSP -description: Learn more about the ADMX_EAIME Area in Policy CSP +description: Learn more about the ADMX_EAIME Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EAIME > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. -If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. +- If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. -If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. +- If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. This policy setting applies to Japanese Microsoft IME only. -**Note**: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -70,7 +69,7 @@ This policy setting applies to Japanese Microsoft IME only. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,7 +109,7 @@ This policy setting applies to Japanese Microsoft IME only. This policy setting allows you to restrict character code range of conversion by setting character filter. -If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: +- If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: 0x0001 // JIS208 area 0x0002 // NEC special char code @@ -124,11 +123,12 @@ If you enable this policy setting, then only the character code ranges specified 0x1000 // IVS char 0xFFFF // no definition. -If you disable or do not configure this policy setting, no range of characters are filtered by default. +- If you disable or do not configure this policy setting, no range of characters are filtered by default. This policy setting applies to Japanese Microsoft IME only. -**Note**: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -146,7 +146,7 @@ This policy setting applies to Japanese Microsoft IME only. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -185,9 +185,9 @@ This policy setting applies to Japanese Microsoft IME only. This policy setting allows you to turn off the ability to use a custom dictionary. -If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. +- If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. -If you disable or do not configure this policy setting, the custom dictionary can be used by default. +- If you disable or do not configure this policy setting, the custom dictionary can be used by default. [Clear auto-tuning information] removes self-tuned words from the custom dictionary, even if a group policy setting is turned on. To do this, select Settings > Time & Language > Japanese Options > Microsoft IME Options. If compatibility mode is turned on, select Advanced options > Dictionary/Auto-tuning > [Clear auto-tuning information]. @@ -195,7 +195,8 @@ If you disable or do not configure this policy setting, the custom dictionary ca This policy setting is applied to Japanese Microsoft IME. -**Note**: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -213,7 +214,7 @@ This policy setting is applied to Japanese Microsoft IME. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -253,13 +254,14 @@ This policy setting is applied to Japanese Microsoft IME. This policy setting allows you to turn off history-based predictive input. -If you enable this policy setting, history-based predictive input is turned off. +- If you enable this policy setting, history-based predictive input is turned off. -If you disable or do not configure this policy setting, history-based predictive input is on by default. +- If you disable or do not configure this policy setting, history-based predictive input is on by default. This policy setting applies to Japanese Microsoft IME only. -**Note**: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -277,7 +279,7 @@ This policy setting applies to Japanese Microsoft IME only. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -319,13 +321,14 @@ This policy setting allows you to turn off Internet search integration. Search integration includes both using Search Provider (Japanese Microsoft IME) and performing bing search from predictive input for Japanese Microsoft IME. -If you enable this policy setting, you cannot use search integration. +- If you enable this policy setting, you cannot use search integration. -If you disable or do not configure this policy setting, the search integration function can be used by default. +- If you disable or do not configure this policy setting, the search integration function can be used by default. This policy setting applies to Japanese Microsoft IME. -**Note**: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -343,7 +346,7 @@ This policy setting applies to Japanese Microsoft IME. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -383,11 +386,11 @@ This policy setting applies to Japanese Microsoft IME. This policy setting allows you to turn off Open Extended Dictionary. -If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. +- If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. -If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. +- If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. This policy setting is applied to Japanese Microsoft IME. @@ -407,7 +410,7 @@ This policy setting is applied to Japanese Microsoft IME. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -447,9 +450,9 @@ This policy setting is applied to Japanese Microsoft IME. This policy setting allows you to turn off saving the auto-tuning result to file. -If you enable this policy setting, the auto-tuning data is not saved to file. +- If you enable this policy setting, the auto-tuning data is not saved to file. -If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. +- If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. This policy setting applies to Japanese Microsoft IME only. @@ -469,7 +472,7 @@ This policy setting applies to Japanese Microsoft IME only. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -509,11 +512,11 @@ This policy setting applies to Japanese Microsoft IME only. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. -If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. +- If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. -If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. +- If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. -If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. +- If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. @@ -533,7 +536,7 @@ This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -573,11 +576,11 @@ This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. -If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. +- If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. -If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. +- If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. -If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. +- If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. This Policy setting applies only to Microsoft CHS Pinyin IME. @@ -597,7 +600,7 @@ This Policy setting applies only to Microsoft CHS Pinyin IME. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -660,10 +663,16 @@ This Policy setting applies only to Microsoft CHS Pinyin IME. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | L_TurnOnLexiconUpdate | +| ADMX File Name | EAIME.admx | @@ -714,10 +723,16 @@ This Policy setting applies only to Microsoft CHS Pinyin IME. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | L_TurnOnLiveStickers | +| ADMX File Name | EAIME.admx | @@ -745,9 +760,9 @@ This Policy setting applies only to Microsoft CHS Pinyin IME. This policy setting allows you to turn on logging of misconversion for the misconversion report. -If you enable this policy setting, misconversion logging is turned on. +- If you enable this policy setting, misconversion logging is turned on. -If you disable or do not configure this policy setting, misconversion logging is turned off. +- If you disable or do not configure this policy setting, misconversion logging is turned off. This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. @@ -767,7 +782,7 @@ This policy setting applies to Japanese Microsoft IME and Traditional Chinese IM > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index c233fee0f8..0c9580b962 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md @@ -1,10 +1,10 @@ --- title: ADMX_EncryptFilesonMove Policy CSP -description: Learn more about the ADMX_EncryptFilesonMove Area in Policy CSP +description: Learn more about the ADMX_EncryptFilesonMove Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EncryptFilesonMove > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. -If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. +- If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. -If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. +- If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. @@ -68,7 +66,7 @@ This setting applies only to files moved within a volume. When files are moved t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index b8fe9e6112..72b2d0f856 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -1,10 +1,10 @@ --- title: ADMX_EnhancedStorage Policy CSP -description: Learn more about the ADMX_EnhancedStorage Area in Policy CSP +description: Learn more about the ADMX_EnhancedStorage Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EnhancedStorage > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. -If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. +- If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. -If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. +- If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, all Enhanced Storage dev > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,9 +104,9 @@ If you disable or do not configure this policy setting, all Enhanced Storage dev This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. -If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. +- If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. -If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. +- If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. @@ -126,7 +124,7 @@ If you disable or do not configure this policy setting, all IEEE 1667 silos on E > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -166,9 +164,9 @@ If you disable or do not configure this policy setting, all IEEE 1667 silos on E This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. -If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. +- If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. -If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. +- If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. @@ -186,7 +184,7 @@ If you disable or do not configure this policy setting, a password can be used t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -226,9 +224,9 @@ If you disable or do not configure this policy setting, a password can be used t This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. -If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. +- If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. -If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. +- If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. @@ -246,7 +244,7 @@ If you disable or do not configure this policy setting, non-Enhanced Storage rem > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -288,9 +286,9 @@ This policy setting locks Enhanced Storage devices when the computer is locked. This policy setting is supported in Windows Server SKUs only. -If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. +- If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. -If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. +- If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. @@ -308,7 +306,7 @@ If you disable or do not configure this policy setting, the Enhanced Storage dev > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -348,9 +346,9 @@ If you disable or do not configure this policy setting, the Enhanced Storage dev This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. -If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. +- If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. -If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. +- If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. @@ -368,7 +366,7 @@ If you disable or do not configure this policy setting, USB Enhanced Storage dev > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index a16a17919c..600645f1cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,10 +1,10 @@ --- title: ADMX_ErrorReporting Policy CSP -description: Learn more about the ADMX_ErrorReporting Area in Policy CSP +description: Learn more about the ADMX_ErrorReporting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ErrorReporting > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. -If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. +- If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. -If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. +- If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. @@ -72,7 +70,7 @@ For related information, see the Configure Error Reporting and Report Operating > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -111,11 +109,11 @@ For related information, see the Configure Error Reporting and Report Operating This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. +- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. -If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. +- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. -If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. +- If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. @@ -133,7 +131,7 @@ If you disable or do not configure this policy setting, the Default application > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -174,13 +172,13 @@ This policy setting specifies applications for which Windows Error Reporting sho To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. -If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. +- If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) -If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. +- If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. -Also see the ""Default Application Reporting"" and ""Application Exclusion List"" policies. +Also see the "Default Application Reporting" and "Application Exclusion List" policies. This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. @@ -200,7 +198,7 @@ This setting will be ignored if the 'Configure Error Reporting' setting is disab > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -241,25 +239,27 @@ This policy setting configures how errors are reported to Microsoft, and what in This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. -Important: If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. +> [!IMPORTANT] +> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. -If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: +- If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). +- If you enable this policy setting, you can configure the following settings in the policy setting: -- ""Do not display links to any Microsoft ‘More information’ websites"": Select this option if you do not want error dialog boxes to display links to Microsoft websites. +- "Do not display links to any Microsoft 'More information' websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. -- ""Do not collect additional files"": Select this option if you do not want additional files to be collected and included in error reports. +- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports. -- ""Do not collect additional computer data"": Select this if you do not want additional information about the computer to be collected and included in error reports. +- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports. -- ""Force queue mode for application errors"": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. +- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. -- ""Corporate file path"": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. +- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. -- ""Replace instances of the word ‘Microsoft’ with"": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. +- "Replace instances of the word 'Microsoft' with": You can specify text with which to customize your error report dialog boxes. The word "Microsoft" is replaced with the specified text. -If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. +- If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. -If you disable this policy setting, configuration settings in the policy setting are left blank. +- If you disable this policy setting, configuration settings in the policy setting are left blank. See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. @@ -279,7 +279,7 @@ See related policy settings Display Error Notification (same folder as this poli > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -318,11 +318,11 @@ See related policy settings Display Error Notification (same folder as this poli This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. -If you enable this policy setting, Windows Error Reporting includes operating system errors. +- If you enable this policy setting, Windows Error Reporting includes operating system errors. -If you disable this policy setting, operating system errors are not included in error reports. +- If you disable this policy setting, operating system errors are not included in error reports. -If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. +- If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. See also the Configure Error Reporting policy setting. @@ -342,7 +342,7 @@ See also the Configure Error Reporting policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -363,6 +363,66 @@ See also the Configure Error Reporting policy setting. + +## WerArchive_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerArchive_1 +``` + + + + +This policy setting controls the behavior of the Windows Error Reporting archive. + +- If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +- If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerArchive_1 | +| Friendly Name | Configure Report Archive | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableArchive | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerArchive_2 @@ -382,9 +442,9 @@ See also the Configure Error Reporting policy setting. This policy setting controls the behavior of the Windows Error Reporting archive. -If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. +- If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. -If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. +- If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. @@ -402,13 +462,13 @@ If you disable or do not configure this policy setting, no Windows Error Reporti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerArchive | +| Name | WerArchive_2 | | Friendly Name | Configure Report Archive | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | @@ -423,6 +483,66 @@ If you disable or do not configure this policy setting, no Windows Error Reporti + +## WerAutoApproveOSDumps_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerAutoApproveOSDumps_1 +``` + + + + +This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +- If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +- If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerAutoApproveOSDumps_1 | +| Friendly Name | Automatically send memory dumps for OS-generated error reports | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | AutoApproveOSDumps | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerAutoApproveOSDumps_2 @@ -442,9 +562,9 @@ If you disable or do not configure this policy setting, no Windows Error Reporti This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. -If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. +- If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. -If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. +- If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. @@ -462,13 +582,13 @@ If you disable this policy setting, then all memory dumps are uploaded according > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerAutoApproveOSDumps | +| Name | WerAutoApproveOSDumps_2 | | Friendly Name | Automatically send memory dumps for OS-generated error reports | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting | @@ -483,6 +603,66 @@ If you disable this policy setting, then all memory dumps are uploaded according + +## WerBypassDataThrottling_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassDataThrottling_1 +``` + + + + +This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +- If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +- If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerBypassDataThrottling_1 | +| Friendly Name | Do not throttle additional data | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassDataThrottling | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerBypassDataThrottling_2 @@ -502,9 +682,9 @@ If you disable this policy setting, then all memory dumps are uploaded according This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. -If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. +- If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. -If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. +- If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. @@ -522,13 +702,13 @@ If you disable or do not configure this policy setting, WER throttles data by de > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerBypassDataThrottling | +| Name | WerBypassDataThrottling_2 | | Friendly Name | Do not throttle additional data | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting | @@ -543,6 +723,66 @@ If you disable or do not configure this policy setting, WER throttles data by de + +## WerBypassNetworkCostThrottling_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 +``` + + + + +This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +- If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +- If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerBypassNetworkCostThrottling_1 | +| Friendly Name | Send data when on connected to a restricted/costed network | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassNetworkCostThrottling | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerBypassNetworkCostThrottling_2 @@ -562,9 +802,9 @@ If you disable or do not configure this policy setting, WER throttles data by de This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. -If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. +- If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. -If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. +- If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. @@ -582,13 +822,13 @@ If you disable or do not configure this policy setting, WER does not send data, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerBypassNetworkCostThrottling | +| Name | WerBypassNetworkCostThrottling_2 | | Friendly Name | Send data when on connected to a restricted/costed network | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting | @@ -603,6 +843,66 @@ If you disable or do not configure this policy setting, WER does not send data, + +## WerBypassPowerThrottling_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassPowerThrottling_1 +``` + + + + +This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +- If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +- If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerBypassPowerThrottling_1 | +| Friendly Name | Send additional data when on battery power | +| Location | User Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | BypassPowerThrottling | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerBypassPowerThrottling_2 @@ -622,9 +922,9 @@ If you disable or do not configure this policy setting, WER does not send data, This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. -If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. +- If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. -If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. +- If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. @@ -642,13 +942,13 @@ If you disable or do not configure this policy setting, WER checks for solutions > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerBypassPowerThrottling | +| Name | WerBypassPowerThrottling_2 | | Friendly Name | Send additional data when on battery power | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting | @@ -682,9 +982,9 @@ If you disable or do not configure this policy setting, WER checks for solutions This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). -If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. +- If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization's network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. -If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. +- If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. @@ -702,7 +1002,7 @@ If you disable or do not configure this policy setting, Windows Error Reporting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -722,614 +1022,6 @@ If you disable or do not configure this policy setting, Windows Error Reporting - -## WerConsentOverride_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentOverride_2 -``` - - - - -This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. - -If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. - -If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerConsentOverride | -| Friendly Name | Ignore custom consent settings | -| Location | Computer Configuration | -| Path | Windows Components > Windows Error Reporting > Consent | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | -| Registry Value Name | DefaultOverrideBehavior | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerDefaultConsent_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDefaultConsent_2 -``` - - - - -This policy setting determines the default consent behavior of Windows Error Reporting. - -If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: - -- Always ask before sending data: Windows prompts users for consent to send reports. - -- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. - -- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. - -- Send all data: any error reporting data requested by Microsoft is sent automatically. - -If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerDefaultConsent | -| Friendly Name | Configure Default consent | -| Location | Computer Configuration | -| Path | Windows Components > Windows Error Reporting > Consent | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerExlusion_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerExlusion_2 -``` - - - - -This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. - -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. - -If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerExlusion | -| Friendly Name | List of applications to be excluded | -| Location | Computer Configuration | -| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerNoLogging_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoLogging_2 -``` - - - - -This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. - -If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. - -If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerNoLogging | -| Friendly Name | Disable logging | -| Location | Computer Configuration | -| Path | Windows Components > Windows Error Reporting | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | LoggingDisabled | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerQueue_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerQueue_2 -``` - - - - -This policy setting determines the behavior of the Windows Error Reporting report queue. - -If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. - -The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. - -If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerQueue | -| Friendly Name | Configure Report Queue | -| Location | Computer Configuration | -| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | DisableQueue | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerArchive_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerArchive_1 -``` - - - - -This policy setting controls the behavior of the Windows Error Reporting archive. - -If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. - -If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerArchive | -| Friendly Name | Configure Report Archive | -| Location | User Configuration | -| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | DisableArchive | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerAutoApproveOSDumps_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerAutoApproveOSDumps_1 -``` - - - - -This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. - -If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. - -If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerAutoApproveOSDumps | -| Friendly Name | Automatically send memory dumps for OS-generated error reports | -| Location | User Configuration | -| Path | Windows Components > Windows Error Reporting | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | AutoApproveOSDumps | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerBypassDataThrottling_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassDataThrottling_1 -``` - - - - -This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. - -If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. - -If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerBypassDataThrottling | -| Friendly Name | Do not throttle additional data | -| Location | User Configuration | -| Path | Windows Components > Windows Error Reporting | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | BypassDataThrottling | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerBypassNetworkCostThrottling_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 -``` - - - - -This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. - -If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. - -If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerBypassNetworkCostThrottling | -| Friendly Name | Send data when on connected to a restricted/costed network | -| Location | User Configuration | -| Path | Windows Components > Windows Error Reporting | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | BypassNetworkCostThrottling | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - - -## WerBypassPowerThrottling_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerBypassPowerThrottling_1 -``` - - - - -This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. - -If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. - -If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WerBypassPowerThrottling | -| Friendly Name | Send additional data when on battery power | -| Location | User Configuration | -| Path | Windows Components > Windows Error Reporting | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | -| Registry Value Name | BypassPowerThrottling | -| ADMX File Name | ErrorReporting.admx | - - - - - - - - ## WerConsentCustomize_1 @@ -1349,7 +1041,7 @@ If you disable or do not configure this policy setting, WER checks for solutions This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +- If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. @@ -1361,7 +1053,7 @@ If you enable this policy setting, you can add specific event types to a list by - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. +- If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. @@ -1379,13 +1071,13 @@ If you disable or do not configure this policy setting, then the default consent > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerConsentCustomize | +| Name | WerConsentCustomize_1 | | Friendly Name | Customize consent settings | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting > Consent | @@ -1418,9 +1110,9 @@ If you disable or do not configure this policy setting, then the default consent This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. -If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. +- If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. -If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. +- If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. @@ -1438,13 +1130,13 @@ If you disable or do not configure this policy setting, custom consent policy se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerConsentOverride | +| Name | WerConsentOverride_1 | | Friendly Name | Ignore custom consent settings | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting > Consent | @@ -1459,6 +1151,66 @@ If you disable or do not configure this policy setting, custom consent policy se + +## WerConsentOverride_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerConsentOverride_2 +``` + + + + +This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +- If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +- If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerConsentOverride_2 | +| Friendly Name | Ignore custom consent settings | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| Registry Value Name | DefaultOverrideBehavior | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerDefaultConsent_1 @@ -1478,7 +1230,7 @@ If you disable or do not configure this policy setting, custom consent policy se This policy setting determines the default consent behavior of Windows Error Reporting. -If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: +- If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: - Always ask before sending data: Windows prompts users for consent to send reports. @@ -1488,7 +1240,7 @@ If you enable this policy setting, you can set the default consent handling for - Send all data: any error reporting data requested by Microsoft is sent automatically. -If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. +- If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. @@ -1506,13 +1258,13 @@ If this policy setting is disabled or not configured, then the consent level def > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerDefaultConsent | +| Name | WerDefaultConsent_1 | | Friendly Name | Configure Default consent | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting > Consent | @@ -1526,6 +1278,73 @@ If this policy setting is disabled or not configured, then the consent level def + +## WerDefaultConsent_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerDefaultConsent_2 +``` + + + + +This policy setting determines the default consent behavior of Windows Error Reporting. + +- If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +- If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerDefaultConsent_2 | +| Friendly Name | Configure Default consent | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Consent | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerDisable_1 @@ -1545,9 +1364,9 @@ If this policy setting is disabled or not configured, then the consent level def This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. +- If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +- If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. @@ -1565,13 +1384,13 @@ If you disable or do not configure this policy setting, the Turn off Windows Err > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerDisable | +| Name | WerDisable_1 | | Friendly Name | Disable Windows Error Reporting | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting | @@ -1605,9 +1424,10 @@ If you disable or do not configure this policy setting, the Turn off Windows Err This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. -If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. +- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. +- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. -If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. +- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. @@ -1625,13 +1445,13 @@ If you disable or do not configure this policy setting, errors are reported on a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerExlusion | +| Name | WerExlusion_1 | | Friendly Name | List of applications to be excluded | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | @@ -1645,6 +1465,66 @@ If you disable or do not configure this policy setting, errors are reported on a + +## WerExlusion_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerExlusion_2 +``` + + + + +This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +- If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. +- If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +- If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerExlusion_2 | +| Friendly Name | List of applications to be excluded | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerNoLogging_1 @@ -1664,9 +1544,9 @@ If you disable or do not configure this policy setting, errors are reported on a This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. -If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. +- If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. -If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. +- If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. @@ -1684,13 +1564,13 @@ If you disable or do not configure this policy setting, Windows Error Reporting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerNoLogging | +| Name | WerNoLogging_1 | | Friendly Name | Disable logging | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting | @@ -1705,6 +1585,66 @@ If you disable or do not configure this policy setting, Windows Error Reporting + +## WerNoLogging_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerNoLogging_2 +``` + + + + +This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +- If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +- If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerNoLogging_2 | +| Friendly Name | Disable logging | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | LoggingDisabled | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + ## WerNoSecondLevelData_1 @@ -1724,9 +1664,9 @@ If you disable or do not configure this policy setting, Windows Error Reporting This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. +- If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +- If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. @@ -1744,13 +1684,13 @@ If you disable or do not configure this policy setting, then consent policy sett > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerNoSecondLevelData | +| Name | WerNoSecondLevelData_1 | | Friendly Name | Do not send additional data | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting | @@ -1784,11 +1724,11 @@ If you disable or do not configure this policy setting, then consent policy sett This policy setting determines the behavior of the Windows Error Reporting report queue. -If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. +- If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. -If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. +- If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. @@ -1806,13 +1746,13 @@ If you disable or do not configure this policy setting, Windows Error Reporting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerQueue | +| Name | WerQueue_1 | | Friendly Name | Configure Report Queue | | Location | User Configuration | | Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | @@ -1827,6 +1767,68 @@ If you disable or do not configure this policy setting, Windows Error Reporting + +## WerQueue_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ErrorReporting/WerQueue_2 +``` + + + + +This policy setting determines the behavior of the Windows Error Reporting report queue. + +- If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +- If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WerQueue_2 | +| Friendly Name | Configure Report Queue | +| Location | Computer Configuration | +| Path | Windows Components > Windows Error Reporting > Advanced Error Reporting Settings | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | +| Registry Value Name | DisableQueue | +| ADMX File Name | ErrorReporting.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index 7475c803aa..4a0513e2d2 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,10 +1,10 @@ --- title: ADMX_EventForwarding Policy CSP -description: Learn more about the ADMX_EventForwarding Area in Policy CSP +description: Learn more about the ADMX_EventForwarding Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EventForwarding > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. -If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. +- If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. -If you disable or do not configure this policy setting, forwarder resource usage is not specified. +- If you disable or do not configure this policy setting, forwarder resource usage is not specified. This setting applies across all subscriptions for the forwarder (source computer). @@ -68,7 +66,7 @@ This setting applies across all subscriptions for the forwarder (source computer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -107,12 +105,12 @@ This setting applies across all subscriptions for the forwarder (source computer This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. -If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. +- If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. Use the following syntax when using the HTTPS protocol: Server=https://``:5986/wsman/SubscriptionManager/WEC,Refresh=``,IssuerCA=``. When using the HTTP protocol, use port 5985. -If you disable or do not configure this policy setting, the Event Collector computer will not be specified. +- If you disable or do not configure this policy setting, the Event Collector computer will not be specified. @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, the Event Collector comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index c8adf75d8a..e1e98092d9 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -1,10 +1,10 @@ --- title: ADMX_EventLog Policy CSP -description: Learn more about the ADMX_EventLog Area in Policy CSP +description: Learn more about the ADMX_EventLog Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EventLog > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. @@ -68,13 +66,13 @@ If you do not configure this policy setting and the "Retain old events" policy s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_AutoBackup | +| Name | Channel_Log_AutoBackup_1 | | Friendly Name | Back up log automatically when full | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -108,11 +106,11 @@ If you do not configure this policy setting and the "Retain old events" policy s This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. @@ -130,13 +128,13 @@ If you do not configure this policy setting and the "Retain old events" policy s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_AutoBackup | +| Name | Channel_Log_AutoBackup_2 | | Friendly Name | Back up log automatically when full | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -170,11 +168,11 @@ If you do not configure this policy setting and the "Retain old events" policy s This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. @@ -192,13 +190,13 @@ If you do not configure this policy setting and the "Retain old events" policy s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_AutoBackup | +| Name | Channel_Log_AutoBackup_3 | | Friendly Name | Back up log automatically when full | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Setup | @@ -232,11 +230,11 @@ If you do not configure this policy setting and the "Retain old events" policy s This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. -If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. +- If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. -If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. +- If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. -If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. +- If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. @@ -254,13 +252,13 @@ If you do not configure this policy setting and the "Retain old events" policy s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_AutoBackup | +| Name | Channel_Log_AutoBackup_4 | | Friendly Name | Back up log automatically when full | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | @@ -294,11 +292,12 @@ If you do not configure this policy setting and the "Retain old events" policy s This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. -If you enable this policy setting, only those users matching the security descriptor can access the log. +- If you enable this policy setting, only those users matching the security descriptor can access the log. -If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. +- If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. -Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. @@ -316,13 +315,13 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess | +| Name | Channel_Log_FileLogAccess_1 | | Friendly Name | Configure log access | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -355,11 +354,12 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. -If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. +- If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. -If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. +- If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. -Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. @@ -377,13 +377,13 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess | +| Name | Channel_Log_FileLogAccess_2 | | Friendly Name | Configure log access | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -416,11 +416,12 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. -If you enable this policy setting, only those users matching the security descriptor can access the log. +- If you enable this policy setting, only those users matching the security descriptor can access the log. -If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. +- If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. -Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. @@ -438,13 +439,13 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess | +| Name | Channel_Log_FileLogAccess_3 | | Friendly Name | Configure log access | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Setup | @@ -477,11 +478,12 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. -If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. +- If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. -If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. +- If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. -Note: If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. @@ -499,13 +501,13 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess | +| Name | Channel_Log_FileLogAccess_4 | | Friendly Name | Configure log access | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | @@ -538,11 +540,11 @@ Note: If you enable this policy setting, some tools and APIs may ignore it. The This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. -If you enable this policy setting, only those users matching the security descriptor can access the log. +- If you enable this policy setting, only those users matching the security descriptor can access the log. -If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. +- If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. -If you do not configure this policy setting, the previous policy setting configuration remains in effect. +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. @@ -560,13 +562,13 @@ If you do not configure this policy setting, the previous policy setting configu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess_Legacy | +| Name | Channel_Log_FileLogAccess_5 | | Friendly Name | Configure log access (legacy) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -599,11 +601,11 @@ If you do not configure this policy setting, the previous policy setting configu This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. -If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. +- If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. -If you disable this policy setting, only system software and administrators can read or clear this log. +- If you disable this policy setting, only system software and administrators can read or clear this log. -If you do not configure this policy setting, the previous policy setting configuration remains in effect. +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. @@ -621,13 +623,13 @@ If you do not configure this policy setting, the previous policy setting configu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess_Legacy | +| Name | Channel_Log_FileLogAccess_6 | | Friendly Name | Configure log access (legacy) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -660,11 +662,11 @@ If you do not configure this policy setting, the previous policy setting configu This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. -If you enable this policy setting, only those users matching the security descriptor can access the log. +- If you enable this policy setting, only those users matching the security descriptor can access the log. -If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. +- If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. -If you do not configure this policy setting, the previous policy setting configuration remains in effect. +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. @@ -682,13 +684,13 @@ If you do not configure this policy setting, the previous policy setting configu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess_Legacy | +| Name | Channel_Log_FileLogAccess_7 | | Friendly Name | Configure log access (legacy) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Setup | @@ -721,11 +723,11 @@ If you do not configure this policy setting, the previous policy setting configu This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. -If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. +- If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. -If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. +- If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. -If you do not configure this policy setting, the previous policy setting configuration remains in effect. +- If you do not configure this policy setting, the previous policy setting configuration remains in effect. @@ -743,13 +745,13 @@ If you do not configure this policy setting, the previous policy setting configu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_FileLogAccess_Legacy | +| Name | Channel_Log_FileLogAccess_8 | | Friendly Name | Configure log access (legacy) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | @@ -782,11 +784,12 @@ If you do not configure this policy setting, the previous policy setting configu This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -804,13 +807,13 @@ Note: Old events may or may not be retained according to the "Backup log automat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_Retention | +| Name | Channel_Log_Retention_2 | | Friendly Name | Control Event Log behavior when the log file reaches its maximum size | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -844,11 +847,12 @@ Note: Old events may or may not be retained according to the "Backup log automat This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -866,13 +870,13 @@ Note: Old events may or may not be retained according to the "Backup log automat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_Retention | +| Name | Channel_Log_Retention_3 | | Friendly Name | Control Event Log behavior when the log file reaches its maximum size | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Setup | @@ -906,11 +910,12 @@ Note: Old events may or may not be retained according to the "Backup log automat This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -928,13 +933,13 @@ Note: Old events may or may not be retained according to the "Backup log automat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_Log_Retention | +| Name | Channel_Log_Retention_4 | | Friendly Name | Control Event Log behavior when the log file reaches its maximum size | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | @@ -968,7 +973,7 @@ Note: Old events may or may not be retained according to the "Backup log automat This policy setting turns on logging. -If you enable or do not configure this policy setting, then events can be written to this log. +- If you enable or do not configure this policy setting, then events can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. @@ -988,7 +993,7 @@ If the policy setting is disabled, then no new events can be logged. Events can > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1028,9 +1033,9 @@ If the policy setting is disabled, then no new events can be logged. Events can This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. @@ -1048,13 +1053,13 @@ If you disable or do not configure this policy setting, the Event Log uses the f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogFilePath | +| Name | Channel_LogFilePath_1 | | Friendly Name | Control the location of the log file | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Application | @@ -1087,9 +1092,9 @@ If you disable or do not configure this policy setting, the Event Log uses the f This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. @@ -1107,13 +1112,13 @@ If you disable or do not configure this policy setting, the Event Log uses the f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogFilePath | +| Name | Channel_LogFilePath_2 | | Friendly Name | Control the location of the log file | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Security | @@ -1146,9 +1151,9 @@ If you disable or do not configure this policy setting, the Event Log uses the f This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. @@ -1166,13 +1171,13 @@ If you disable or do not configure this policy setting, the Event Log uses the f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogFilePath | +| Name | Channel_LogFilePath_3 | | Friendly Name | Control the location of the log file | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Setup | @@ -1205,9 +1210,9 @@ If you disable or do not configure this policy setting, the Event Log uses the f This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. -If you enable this policy setting, the Event Log uses the path specified in this policy setting. +- If you enable this policy setting, the Event Log uses the path specified in this policy setting. -If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. +- If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. @@ -1225,13 +1230,13 @@ If you disable or do not configure this policy setting, the Event Log uses the f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogFilePath | +| Name | Channel_LogFilePath_4 | | Friendly Name | Control the location of the log file | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > System | @@ -1264,9 +1269,9 @@ If you disable or do not configure this policy setting, the Event Log uses the f This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. @@ -1284,13 +1289,13 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Channel_LogMaxSize | +| Name | Channel_LogMaxSize_3 | | Friendly Name | Specify the maximum log file size (KB) | | Location | Computer Configuration | | Path | Windows Components > Event Log Service > Setup | diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index 683fb90ac1..b49b9259de 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,10 +1,10 @@ --- title: ADMX_EventLogging Policy CSP -description: Learn more about the ADMX_EventLogging Area in Policy CSP +description: Learn more about the ADMX_EventLogging Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EventLogging > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting lets you configure Protected Event Logging. -If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with. +- If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with. -If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log. +- If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, components will not encr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index 1ca041f7cf..c0b5223b4c 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md +++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -1,10 +1,10 @@ --- title: ADMX_EventViewer Policy CSP -description: Learn more about the ADMX_EventViewer Area in Policy CSP +description: Learn more about the ADMX_EventViewer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_EventViewer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,7 +60,7 @@ This is the program that will be invoked when the user clicks the events.asp lin > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -117,7 +115,7 @@ This specifies the command line parameters that will be passed to the events.asp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -172,7 +170,7 @@ This is the URL that will be passed to the Description area in the Event Propert > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index 6a9ecf5e4d..1d565c61b0 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md @@ -1,10 +1,10 @@ --- title: ADMX_Explorer Policy CSP -description: Learn more about the ADMX_Explorer Area in Policy CSP +description: Learn more about the ADMX_Explorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Explorer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,7 +60,7 @@ Sets the target of the More Information link that will be displayed when the use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -82,64 +80,6 @@ Sets the target of the More Information link that will be displayed when the use - -## DisableRoamedProfileInit - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Explorer/DisableRoamedProfileInit -``` - - - - -This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. - -If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableRoamedProfileInit | -| Friendly Name | Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | DisableRoamedProfileInit | -| ADMX File Name | Explorer.admx | - - - - - - - - ## AlwaysShowClassicMenu @@ -159,13 +99,15 @@ If you enable this policy setting on a machine that does not contain all program This policy setting configures File Explorer to always display the menu bar. -Note: By default, the menu bar is not displayed in File Explorer. +> [!NOTE] +> By default, the menu bar is not displayed in File Explorer. -If you enable this policy setting, the menu bar will be displayed in File Explorer. +- If you enable this policy setting, the menu bar will be displayed in File Explorer. -If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer. +- If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer. -Note: When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. +> [!NOTE] +> When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key. @@ -183,7 +125,7 @@ Note: When the menu bar is not displayed, users can access the menu bar by press > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -204,6 +146,64 @@ Note: When the menu bar is not displayed, users can access the menu bar by press + +## DisableRoamedProfileInit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Explorer/DisableRoamedProfileInit +``` + + + + +This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values. + +- If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRoamedProfileInit | +| Friendly Name | Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableRoamedProfileInit | +| ADMX File Name | Explorer.admx | + + + + + + + + ## PreventItemCreationInUsersFilesFolder @@ -223,12 +223,12 @@ Note: When the menu bar is not displayed, users can access the menu bar by press This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. -If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. +- If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. -If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. +- If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. - -Note: Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. +> [!NOTE] +> Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. @@ -246,7 +246,7 @@ Note: Enabling this policy setting does not prevent the user from being able to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -302,7 +302,7 @@ This policy is similar to settings directly available to computer users. Disabli > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 1bf343650f..de3e5d8181 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,10 +1,10 @@ --- title: ADMX_ExternalBoot Policy CSP -description: Learn more about the ADMX_ExternalBoot Area in Policy CSP +description: Learn more about the ADMX_ExternalBoot Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ExternalBoot > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. -If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. +- If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. -If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can't hibernate the PC. +- If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can't hibernate the PC. @@ -66,13 +64,13 @@ If you disable or don't configure this setting, Windows, when started from a Win > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PortableOperatingSystem_Hibernate_DisplayName | +| Name | PortableOperatingSystem_Hibernate | | Friendly Name | Allow hibernate (S4) when starting from a Windows To Go workspace | | Location | Computer Configuration | | Path | Windows Components > Portable Operating System | @@ -106,11 +104,11 @@ If you disable or don't configure this setting, Windows, when started from a Win This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. -If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item. +- If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item. -If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. +- If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. -If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. +- If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. @@ -128,13 +126,13 @@ If you do not configure this setting, users who are members of the Administrator > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PortableOperatingSystem_Launcher_DisplayName | +| Name | PortableOperatingSystem_Launcher | | Friendly Name | Windows To Go Default Startup Options | | Location | Computer Configuration | | Path | Windows Components > Portable Operating System | @@ -168,9 +166,9 @@ If you do not configure this setting, users who are members of the Administrator Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. -If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC sleep. +- If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby states to make the PC sleep. -If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep. +- If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep. @@ -188,13 +186,13 @@ If you disable or don't configure this setting, Windows, when started from a Win > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PortableOperatingSystem_Sleep_DisplayName | +| Name | PortableOperatingSystem_Sleep | | Friendly Name | Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace | | Location | Computer Configuration | | Path | Windows Components > Portable Operating System | diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 516eae188b..b645c3d188 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,10 +1,10 @@ --- title: ADMX_FileRecovery Policy CSP -description: Learn more about the ADMX_FileRecovery Area in Policy CSP +description: Learn more about the ADMX_FileRecovery Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_FileRecovery > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -52,15 +50,16 @@ Silent: Detection, troubleshooting, and recovery of corrupted files will automat Troubleshooting Only: Detection and troubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an administrator event with instructions if manual recovery is possible. -If you enable this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state. +- If you enable this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state. -If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. +- If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. -If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular recovery behavior. +- If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular recovery behavior. No system or service restarts are required for changes to this policy to take immediate effect after a Group Policy refresh. -Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +> [!NOTE] +> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. @@ -79,7 +78,7 @@ Note: This policy setting will take effect only when the Diagnostic Policy Servi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index 3a65ac03d8..a23152f09a 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,10 +1,10 @@ --- title: ADMX_FileRevocation Policy CSP -description: Learn more about the ADMX_FileRevocation Area in Policy CSP +description: Learn more about the ADMX_FileRevocation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_FileRevocation > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -47,13 +45,14 @@ ms.topic: reference Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: -Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy +Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy -If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. +- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. -If you disable or do not configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revoke access to content it protected. +- If you disable or do not configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revoke access to content it protected. -Note: File revocation applies to all content protected under the same second level domain as the provided enterprise identifier. So, revoking an enterprise ID of mail.contoso.com will revoke the user’s access to all content protected under the contoso.com hierarchy. +> [!NOTE] +> File revocation applies to all content protected under the same second level domain as the provided enterprise identifier. So, revoking an enterprise ID of mail.contoso.com will revoke the user's access to all content protected under the contoso.com hierarchy. @@ -71,13 +70,13 @@ Note: File revocation applies to all content protected under the same second lev > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DelegatedPackageFamilyNames_Name | +| Name | DelegatedPackageFamilyNames | | Friendly Name | Allow Windows Runtime apps to revoke enterprise data | | Location | User Configuration | | Path | Windows Components > File Revocation | diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 87505ed986..2333b8c1fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -1,10 +1,10 @@ --- title: ADMX_FileServerVSSProvider Policy CSP -description: Learn more about the ADMX_FileServerVSSProvider Area in Policy CSP +description: Learn more about the ADMX_FileServerVSSProvider Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_FileServerVSSProvider > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,7 +48,8 @@ VSS for SMB2 File Shares feature enables VSS aware backup applications to perfor By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. -Note: To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service . +> [!NOTE] +> To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service . @@ -68,7 +67,7 @@ Note: To make changes to this setting effective, you must restart Volume Shadow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index 8f838165cc..329a7e9c63 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,10 +1,10 @@ --- title: ADMX_FileSys Policy CSP -description: Learn more about the ADMX_FileSys Area in Policy CSP +description: Learn more about the ADMX_FileSys Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_FileSys > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -64,7 +62,7 @@ A reboot is required for this setting to take effect > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -123,7 +121,7 @@ A value of 1 will disable delete notifications for all volumes. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -181,7 +179,7 @@ A reboot is required for this setting to take effect > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -237,7 +235,7 @@ Encrypting the page file prevents malicious users from reading data that has bee > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -293,7 +291,7 @@ Enabling Win32 long paths will allow manifested win32 applications and Windows S > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -351,7 +349,7 @@ If you enable short names on all volumes then short names will always be generat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -415,7 +413,7 @@ NOTE: If this policy is Disabled or Not Configured, local administrators may sel > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -471,7 +469,7 @@ TXF deprecated features included savepoints, secondary RM, miniversion and roll > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index 083d17de33..e3ca25a214 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,10 +1,10 @@ --- title: ADMX_FolderRedirection Policy CSP -description: Learn more about the ADMX_FolderRedirection Area in Policy CSP +description: Learn more about the ADMX_FolderRedirection Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_FolderRedirection > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,132 +25,6 @@ ms.topic: reference - -## LocalizeXPRelativePaths_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/LocalizeXPRelativePaths_2 -``` - - - - -This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. - -If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. - -If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. - -Note: This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LocalizeXPRelativePaths | -| Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | -| Location | Computer Configuration | -| Path | System > Folder Redirection | -| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | -| Registry Value Name | LocalizeXPRelativePaths | -| ADMX File Name | FolderRedirection.admx | - - - - - - - - - -## PrimaryComputer_FR_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/PrimaryComputer_FR_2 -``` - - - - -This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. - -To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. - -If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. - -If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. - -Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PrimaryComputerFr | -| Friendly Name | Redirect folders on primary computers only | -| Location | Computer Configuration | -| Path | System > Folder Redirection | -| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | -| Registry Value Name | PrimaryComputerEnabledFR | -| ADMX File Name | FolderRedirection.admx | - - - - - - - - ## DisableFRAdminPin @@ -172,15 +44,18 @@ Note: If you enable this policy setting in Computer Configuration and User Confi This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. -If you enable this policy setting, users must manually select the files they wish to make available offline. +- If you enable this policy setting, users must manually select the files they wish to make available offline. -If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. +- If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. -Note: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. +> [!NOTE] +> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. -Note: Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. +> [!NOTE] +> Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files becomes unavailable. -Note: If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". +> [!NOTE] +> If one or more valid folder GUIDs are specified in the policy setting "Do not automatically make specific redirected folders available offline", that setting will override the configured value of "Do not automatically make all redirected folders available offline". @@ -198,7 +73,7 @@ Note: If one or more valid folder GUIDs are specified in the policy setting "Do > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -240,11 +115,13 @@ This policy setting allows you to control whether individual redirected shell fo For the folders affected by this setting, users must manually select the files they wish to make available offline. -If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. +- If you disable or do not configure this policy setting, all redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. -Note: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. +> [!NOTE] +> This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. -Note: The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". +> [!NOTE] +> The configuration of this policy for any folder will override the configured value of "Do not automatically make all redirected folders available offline". @@ -262,7 +139,7 @@ Note: The configuration of this policy for any folder will override the configur > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -301,9 +178,9 @@ Note: The configuration of this policy for any folder will override the configur This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. -If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. +- If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. -If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. +- If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deleted the content from the old network location. @@ -321,7 +198,7 @@ If you disable or do not configure this policy setting, when the path to a redir > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -361,11 +238,12 @@ If you disable or do not configure this policy setting, when the path to a redir This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. -If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. +- If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. -If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. +- If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. -Note: This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. +> [!NOTE] +> This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. @@ -383,13 +261,13 @@ Note: This policy is valid only on Windows Vista, Windows 7, Windows 8, and Wind > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | LocalizeXPRelativePaths | +| Name | LocalizeXPRelativePaths_1 | | Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | | Location | User Configuration | | Path | System > Folder Redirection | @@ -404,6 +282,69 @@ Note: This policy is valid only on Windows Vista, Windows 7, Windows 8, and Wind + +## LocalizeXPRelativePaths_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/LocalizeXPRelativePaths_2 +``` + + + + +This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively. + +- If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder. + +- If you disable or not configure this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use the standard English names for these subfolders when redirecting the Start Menu or legacy My Documents folder. + +> [!NOTE] +> This policy is valid only on Windows Vista, Windows 7, Windows 8, and Windows Server 2012 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocalizeXPRelativePaths_2 | +| Friendly Name | Use localized subfolder names when redirecting Start Menu and My Documents | +| Location | Computer Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | LocalizeXPRelativePaths | +| ADMX File Name | FolderRedirection.admx | + + + + + + + + ## PrimaryComputer_FR_1 @@ -425,11 +366,12 @@ This policy setting controls whether folders are redirected on a user's primary To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. -If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. +- If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. -If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. +- If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. -Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. +> [!NOTE] +> If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. @@ -447,13 +389,13 @@ Note: If you enable this policy setting in Computer Configuration and User Confi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PrimaryComputerFr | +| Name | PrimaryComputer_FR_1 | | Friendly Name | Redirect folders on primary computers only | | Location | User Configuration | | Path | System > Folder Redirection | @@ -468,6 +410,71 @@ Note: If you enable this policy setting in Computer Configuration and User Confi + +## PrimaryComputer_FR_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_FolderRedirection/PrimaryComputer_FR_2 +``` + + + + +This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. + +To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function. + +- If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. + +- If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. + +> [!NOTE] +> If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrimaryComputer_FR_2 | +| Friendly Name | Redirect folders on primary computers only | +| Location | Computer Configuration | +| Path | System > Folder Redirection | +| Registry Key Name | Software\Policies\Microsoft\Windows\System\Fdeploy | +| Registry Value Name | PrimaryComputerEnabledFR | +| ADMX File Name | FolderRedirection.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index 30f0229ac8..898a9c4f92 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,10 +1,10 @@ --- title: ADMX_FramePanes Policy CSP -description: Learn more about the ADMX_FramePanes Area in Policy CSP +description: Learn more about the ADMX_FramePanes Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_FramePanes > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting shows or hides the Details Pane in File Explorer. -If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. +- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. -If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user. +- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user -**Note**: This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. +> [!NOTE] +> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. This is the default policy setting. @@ -70,7 +69,7 @@ If you disable, or do not configure this policy setting, the Details Pane is hid > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -109,7 +108,7 @@ If you disable, or do not configure this policy setting, the Details Pane is hid Hides the Preview Pane in File Explorer. -If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. +- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. @@ -129,7 +128,7 @@ If you disable, or do not configure this setting, the Preview Pane is hidden by > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 74ace3c457..79f96e961d 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,10 +1,10 @@ --- title: ADMX_fthsvc Policy CSP -description: Learn more about the ADMX_fthsvc Area in Policy CSP +description: Learn more about the ADMX_fthsvc Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_fthsvc > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. -If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. +- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. -If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. +- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. -If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. +- If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -74,7 +72,7 @@ No system restart or service restart is required for this policy setting to take > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index bc42d298f5..9a730ad116 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,10 +1,10 @@ --- title: ADMX_Globalization Policy CSP -description: Learn more about the ADMX_Globalization Area in Policy CSP +description: Learn more about the ADMX_Globalization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -115,7 +115,8 @@ The policy setting "Restrict user locales" can also be enabled to disallow selec - If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. - If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. -- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. +- If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. @@ -184,7 +185,8 @@ The policy setting "Restrict user locales" can also be enabled to disallow selec - If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. - If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. -- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. +- If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. @@ -724,7 +726,8 @@ The locale list is specified using language tags, separated by a semicolon (;). - If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. -- If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. +- If this policy setting is not configured at the computer level, restrictions are based on per-user policies. @@ -791,7 +794,8 @@ The locale list is specified using language tags, separated by a semicolon (;). - If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. -- If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. +- If this policy setting is not configured at the computer level, restrictions are based on per-user policies. diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index 8c9d4e91c9..f755796c17 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,10 +1,10 @@ --- title: ADMX_GroupPolicy Policy CSP -description: Learn more about the ADMX_GroupPolicy Area in Policy CSP +description: Learn more about the ADMX_GroupPolicy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_GroupPolicy > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,15 +46,15 @@ This policy setting allows user-based policy processing, roaming user profiles, This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists. -If you do not configure this policy setting: +- If you do not configure this policy setting: - No user-based policy settings are applied from the user's forest. - Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted. - Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer. - An event log message (1109) is posted, stating that loopback was invoked in Replace mode. -If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. +- If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest. -If you disable this policy setting, the behavior is the same as if it is not configured. +- If you disable this policy setting, the behavior is the same as if it is not configured. @@ -74,7 +72,7 @@ If you disable this policy setting, the behavior is the same as if it is not con > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -114,9 +112,9 @@ If you disable this policy setting, the behavior is the same as if it is not con This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. -If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. +- If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. -If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. +- If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity. @@ -134,7 +132,7 @@ If you disable or do not configure this policy setting, Group Policy will use th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -177,7 +175,8 @@ This policy setting affects all policy settings that use the software installati This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -199,7 +198,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -242,7 +241,8 @@ This policy setting affects all policies that use the disk quota component of Gr This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -266,7 +266,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -309,7 +309,8 @@ This policy setting affects all policies that use the encryption component of Gr It overrides customized settings that the program implementing the encryption policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -333,7 +334,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -376,7 +377,8 @@ This policy setting affects all policies that use the folder redirection compone This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -398,7 +400,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -441,7 +443,8 @@ This policy setting affects all policies that use the Internet Explorer Maintena This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -465,7 +468,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -508,7 +511,8 @@ This policy setting affects all policies that use the IP security component of G This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -532,7 +536,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -573,7 +577,8 @@ This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. @@ -595,7 +600,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -636,7 +641,8 @@ This policy setting determines when policies that assign shared scripts are upda This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this setting, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -660,7 +666,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -703,7 +709,8 @@ This policy setting affects all policies that use the security component of Grou This policy setting overrides customized settings that the program implementing the security policy set when it was installed. -If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. +- If you enable this policy setting, you can use the check boxes provided to change the options. +- If you disable or do not configure this policy setting, it has no effect on the system. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. @@ -725,7 +732,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -768,9 +775,9 @@ This policy setting affects all policies that use the wired network component of It overrides customized settings that the program implementing the wired network set when it was installed. -If you enable this policy, you can use the check boxes provided to change the options. +- If you enable this policy, you can use the check boxes provided to change the options. -If you disable this setting or do not configure it, it has no effect on the system. +- If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -794,7 +801,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -837,9 +844,9 @@ This policy setting affects all policies that use the wireless network component It overrides customized settings that the program implementing the wireless network set when it was installed. -If you enable this policy, you can use the check boxes provided to change the options. +- If you enable this policy, you can use the check boxes provided to change the options. -If you disable this setting or do not configure it, it has no effect on the system. +- If you disable this setting or do not configure it, it has no effect on the system. The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays. @@ -863,7 +870,7 @@ The "Process even if the Group Policy objects have not changed" option updates a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -883,6 +890,79 @@ The "Process even if the Group Policy objects have not changed" option updates a + +## DenyRsopToInteractiveUser_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 +``` + + + + +This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. + +By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. + +- If you enable this policy setting, interactive users cannot generate RSoP data. + +- If you disable or do not configure this policy setting, interactive users can generate RSoP. + +> [!NOTE] +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. + +> [!NOTE] +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc + +> [!NOTE] +> This policy setting exists as both a User Configuration and Computer Configuration setting. + +Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DenyRsopToInteractiveUser_1 | +| Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| Registry Value Name | DenyRsopToInteractiveUser | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + ## DenyRsopToInteractiveUser_2 @@ -904,15 +984,18 @@ This policy setting controls the ability of users to view their Resultant Set of By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. -If you enable this policy setting, interactive users cannot generate RSoP data. +- If you enable this policy setting, interactive users cannot generate RSoP data. -If you disable or do not configure this policy setting, interactive users can generate RSoP. +- If you disable or do not configure this policy setting, interactive users can generate RSoP. -Note: This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. +> [!NOTE] +> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. -Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc +> [!NOTE] +> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc -Note: This policy setting exists as both a User Configuration and Computer Configuration setting. +> [!NOTE] +> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. @@ -932,13 +1015,13 @@ Also, see the "Turn off Resultant set of Policy logging" policy setting in Compu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DenyRsopToInteractiveUser | +| Name | DenyRsopToInteractiveUser_2 | | Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | | Location | Computer Configuration | | Path | System > Group Policy | @@ -988,7 +1071,7 @@ This policy setting prevents the Group Policy Client Service from stopping when > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1009,6 +1092,70 @@ This policy setting prevents the Group Policy Client Service from stopping when + +## DisableAutoADMUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableAutoADMUpdate +``` + + + + +Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. + +By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. If the local files are newer, they are copied into the GPO. + +Changing the status of this setting to Enabled will keep any source files from copying to the GPO. + +Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp. + +NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoADMUpdate | +| Friendly Name | Turn off automatic update of ADM files | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | DisableAutoADMUpdate | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + ## DisableBackgroundPolicy @@ -1028,11 +1175,12 @@ This policy setting prevents the Group Policy Client Service from stopping when This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. -If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. +- If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings. -If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. +- If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings. -Note: If you make changes to this policy setting, you must restart your computer for it to take effect. +> [!NOTE] +> If you make changes to this policy setting, you must restart your computer for it to take effect. @@ -1050,7 +1198,7 @@ Note: If you make changes to this policy setting, you must restart your computer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1092,11 +1240,12 @@ This policy setting prevents Local Group Policy Objects (Local GPOs) from being By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied. -If you enable this policy setting, the system does not process and apply any Local GPOs. +- If you enable this policy setting, the system does not process and apply any Local GPOs. -If you disable or do not configure this policy setting, Local GPOs continue to be applied. +- If you disable or do not configure this policy setting, Local GPOs continue to be applied. -Note: For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. +> [!NOTE] +> For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup. @@ -1114,7 +1263,7 @@ Note: For computers joined to a domain, it is strongly recommended that you only > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1154,15 +1303,17 @@ Note: For computers joined to a domain, it is strongly recommended that you only This policy setting allows you to control a user's ability to invoke a computer policy refresh. -If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. +- If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs. -If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. +- If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user. -Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. +> [!NOTE] +> This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured. Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval. -Note: If you make changes to this policy setting, you must restart your computer for it to take effect. +> [!NOTE] +> If you make changes to this policy setting, you must restart your computer for it to take effect. @@ -1180,7 +1331,7 @@ Note: If you make changes to this policy setting, you must restart your computer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1220,11 +1371,11 @@ Note: If you make changes to this policy setting, you must restart your computer This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). -If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. +- If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences. -If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences. +- If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -1242,7 +1393,7 @@ If you do not configure this policy setting, the default behavior depends on the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1282,13 +1433,13 @@ If you do not configure this policy setting, the default behavior depends on the This policy setting allows you to configure Group Policy caching behavior. -If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +- If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. -If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +- If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) @@ -1306,7 +1457,7 @@ If you disable this policy setting, the Group Policy client will not cache appli > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1345,10 +1496,10 @@ If you disable this policy setting, the Group Policy client will not cache appli This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. -If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +- If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds. -If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) +- If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the "Configure Group Policy Slow Link Detection" policy setting to configure asynchronous foreground behavior.) @@ -1366,7 +1517,7 @@ If you disable or do not configure this policy setting, the Group Policy client > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1406,11 +1557,11 @@ If you disable or do not configure this policy setting, the Group Policy client This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. -If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. +- If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. -If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. +- If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -1428,7 +1579,7 @@ If you do not configure this policy setting, the default behavior depends on the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1449,6 +1600,73 @@ If you do not configure this policy setting, the default behavior depends on the + +## EnforcePoliciesOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnforcePoliciesOnly +``` + + + + +This policy setting prevents administrators from viewing or using Group Policy preferences. + +A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. + +- If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. + +- If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. + +> [!NOTE] +> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." + +In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnforcePoliciesOnly | +| Friendly Name | Enforce Show Policies Only | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | ShowPoliciesOnly | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + ## FontMitigation @@ -1484,13 +1702,13 @@ This security feature provides a global setting to prevent programs from loading > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Font_List | +| Name | FontMitigation | | Friendly Name | Untrusted Font Blocking | | Location | Computer Configuration | | Path | System > Mitigation Options | @@ -1504,6 +1722,144 @@ This security feature provides a global setting to prevent programs from loading + +## GPDCOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPDCOptions +``` + + + + +This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. + +- If you enable this setting, you can which domain controller is used according to these options: + +"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. + +"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. + +"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. + +- If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. + +> [!NOTE] +> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | GPDCOptions | +| Friendly Name | Configure Group Policy domain controller selection | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## GPTransferRate_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPTransferRate_1 +``` + + + + +This policy setting defines a slow connection for purposes of applying and updating Group Policy. + +If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. + +The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. + +- If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. + +- If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. + +This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. + +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile + +> [!NOTE] +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | GPTransferRate_1 | +| Friendly Name | Configure Group Policy slow link detection | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + ## GPTransferRate_2 @@ -1527,15 +1883,16 @@ If the rate at which data is transferred from the domain controller providing a The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. -If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. +- If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. -If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. +- If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. +Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile -**Note**: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. +> [!NOTE] +> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. @@ -1553,13 +1910,13 @@ Also, see the "Do not detect slow network connections" and related policies in C > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | GPTransferRate | +| Name | GPTransferRate_2 | | Friendly Name | Configure Group Policy slow link detection | | Location | Computer Configuration | | Path | System > Group Policy | @@ -1596,9 +1953,9 @@ In addition to background updates, Group Policy for the computer is always updat By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. +- If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. -If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. +- If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. The Set Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. @@ -1606,7 +1963,8 @@ This setting establishes the update rate for computer Group Policy. To set an up This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled. -Note: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. +> [!NOTE] +> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress. @@ -1624,7 +1982,7 @@ Note: Consider notifying users that their policy is updated periodically so that > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1665,13 +2023,14 @@ This policy setting specifies how often Group Policy is updated on domain contro By default, Group Policy on the domain controllers is updated every five minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. +- If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. -If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. +- If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly. -Note: This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. +> [!NOTE] +> This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting. @@ -1689,7 +2048,7 @@ Note: This setting is used only when you are establishing policy for a domain, s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1709,6 +2068,80 @@ Note: This setting is used only when you are establishing policy for a domain, s + +## GroupPolicyRefreshRateUser + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRateUser +``` + + + + +This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. + +In addition to background updates, Group Policy for users is always updated when users log on. + +By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. + +- If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. + +- If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. + +This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. + +> [!IMPORTANT] +> If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. + +> [!NOTE] +> This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). + +> [!TIP] +> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | GroupPolicyRefreshRateUser | +| Friendly Name | Set Group Policy refresh interval for users | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + ## LogonScriptDelay @@ -1726,17 +2159,17 @@ Note: This setting is used only when you are establishing policy for a domain, s -Enter “0” to disable Logon Script Delay. +Enter "0" to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. -If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. +- If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts. -If you disable this policy setting, Group Policy will run scripts immediately after logon. +- If you disable this policy setting, Group Policy will run scripts immediately after logon. -If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. +- If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts. @@ -1754,7 +2187,7 @@ If you do not configure this policy setting, Group Policy will wait five minutes > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1775,6 +2208,127 @@ If you do not configure this policy setting, Group Policy will wait five minutes + +## NewGPODisplayName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPODisplayName +``` + + + + +This policy setting allows you to set the default display name for new Group Policy objects. + +This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. + +The display name can contain environment variables and can be a maximum of 255 characters long. + +- If this setting is disabled or Not Configured, the default display name of New Group Policy object is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NewGPODisplayName | +| Friendly Name | Set default name for new Group Policy objects | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + + +## NewGPOLinksDisabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPOLinksDisabled +``` + + + + +This policy setting allows you to create new Group Policy object links in the disabled state. + +- If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. + +- If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NewGPOLinksDisabled | +| Friendly Name | Create new Group Policy Object links disabled by default | +| Location | User Configuration | +| Path | System > Group Policy | +| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | +| Registry Value Name | NewGPOLinksDisabled | +| ADMX File Name | GroupPolicy.admx | + + + + + + + + ## OnlyUseLocalAdminFiles @@ -1804,15 +2358,16 @@ This leads to the following behavior: You can change this behavior by using this setting. -If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. +- If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs. This leads to the following behavior: - If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. -If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. +- If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. -Note: If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. +> [!NOTE] +> If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing. @@ -1830,7 +2385,7 @@ Note: If the ADMs that you require are not all available locally in your %windir > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1911,13 +2466,13 @@ Setting flags not specified here to any value other than ? results in undefined > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ProcessMitigationOptions_List | +| Name | ProcessMitigationOptions | | Friendly Name | Process Mitigation Options | | Location | Computer and User Configuration | | Path | System > Mitigation Options | @@ -1966,7 +2521,7 @@ Enabling this setting will cause the Group Policy Client to connect to the same > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2008,11 +2563,12 @@ This setting allows you to enable or disable Resultant Set of Policy (RSoP) logg RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included. -If you enable this setting, RSoP logging is turned off. +- If you enable this setting, RSoP logging is turned off. -If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. +- If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on. -Note: To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). +> [!NOTE] +> To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC). @@ -2030,7 +2586,7 @@ Note: To view the RSoP information logged on a client computer, you can use the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2072,11 +2628,12 @@ This policy setting allows an administrator to define the Direct Access connecti When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined. -Note: When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). +> [!NOTE] +> When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection). -If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. +- If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions. -If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. +- If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link. @@ -2094,7 +2651,7 @@ If you disable this setting or do not configure it, Group Policy will evaluate t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2134,17 +2691,19 @@ If you disable this setting or do not configure it, Group Policy will evaluate t This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected. -If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. +- If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner. Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials, which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available. -Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection +> [!NOTE] +> that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference extension will not be applied. -Note: There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: +> [!NOTE] +> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled: 1 - At the first computer startup after the client computer has joined the domain. 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled. -If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. +- If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous. @@ -2162,7 +2721,7 @@ If you disable or do not configure this policy setting, detecting a slow network > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2202,9 +2761,9 @@ If you disable or do not configure this policy setting, detecting a slow network This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. -If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. +- If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time. -If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. +- If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system. @@ -2222,7 +2781,7 @@ If you disable or do not configure this policy setting, Group Policy will use th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2261,17 +2820,19 @@ If you disable or do not configure this policy setting, Group Policy will use th This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. -By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. +By default, the user's Group Policy Objects determine which user settings apply. +- If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. -If you enable this setting, you can select one of the following modes from the Mode box: +- If you enable this setting, you can select one of the following modes from the Mode box: "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. "Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. -If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. +- If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply. -Note: This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. +> [!NOTE] +> This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains. @@ -2289,7 +2850,7 @@ Note: This setting is effective only when both the computer account and the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2309,534 +2870,6 @@ Note: This setting is effective only when both the computer account and the user - -## DenyRsopToInteractiveUser_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DenyRsopToInteractiveUser_1 -``` - - - - -This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. - -By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. - -If you enable this policy setting, interactive users cannot generate RSoP data. - -If you disable or do not configure this policy setting, interactive users can generate RSoP. - -Note: This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data. - -Note: To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc - -Note: This policy setting exists as both a User Configuration and Computer Configuration setting. - -Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DenyRsopToInteractiveUser | -| Friendly Name | Determine if interactive users can generate Resultant Set of Policy data | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\System | -| Registry Value Name | DenyRsopToInteractiveUser | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## DisableAutoADMUpdate - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/DisableAutoADMUpdate -``` - - - - -Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. - -By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO. If the local files are newer, they are copied into the GPO. - -Changing the status of this setting to Enabled will keep any source files from copying to the GPO. - -Changing the status of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp. - -NOTE: If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableAutoADMUpdate | -| Friendly Name | Turn off automatic update of ADM files | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | -| Registry Value Name | DisableAutoADMUpdate | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## EnforcePoliciesOnly - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/EnforcePoliciesOnly -``` - - - - -This policy setting prevents administrators from viewing or using Group Policy preferences. - -A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys. - -If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear. - -If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command. - -Note: To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View." - -In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | EnforcePoliciesOnly | -| Friendly Name | Enforce Show Policies Only | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | -| Registry Value Name | ShowPoliciesOnly | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## GPDCOptions - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPDCOptions -``` - - - - -This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. - -If you enable this setting, you can which domain controller is used according to these options: - -"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. - -"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use. - -"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller. - -If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain. - -Note: To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters." - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | GPDCOptions | -| Friendly Name | Configure Group Policy domain controller selection | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## GPTransferRate_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GPTransferRate_1 -``` - - - - -This policy setting defines a slow connection for purposes of applying and updating Group Policy. - -If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow. - -The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links. - -If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast. - -If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second. - -This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder. - -Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. - -**Note**: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | GPTransferRate | -| Friendly Name | Configure Group Policy slow link detection | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\System | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## GroupPolicyRefreshRateUser - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/GroupPolicyRefreshRateUser -``` - - - - -This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. - -In addition to background updates, Group Policy for users is always updated when users log on. - -By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. - -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations. - -If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. - -This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly. - -Important: If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored. - -Note: This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy). - -Tip: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | GroupPolicyRefreshRateUser | -| Friendly Name | Set Group Policy refresh interval for users | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\System | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## NewGPODisplayName - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPODisplayName -``` - - - - -This policy setting allows you to set the default display name for new Group Policy objects. - -This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser. - -The display name can contain environment variables and can be a maximum of 255 characters long. - -If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NewGPODisplayName | -| Friendly Name | Set default name for new Group Policy objects | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - - -## NewGPOLinksDisabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/NewGPOLinksDisabled -``` - - - - -This policy setting allows you to create new Group Policy object links in the disabled state. - -If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system. - -If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NewGPOLinksDisabled | -| Friendly Name | Create new Group Policy Object links disabled by default | -| Location | User Configuration | -| Path | System > Group Policy | -| Registry Key Name | Software\Policies\Microsoft\Windows\Group Policy Editor | -| Registry Value Name | NewGPOLinksDisabled | -| ADMX File Name | GroupPolicy.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 1e23d7534a..08e004e302 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,10 +1,10 @@ --- title: ADMX_Help Policy CSP -description: Learn more about the ADMX_Help Area in Policy CSP +description: Learn more about the ADMX_Help Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Help > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ This policy setting allows you to exclude HTML Help Executable from being monito Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. -If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. +- If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. -If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTLM Help stops if DEP detects system memory abnormalities. +- If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTLM Help stops if DEP detects system memory abnormalities. @@ -68,7 +66,7 @@ If you disable or do not configure this policy setting, DEP is turned on for HTM > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,19 +106,21 @@ If you disable or do not configure this policy setting, DEP is turned on for HTM This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. -If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. +- If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders. To restrict the commands to one or more folders, enable the policy setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder". -Note: An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows. +> [!NOTE] +> An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows. The "Shortcut" command is used to add a link to a Help topic, and runs executables that are external to the Help file. The "WinHelp" command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on the Settings tab of the Policy Properties dialog box blank. -If you disable or do not configure this policy setting, these commands are fully functional for all Help files. +- If you disable or do not configure this policy setting, these commands are fully functional for all Help files. -Note: Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. +> [!NOTE] +> Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. For additional options, see the "Restrict these programs from being launched from Help" policy. @@ -140,7 +140,7 @@ For additional options, see the "Restrict these programs from being launched fro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -160,69 +160,6 @@ For additional options, see the "Restrict these programs from being launched fro - -## RestrictRunFromHelp_Comp - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Help/RestrictRunFromHelp_Comp -``` - - - - -This policy setting allows you to restrict programs from being run from online Help. - -If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. - -If you disable or do not configure this policy setting, users can run all applications from online Help. - -Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. - -Note: This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RestrictRunFromHelp_Comp | -| Friendly Name | Restrict these programs from being launched from Help | -| Location | Computer Configuration | -| Path | System | -| Registry Key Name | Software\Policies\Microsoft\Windows\System | -| ADMX File Name | Help.admx | - - - - - - - - ## RestrictRunFromHelp @@ -242,13 +179,15 @@ Note: This policy setting is available under Computer Configuration and User Con This policy setting allows you to restrict programs from being run from online Help. -If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. +- If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. -If you disable or do not configure this policy setting, users can run all applications from online Help. +- If you disable or do not configure this policy setting, users can run all applications from online Help. -Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. +> [!NOTE] +> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. -Note: This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help +> [!NOTE] +> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help @@ -266,7 +205,7 @@ Note: This policy setting is available under Computer Configuration and User Con > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -286,6 +225,71 @@ Note: This policy setting is available under Computer Configuration and User Con + +## RestrictRunFromHelp_Comp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Help/RestrictRunFromHelp_Comp +``` + + + + +This policy setting allows you to restrict programs from being run from online Help. + +- If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas. + +- If you disable or do not configure this policy setting, users can run all applications from online Help. + +> [!NOTE] +> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings. + +> [!NOTE] +> This policy setting is available under Computer Configuration and User Configuration. If both are settings are used, any programs listed in either of these locations cannot launched from Help + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RestrictRunFromHelp_Comp | +| Friendly Name | Restrict these programs from being launched from Help | +| Location | Computer Configuration | +| Path | System | +| Registry Key Name | Software\Policies\Microsoft\Windows\System | +| ADMX File Name | Help.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index 2098f1a31d..2fa008cfe0 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,10 +1,10 @@ --- title: ADMX_HelpAndSupport Policy CSP -description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP +description: Learn more about the ADMX_HelpAndSupport Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_HelpAndSupport > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. -If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. +- If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. -If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). +- If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, the default behavior app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,9 +104,9 @@ If you disable or do not configure this policy setting, the default behavior app This policy setting specifies whether users can provide ratings for Help content. -If you enable this policy setting, ratings controls are not added to Help content. +- If you enable this policy setting, ratings controls are not added to Help content. -If you disable or do not configure this policy setting, ratings controls are added to Help topics. +- If you disable or do not configure this policy setting, ratings controls are added to Help topics. Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. @@ -128,7 +126,7 @@ Users can use the control to provide feedback on the quality and usefulness of t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -168,9 +166,9 @@ Users can use the control to provide feedback on the quality and usefulness of t This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. -If you enable this policy setting, users cannot participate in the Help Experience Improvement program. +- If you enable this policy setting, users cannot participate in the Help Experience Improvement program. -If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. +- If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. @@ -188,7 +186,7 @@ If you disable or do not configure this policy setting, users can turn on the He > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -228,9 +226,9 @@ If you disable or do not configure this policy setting, users can turn on the He This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. -If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. +- If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. -If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. +- If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. @@ -248,7 +246,7 @@ If you disable or do not configure this policy setting, users can access online > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index 3d1f933b5d..b16c585854 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,10 +1,10 @@ --- title: ADMX_hotspotauth Policy CSP -description: Learn more about the ADMX_hotspotauth Area in Policy CSP +description: Learn more about the ADMX_hotspotauth Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_hotspotauth > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ This policy setting defines whether WLAN hotspots are probed for Wireless Intern If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. -If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. +- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. -If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. +- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. @@ -68,7 +66,7 @@ If you disable this policy setting, WLAN hotspots are not probed for WISPr proto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index a42e2c3941..27fdebb0e8 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,10 +1,10 @@ --- title: ADMX_ICM Policy CSP -description: Learn more about the ADMX_ICM Area in Policy CSP +description: Learn more about the ADMX_ICM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ICM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly. -If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. +- If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program. -If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. +- If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program. -If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. +- If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users. @@ -68,7 +66,7 @@ If you do not configure this policy setting, the administrator can use the Probl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,9 +108,9 @@ This policy setting specifies whether to automatically update root certificates Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities. -If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. +- If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities. -If you disable or do not configure this policy setting, your computer will contact the Windows Update website. +- If you disable or do not configure this policy setting, your computer will contact the Windows Update website. @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, your computer will conta > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -151,6 +149,138 @@ If you disable or do not configure this policy setting, your computer will conta + +## DisableHTTPPrinting_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableHTTPPrinting_1 +``` + + + + +This policy setting specifies whether to allow printing over HTTP from this client. + +Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. + +> [!NOTE] +> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. + +- If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. + +- If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. + +Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableHTTPPrinting_1 | +| Friendly Name | Turn off printing over HTTP | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableHTTPPrinting | +| ADMX File Name | ICM.admx | + + + + + + + + + +## DisableWebPnPDownload_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableWebPnPDownload_1 +``` + + + + +This policy setting specifies whether to allow this client to download print driver packages over HTTP. + +To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. + +> [!NOTE] +> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. + +- If you enable this policy setting, print drivers cannot be downloaded over HTTP. + +- If you disable or do not configure this policy setting, users can download print drivers over HTTP. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableWebPnPDownload_1 | +| Friendly Name | Turn off downloading of print drivers over HTTP | +| Location | User Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | +| Registry Value Name | DisableWebPnPDownload | +| ADMX File Name | ICM.admx | + + + + + + + + ## DriverSearchPlaces_DontSearchWindowsUpdate @@ -170,15 +300,16 @@ If you disable or do not configure this policy setting, your computer will conta This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present. -If you enable this policy setting, Windows Update is not searched when a new device is installed. +- If you enable this policy setting, Windows Update is not searched when a new device is installed. -If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. +- If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present. -If you do not configure this policy setting, searching Windows Update is optional when installing a device. +- If you do not configure this policy setting, searching Windows Update is optional when installing a device. Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally. -Note: This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. +> [!NOTE] +> This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows. @@ -196,7 +327,7 @@ Note: This policy setting is replaced by "Specify Driver Source Search Order" in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -238,9 +369,9 @@ This policy setting specifies whether "Events.asp" hyperlinks are available for The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred. -If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description. +- If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description. -If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". +- If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft. Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer". @@ -258,7 +389,7 @@ If you disable or do not configure this policy setting, the user can click the h > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -300,9 +431,9 @@ This policy setting specifies whether to show the "Did you know?" section of Hel This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer. -If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. +- If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content. -If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. +- If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content. You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection. @@ -322,7 +453,7 @@ You might want to enable this policy setting for users who do not have Internet > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -364,9 +495,9 @@ This policy setting specifies whether users can perform a Microsoft Knowledge Ba The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options. -If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. +- If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched. -If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. +- If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page. @@ -384,7 +515,7 @@ If you disable or do not configure this policy setting, the Knowledge Base is se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -405,6 +536,68 @@ If you disable or do not configure this policy setting, the Knowledge Base is se + +## InternetManagement_RestrictCommunication_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_ICM/InternetManagement_RestrictCommunication_1 +``` + + + + +This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. + +- If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. + +- If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. + +- If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | InternetManagement_RestrictCommunication_1 | +| Friendly Name | Restrict Internet communication | +| Location | User Configuration | +| Path | System > Internet Communication Management | +| Registry Key Name | Software\Policies\Microsoft\InternetManagement | +| Registry Value Name | RestrictCommunication | +| ADMX File Name | ICM.admx | + + + + + + + + ## InternetManagement_RestrictCommunication_2 @@ -424,11 +617,11 @@ If you disable or do not configure this policy setting, the Knowledge Base is se This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. -If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. +- If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. -If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. +- If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. -If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. +- If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. @@ -446,13 +639,13 @@ If you do not configure this policy setting, all of the the policy settings in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | InternetManagement_RestrictCommunication | +| Name | InternetManagement_RestrictCommunication_2 | | Friendly Name | Restrict Internet communication | | Location | Computer Configuration | | Path | System > Internet Communication Management | @@ -486,9 +679,9 @@ If you do not configure this policy setting, all of the the policy settings in t This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). -If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. +- If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers. -If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. +- If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area. @@ -506,7 +699,7 @@ If you disable or do not configure this policy setting, users can connect to Mic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -546,11 +739,11 @@ If you disable or do not configure this policy setting, users can connect to Mic This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. -If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. +- If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. -If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. +- If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration. -Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). +**Note** that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in). @@ -568,7 +761,7 @@ Note that registration is optional and involves submitting some personal informa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -610,9 +803,9 @@ This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. -If you enable this policy setting, users are not given the option to report errors. +- If you enable this policy setting, users are not given the option to report errors. -If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. +- If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share. This policy setting overrides any user setting made from the Control Panel for error reporting. @@ -634,7 +827,7 @@ Also see the "Configure Error Reporting", "Display Error Notification" and "Disa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -673,11 +866,12 @@ Also see the "Configure Error Reporting", "Display Error Notification" and "Disa This policy setting allows you to remove access to Windows Update. -If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at , from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. +- If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at , from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website. -If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. +- If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update. -Note: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. +> [!NOTE] +> This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. @@ -695,7 +889,7 @@ Note: This policy applies only when this PC is configured to connect to an intra > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -737,11 +931,12 @@ This policy setting specifies whether Search Companion should automatically down When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results. -If you enable this policy setting, Search Companion does not download content updates during searches. +- If you enable this policy setting, Search Companion does not download content updates during searches. -If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. +- If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search. -Note: Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. +> [!NOTE] +> Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely. @@ -759,7 +954,7 @@ Note: Internet searches still send the search text and information about the sea > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -780,510 +975,6 @@ Note: Internet searches still send the search text and information about the sea - -## ShellNoUseInternetOpenWith_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseInternetOpenWith_2 -``` - - - - -This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. - -When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. - -If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. - -If you disable or do not configure this policy setting, the user is allowed to use the Web service. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShellNoUseInternetOpenWith | -| Friendly Name | Turn off Internet File Association service | -| Location | Computer Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoInternetOpenWith | -| ADMX File Name | ICM.admx | - - - - - - - - - -## ShellNoUseStoreOpenWith_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseStoreOpenWith_2 -``` - - - - -This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. - -When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. - -If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. - -If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShellNoUseStoreOpenWith | -| Friendly Name | Turn off access to the Store | -| Location | Computer Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | NoUseStoreOpenWith | -| ADMX File Name | ICM.admx | - - - - - - - - - -## ShellRemoveOrderPrints_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemoveOrderPrints_2 -``` - - - - -This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. - -The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. - -If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. - -If you disable or do not configure this policy setting, the task is displayed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShellRemoveOrderPrints | -| Friendly Name | Turn off the "Order Prints" picture task | -| Location | Computer Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoOnlinePrintsWizard | -| ADMX File Name | ICM.admx | - - - - - - - - - -## ShellRemovePublishToWeb_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemovePublishToWeb_2 -``` - - - - -This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. - -The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. - -If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. - -If you disable or do not configure this policy setting, the tasks are shown. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShellRemovePublishToWeb | -| Friendly Name | Turn off the "Publish to Web" task for files and folders | -| Location | Computer Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoPublishingWizard | -| ADMX File Name | ICM.admx | - - - - - - - - - -## WinMSG_NoInstrumentation_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/WinMSG_NoInstrumentation_2 -``` - - - - -This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. - -With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. - -If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. - -If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. - -If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WinMSG_NoInstrumentation | -| Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | -| Location | Computer Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Policies\Microsoft\Messenger\Client | -| Registry Value Name | CEIP | -| ADMX File Name | ICM.admx | - - - - - - - - - -## DisableHTTPPrinting_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableHTTPPrinting_1 -``` - - - - -This policy setting specifies whether to allow printing over HTTP from this client. - -Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. - -Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. - -If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. - -If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. - -Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableHTTPPrinting | -| Friendly Name | Turn off printing over HTTP | -| Location | User Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | -| Registry Value Name | DisableHTTPPrinting | -| ADMX File Name | ICM.admx | - - - - - - - - - -## DisableWebPnPDownload_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ICM/DisableWebPnPDownload_1 -``` - - - - -This policy setting specifies whether to allow this client to download print driver packages over HTTP. - -To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. - -Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. - -If you enable this policy setting, print drivers cannot be downloaded over HTTP. - -If you disable or do not configure this policy setting, users can download print drivers over HTTP. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableWebPnPDownload | -| Friendly Name | Turn off downloading of print drivers over HTTP | -| Location | User Configuration | -| Path | InternetManagement > Internet Communication settings | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers | -| Registry Value Name | DisableWebPnPDownload | -| ADMX File Name | ICM.admx | - - - - - - - - - -## InternetManagement_RestrictCommunication_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_ICM/InternetManagement_RestrictCommunication_1 -``` - - - - -This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. - -If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet. - -If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet. - -If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | InternetManagement_RestrictCommunication | -| Friendly Name | Restrict Internet communication | -| Location | User Configuration | -| Path | System > Internet Communication Management | -| Registry Key Name | Software\Policies\Microsoft\InternetManagement | -| Registry Value Name | RestrictCommunication | -| ADMX File Name | ICM.admx | - - - - - - - - ## ShellNoUseInternetOpenWith_1 @@ -1305,9 +996,9 @@ This policy setting specifies whether to use the Microsoft Web service for findi When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. -If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. +- If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. -If you disable or do not configure this policy setting, the user is allowed to use the Web service. +- If you disable or do not configure this policy setting, the user is allowed to use the Web service. @@ -1325,13 +1016,13 @@ If you disable or do not configure this policy setting, the user is allowed to u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellNoUseInternetOpenWith | +| Name | ShellNoUseInternetOpenWith_1 | | Friendly Name | Turn off Internet File Association service | | Location | User Configuration | | Path | InternetManagement > Internet Communication settings | @@ -1346,6 +1037,68 @@ If you disable or do not configure this policy setting, the user is allowed to u + +## ShellNoUseInternetOpenWith_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseInternetOpenWith_2 +``` + + + + +This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. + +When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application. + +- If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed. + +- If you disable or do not configure this policy setting, the user is allowed to use the Web service. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellNoUseInternetOpenWith_2 | +| Friendly Name | Turn off Internet File Association service | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoInternetOpenWith | +| ADMX File Name | ICM.admx | + + + + + + + + ## ShellNoUseStoreOpenWith_1 @@ -1367,9 +1120,9 @@ This policy setting specifies whether to use the Store service for finding an ap When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. -If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. +- If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. -If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. +- If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. @@ -1387,13 +1140,13 @@ If you disable or do not configure this policy setting, the user is allowed to u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellNoUseStoreOpenWith | +| Name | ShellNoUseStoreOpenWith_1 | | Friendly Name | Turn off access to the Store | | Location | User Configuration | | Path | InternetManagement > Internet Communication settings | @@ -1408,6 +1161,68 @@ If you disable or do not configure this policy setting, the user is allowed to u + +## ShellNoUseStoreOpenWith_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellNoUseStoreOpenWith_2 +``` + + + + +This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. + +When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. + +- If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. + +- If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellNoUseStoreOpenWith_2 | +| Friendly Name | Turn off access to the Store | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUseStoreOpenWith | +| ADMX File Name | ICM.admx | + + + + + + + + ## ShellPreventWPWDownload_1 @@ -1429,9 +1244,9 @@ This policy setting specifies whether Windows should download a list of provider These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. -If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. +- If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. -If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. +- If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. @@ -1451,13 +1266,13 @@ See the documentation for the web publishing and online ordering wizards for mor > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellPreventWPWDownload | +| Name | ShellPreventWPWDownload_1 | | Friendly Name | Turn off Internet download for Web publishing and online ordering wizards | | Location | User Configuration | | Path | InternetManagement > Internet Communication settings | @@ -1493,9 +1308,9 @@ This policy setting specifies whether the "Order Prints Online" task is availabl The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. -If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. +- If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. -If you disable or do not configure this policy setting, the task is displayed. +- If you disable or do not configure this policy setting, the task is displayed. @@ -1513,13 +1328,13 @@ If you disable or do not configure this policy setting, the task is displayed. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellRemoveOrderPrints | +| Name | ShellRemoveOrderPrints_1 | | Friendly Name | Turn off the "Order Prints" picture task | | Location | User Configuration | | Path | InternetManagement > Internet Communication settings | @@ -1534,6 +1349,68 @@ If you disable or do not configure this policy setting, the task is displayed. + +## ShellRemoveOrderPrints_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemoveOrderPrints_2 +``` + + + + +This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. + +The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. + +- If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders. + +- If you disable or do not configure this policy setting, the task is displayed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellRemoveOrderPrints_2 | +| Friendly Name | Turn off the "Order Prints" picture task | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoOnlinePrintsWizard | +| ADMX File Name | ICM.admx | + + + + + + + + ## ShellRemovePublishToWeb_1 @@ -1555,9 +1432,9 @@ This policy setting specifies whether the tasks "Publish this file to the Web," The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. -If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. +- If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. -If you disable or do not configure this policy setting, the tasks are shown. +- If you disable or do not configure this policy setting, the tasks are shown. @@ -1575,13 +1452,13 @@ If you disable or do not configure this policy setting, the tasks are shown. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellRemovePublishToWeb | +| Name | ShellRemovePublishToWeb_1 | | Friendly Name | Turn off the "Publish to Web" task for files and folders | | Location | User Configuration | | Path | InternetManagement > Internet Communication settings | @@ -1596,6 +1473,68 @@ If you disable or do not configure this policy setting, the tasks are shown. + +## ShellRemovePublishToWeb_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/ShellRemovePublishToWeb_2 +``` + + + + +This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. + +The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web. + +- If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. + +- If you disable or do not configure this policy setting, the tasks are shown. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellRemovePublishToWeb_2 | +| Friendly Name | Turn off the "Publish to Web" task for files and folders | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoPublishingWizard | +| ADMX File Name | ICM.admx | + + + + + + + + ## WinMSG_NoInstrumentation_1 @@ -1617,11 +1556,11 @@ This policy setting specifies whether Windows Messenger collects anonymous infor With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. -If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. +- If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. -If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. +- If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. -If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. +- If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. @@ -1639,13 +1578,13 @@ If you do not configure this policy setting, users have the choice to opt in and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WinMSG_NoInstrumentation | +| Name | WinMSG_NoInstrumentation_1 | | Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | | Location | User Configuration | | Path | InternetManagement > Internet Communication settings | @@ -1660,6 +1599,70 @@ If you do not configure this policy setting, users have the choice to opt in and + +## WinMSG_NoInstrumentation_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_ICM/WinMSG_NoInstrumentation_2 +``` + + + + +This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. + +With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in future releases. + +- If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown. + +- If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. + +- If you do not configure this policy setting, users have the choice to opt in and allow information to be collected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WinMSG_NoInstrumentation_2 | +| Friendly Name | Turn off the Windows Messenger Customer Experience Improvement Program | +| Location | Computer Configuration | +| Path | InternetManagement > Internet Communication settings | +| Registry Key Name | Software\Policies\Microsoft\Messenger\Client | +| Registry Value Name | CEIP | +| ADMX File Name | ICM.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index a3cbe89e61..0af1df4d24 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,10 +1,10 @@ --- title: ADMX_IIS Policy CSP -description: Learn more about the ADMX_IIS Area in Policy CSP +description: Learn more about the ADMX_IIS Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_IIS > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,7 +42,9 @@ ms.topic: reference -"This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." +"This policy setting prevents installation of Internet Information Services (IIS) on this computer. +- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. +- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." @@ -62,7 +62,7 @@ ms.topic: reference > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index f7308d08d7..a7898086b3 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,10 +1,10 @@ --- title: ADMX_iSCSI Policy CSP -description: Learn more about the ADMX_iSCSI Area in Policy CSP +description: Learn more about the ADMX_iSCSI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_iSCSI > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,7 +60,7 @@ If enabled then new iSNS servers may not be added and thus new targets discovere > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -118,7 +116,7 @@ If enabled then new target portals may not be added and thus new targets discove > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -156,9 +154,7 @@ If enabled then new target portals may not be added and thus new targets discove -If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. - -**Note**: if enabled there may be cases where this will break VDS. +If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. **Note** if enabled there may be cases where this will break VDS. @@ -176,7 +172,7 @@ If enabled then discovered targets may not be manually configured. If disabled t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -214,9 +210,7 @@ If enabled then discovered targets may not be manually configured. If disabled t -If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. - -**Note**: if enabled there may be cases where this will break VDS. +If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. **Note** if enabled there may be cases where this will break VDS. @@ -234,7 +228,7 @@ If enabled then new targets may not be manually configured by entering the targe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -290,7 +284,7 @@ If enabled then do not allow the initiator iqn name to be changed. If disabled t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -346,7 +340,7 @@ If enabled then only those sessions that are established via a persistent login > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -402,7 +396,7 @@ If enabled then do not allow the initiator CHAP secret to be changed. If disable > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -458,7 +452,7 @@ If enabled then only those connections that are configured for IPSec may be esta > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -514,7 +508,7 @@ If enabled then only those sessions that are configured for mutual CHAP may be e > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -552,9 +546,7 @@ If enabled then only those sessions that are configured for mutual CHAP may be e -If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. - -**Note** that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one. +If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. **Note** that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one. @@ -572,7 +564,7 @@ If enabled then only those sessions that are configured for one-way CHAP may be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index beb1234d4b..0b0cd3777a 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,10 +1,10 @@ --- title: ADMX_kdc Policy CSP -description: Learn more about the ADMX_kdc Area in Policy CSP +description: Learn more about the ADMX_kdc Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_kdc > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. -If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. +- If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. -If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. +- If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. -**Note**: For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features. +> [!NOTE] +> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features. If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring. @@ -63,7 +62,8 @@ When the domain functional level is set to Windows Server 2012 then the domain c - If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. -**Warning**: When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. +> [!WARNING] +> When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled). @@ -88,7 +88,7 @@ Impact on domain controller performance when this policy setting is enabled: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -128,13 +128,14 @@ Impact on domain controller performance when this policy setting is enabled: This policy setting controls whether the domain controller provides information about previous logons to client computers. -If you enable this policy setting, the domain controller provides the information message about previous logons. +- If you enable this policy setting, the domain controller provides the information message about previous logons. For Windows Logon to leverage this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled. -If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. +- If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled. -**Note**: Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. +> [!NOTE] +> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything. @@ -152,7 +153,7 @@ If you disable or do not configure this policy setting, the domain controller do > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -192,9 +193,9 @@ If you disable or do not configure this policy setting, the domain controller do This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. +- If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. -If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. +- If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain. @@ -214,7 +215,7 @@ To ensure consistent behavior, this policy setting must be supported and set ide > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -252,17 +253,17 @@ To ensure consistent behavior, this policy setting must be supported and set ide -Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. +Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller's domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. -If you enable this policy setting, the following options are supported: +- If you enable this policy setting, the following options are supported: Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID. Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials. -If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. +- If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID. @@ -280,7 +281,7 @@ If you disable or not configure this policy setting, then the DC will never offe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -319,11 +320,12 @@ If you disable or not configure this policy setting, then the DC will never offe This policy setting allows you to configure a domain controller to request compound authentication. -**Note**: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. +> [!NOTE] +> For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. -If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. +- If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. -If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. +- If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration. @@ -341,7 +343,7 @@ If you disable or do not configure this policy setting, domain controllers will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -381,9 +383,9 @@ If you disable or do not configure this policy setting, domain controllers will This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. -If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. +- If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. -If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. +- If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions. @@ -401,7 +403,7 @@ If you disable or do not configure this policy setting, the threshold value defa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index aa6cfac797..1845af6733 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,10 +1,10 @@ --- title: ADMX_Kerberos Policy CSP -description: Learn more about the ADMX_Kerberos Area in Policy CSP +description: Learn more about the ADMX_Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Kerberos > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. -Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. +> [!NOTE] +> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. -If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. +- If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. -If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. +- If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. @@ -68,7 +67,7 @@ If you disable or do not configure this policy setting and the resource domain r > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,14 +109,14 @@ Support for device authentication using certificate will require connectivity to This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. -If you enable this policy setting, the device’s credentials will be selected based on the following options: +- If you enable this policy setting, the device’s credentials will be selected based on the following options: Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. -If you disable this policy setting, certificates will never be used. -If you do not configure this policy setting, Automatic will be used. +- If you disable this policy setting, certificates will never be used. +- If you do not configure this policy setting, Automatic will be used. @@ -135,7 +134,7 @@ If you do not configure this policy setting, Automatic will be used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -175,11 +174,11 @@ If you do not configure this policy setting, Automatic will be used. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. -If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +- If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. -If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. +- If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. -If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. +- If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. @@ -197,13 +196,13 @@ If you do not configure this policy setting, the system uses the host name-to-Ke > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | hosttorealm | +| Name | HostToRealm | | Friendly Name | Define host name-to-Kerberos realm mappings | | Location | Computer Configuration | | Path | System > Kerberos | @@ -237,10 +236,11 @@ If you do not configure this policy setting, the system uses the host name-to-Ke This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. -If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. -Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. +- If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. +> [!WARNING] +> When revocation check is ignored, the server represented by the certificate is not guaranteed valid. -If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. +- If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. @@ -258,7 +258,7 @@ If you disable or do not configure this policy setting, the Kerberos client enfo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -298,9 +298,9 @@ If you disable or do not configure this policy setting, the Kerberos client enfo This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. -If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +- If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. -If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. +- If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. @@ -318,7 +318,7 @@ If you disable or do not configure this policy setting, the Kerberos client does > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -358,11 +358,11 @@ If you disable or do not configure this policy setting, the Kerberos client does This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. -If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. +- If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. -If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. +- If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. -If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. +- If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. @@ -380,7 +380,7 @@ If you do not configure this policy setting, the system uses the interoperable K > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -422,7 +422,7 @@ This policy setting controls configuring the device's Active Directory account f Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. -If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: +- If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: Never: Compound authentication is never provided for this computer account. @@ -430,8 +430,8 @@ Automatic: Compound authentication is provided for this computer account when on Always: Compound authentication is always provided for this computer account. -If you disable this policy setting, Never will be used. -If you do not configure this policy setting, Automatic will be used. +- If you disable this policy setting, Never will be used. +- If you do not configure this policy setting, Automatic will be used. @@ -449,7 +449,7 @@ If you do not configure this policy setting, Automatic will be used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -489,9 +489,9 @@ If you do not configure this policy setting, Automatic will be used. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. -If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. +- If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. -If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. +- If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. @@ -509,7 +509,7 @@ If you disable or do not configure this policy setting, any service is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index e67a81aae5..6db1233f57 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,10 +1,10 @@ --- title: ADMX_LanmanServer Policy CSP -description: Learn more about the ADMX_LanmanServer Area in Policy CSP +description: Learn more about the ADMX_LanmanServer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_LanmanServer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting determines the cipher suites used by the SMB server. -If you enable this policy setting, cipher suites are prioritized in the order specified. +- If you enable this policy setting, cipher suites are prioritized in the order specified. -If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. +- If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. SMB 3.11 cipher suites: @@ -65,7 +63,8 @@ How to modify this setting: Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. -Note: When configuring this security setting, changes will not take effect until you restart Windows. +> [!NOTE] +> When configuring this security setting, changes will not take effect until you restart Windows. @@ -83,13 +82,13 @@ Note: When configuring this security setting, changes will not take effect until > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_CipherSuiteOrder_Name | +| Name | Pol_CipherSuiteOrder | | Friendly Name | Cipher suite order | | Location | Computer Configuration | | Path | Network > Lanman Server | @@ -156,7 +155,7 @@ In circumstances where this policy setting is enabled, you can also select the f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -233,7 +232,7 @@ Hash version supported: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -272,11 +271,12 @@ Hash version supported: This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. -If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. +- If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences. -If you disable or do not configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites. +- If you disable or do not configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites. -Note: When configuring this security setting, changes will not take effect until you restart Windows. +> [!NOTE] +> When configuring this security setting, changes will not take effect until you restart Windows. @@ -294,13 +294,13 @@ Note: When configuring this security setting, changes will not take effect until > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_HonorCipherSuiteOrder_Name | +| Name | Pol_HonorCipherSuiteOrder | | Friendly Name | Honor cipher suite order | | Location | Computer Configuration | | Path | Network > Lanman Server | diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 60fc930a3d..4b3d5a5868 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,10 +1,10 @@ --- title: ADMX_LanmanWorkstation Policy CSP -description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP +description: Learn more about the ADMX_LanmanWorkstation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_LanmanWorkstation > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting determines the cipher suites used by the SMB client. -If you enable this policy setting, cipher suites are prioritized in the order specified. +- If you enable this policy setting, cipher suites are prioritized in the order specified. -If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. +- If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used. SMB 3.11 cipher suites: @@ -65,7 +63,8 @@ How to modify this setting: Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use. -Note: When configuring this security setting, changes will not take effect until you restart Windows. +> [!NOTE] +> When configuring this security setting, changes will not take effect until you restart Windows. @@ -84,13 +83,13 @@ AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_CipherSuiteOrder_Name | +| Name | Pol_CipherSuiteOrder | | Friendly Name | Cipher suite order | | Location | Computer Configuration | | Path | Network > Lanman Workstation | @@ -123,11 +122,12 @@ AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. -If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. +- If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. -If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. +- If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares. -Note: This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. +> [!NOTE] +> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage. @@ -145,13 +145,13 @@ Note: This policy has no effect when connecting Scale-out File Server shares pro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_EnableHandleCachingForCAFiles_Name | +| Name | Pol_EnableHandleCachingForCAFiles | | Friendly Name | Handle Caching on Continuous Availability Shares | | Location | Computer Configuration | | Path | Network > Lanman Workstation | @@ -185,11 +185,12 @@ Note: This policy has no effect when connecting Scale-out File Server shares pro This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled. -If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. +- If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. -If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. +- If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares. -Note: Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. +> [!NOTE] +> Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states. @@ -207,13 +208,13 @@ Note: Microsoft does not recommend enabling this group policy. Use of CA with Of > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_EnableCSCforCAShares_Name | +| Name | Pol_EnableOfflineFilesforCAShares | | Friendly Name | Offline Files Availability on Continuous Availability Shares | | Location | Computer Configuration | | Path | Network > Lanman Workstation | diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index 46666166e3..3908dc2a9b 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -1,10 +1,10 @@ --- title: ADMX_LeakDiagnostic Policy CSP -description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP +description: Learn more about the ADMX_LeakDiagnostic Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_LeakDiagnostic > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,15 +44,16 @@ ms.topic: reference This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems. -If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default. +- If you enable or do not configure this policy setting, the DPS enables Windows Memory Leak Diagnosis by default. -If you disable this policy setting, the DPS is not able to diagnose memory leak problems. +- If you disable this policy setting, the DPS is not able to diagnose memory leak problems. This policy setting takes effect only under the following conditions: --- If the diagnostics-wide scenario execution policy is not configured. --- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. +- If the diagnostics-wide scenario execution policy is not configured. +- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. -Note: The DPS can be configured with the Services snap-in to the Microsoft Management Console. +> [!NOTE] +> The DPS can be configured with the Services snap-in to the Microsoft Management Console. No operating system restart or service restart is required for this policy to take effect. Changes take effect immediately. @@ -75,7 +74,7 @@ For Windows Server systems, this policy setting applies only if the Desktop Expe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index adbbc2cf3c..3d53041435 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -1,10 +1,10 @@ --- title: ADMX_LinkLayerTopologyDiscovery Policy CSP -description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP +description: Learn more about the ADMX_LinkLayerTopologyDiscovery Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_LinkLayerTopologyDiscovery > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ This policy setting changes the operational behavior of the Mapper I/O network p LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. -If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. +- If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. -If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply. +- If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply. @@ -68,7 +66,7 @@ If you disable or do not configure this policy setting, the default behavior of > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,9 +108,9 @@ This policy setting changes the operational behavior of the Responder network pr The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. -If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. +- If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead. -If you disable or do not configure this policy setting, the default behavior for the Responder will apply. +- If you disable or do not configure this policy setting, the default behavior for the Responder will apply. @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, the default behavior for > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index 18f83b496c..1bef7d5e63 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -1,10 +1,10 @@ --- title: ADMX_LocationProviderAdm Policy CSP -description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP +description: Learn more about the ADMX_LocationProviderAdm Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_LocationProviderAdm > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ ms.topic: reference This policy setting turns off the Windows Location Provider feature for this computer. -If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. +- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. -If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. +- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. @@ -68,13 +66,13 @@ If you disable or do not configure this policy setting, all programs on this com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableWindowsLocationProvider | +| Name | DisableWindowsLocationProvider_1 | | Friendly Name | Turn off Windows Location Provider | | Location | Computer Configuration | | Path | Windows Components > Location and Sensors > Windows Location Provider | diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 02114530b3..d95dcfdb4f 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md @@ -1,10 +1,10 @@ --- title: ADMX_Logon Policy CSP -description: Learn more about the ADMX_Logon Area in Policy CSP +description: Learn more about the ADMX_Logon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Logon > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy prevents the user from showing account details (email address or user name) on the sign-in screen. -If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. +- If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. -If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. +- If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, the user may choose to s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,8 +104,8 @@ If you disable or do not configure this policy setting, the user may choose to s This policy setting disables the acrylic blur effect on logon background image. -If you enable this policy, the logon background image shows without blur. -If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. +- If you enable this policy, the logon background image shows without blur. +- If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. @@ -125,7 +123,7 @@ If you disable or do not configure this policy, the logon background image adopt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -146,6 +144,75 @@ If you disable or do not configure this policy, the logon background image adopt + +## DisableExplorerRunLegacy_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunLegacy_1 +``` + + + + +This policy setting ignores the customized run list. + +You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. + +- If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. + +- If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. + +Also, see the "Do not process the run once list" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunLegacy_1 | +| Friendly Name | Do not process the legacy run list | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableCurrentUserRun | +| ADMX File Name | Logon.admx | + + + + + + + + ## DisableExplorerRunLegacy_2 @@ -167,15 +234,16 @@ This policy setting ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. -If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. +- If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. -If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. +- If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -Note: To create a customized run list by using a policy setting, use the ""Run these applications at startup"" policy setting. +> [!NOTE] +> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. -Also, see the ""Do not process the run once list"" policy setting. +Also, see the "Do not process the run once list" policy setting. @@ -193,13 +261,13 @@ Also, see the ""Do not process the run once list"" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableExplorerRunLegacy | +| Name | DisableExplorerRunLegacy_2 | | Friendly Name | Do not process the legacy run list | | Location | Computer Configuration | | Path | System > Logon | @@ -214,6 +282,75 @@ Also, see the ""Do not process the run once list"" policy setting. + +## DisableExplorerRunOnceLegacy_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunOnceLegacy_1 +``` + + + + +This policy setting ignores customized run-once lists. + +You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. + +- If you enable this policy setting, the system ignores the run-once list. + +- If you disable or do not configure this policy setting, the system runs the programs in the run-once list. + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + +> [!NOTE] +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. + +Also, see the "Do not process the legacy run list" policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableExplorerRunOnceLegacy_1 | +| Friendly Name | Do not process the run once list | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | DisableCurrentUserRunOnce | +| ADMX File Name | Logon.admx | + + + + + + + + ## DisableExplorerRunOnceLegacy_2 @@ -235,15 +372,16 @@ This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. -If you enable this policy setting, the system ignores the run-once list. +- If you enable this policy setting, the system ignores the run-once list. -If you disable or do not configure this policy setting, the system runs the programs in the run-once list. +- If you disable or do not configure this policy setting, the system runs the programs in the run-once list. This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. -Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. +> [!NOTE] +> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. -Also, see the ""Do not process the legacy run list"" policy setting. +Also, see the "Do not process the legacy run list" policy setting. @@ -261,13 +399,13 @@ Also, see the ""Do not process the legacy run list"" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableExplorerRunOnceLegacy | +| Name | DisableExplorerRunOnceLegacy_2 | | Friendly Name | Do not process the run once list | | Location | Computer Configuration | | Path | System > Logon | @@ -301,9 +439,9 @@ Also, see the ""Do not process the legacy run list"" policy setting. This policy setting suppresses system status messages. -If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. +- If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off. -If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. +- If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off. @@ -321,7 +459,7 @@ If you disable or do not configure this policy setting, the system displays the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -361,9 +499,9 @@ If you disable or do not configure this policy setting, the system displays the This policy setting prevents connected users from being enumerated on domain-joined computers. -If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. +- If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. -If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. +- If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers. @@ -381,7 +519,7 @@ If you disable or do not configure this policy setting, connected users will be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -402,6 +540,76 @@ If you disable or do not configure this policy setting, connected users will be + +## NoWelcomeTips_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/NoWelcomeTips_1 +``` + + + + +This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. + +- If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. + +Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. + +- If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. + +This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoWelcomeTips_1 | +| Friendly Name | Do not display the Getting Started welcome screen at logon | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoWelcomeScreen | +| ADMX File Name | Logon.admx | + + + + + + + + ## NoWelcomeTips_2 @@ -421,17 +629,19 @@ If you disable or do not configure this policy setting, connected users will be This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. -If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. +- If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. -Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welcome"" in the Run dialog box. +Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box. -If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. +- If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. -This setting applies only to Windows 2000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server. +This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server. -Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click ""Getting Started."" To suppress the welcome screen without specifying a setting, clear the ""Show this screen at startup"" check box on the welcome screen. +> [!TIP] +> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen. @@ -449,13 +659,13 @@ Tip: To display the welcome screen, click Start, point to Programs, point to Acc > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | NoWelcomeTips | +| Name | NoWelcomeTips_2 | | Friendly Name | Do not display the Getting Started welcome screen at logon | | Location | Computer Configuration | | Path | System > Logon | @@ -470,6 +680,72 @@ Tip: To display the welcome screen, click Start, point to Programs, point to Acc + +## Run_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Logon/Run_1 +``` + + + + +This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. + +- If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. + +To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. + +- If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. + +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_1 | +| Friendly Name | Run these programs at user logon | +| Location | User Configuration | +| Path | System > Logon | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | Logon.admx | + + + + + + + + ## Run_2 @@ -489,15 +765,16 @@ Tip: To display the welcome screen, click Start, point to Programs, point to Acc This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. -If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. +- If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. -If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. +- If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. -Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. -Also, see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" settings. +Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. @@ -515,13 +792,13 @@ Also, see the ""Do not process the legacy run list"" and the ""Do not process th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Run | +| Name | Run_2 | | Friendly Name | Run these programs at user logon | | Location | Computer Configuration | | Path | System > Logon | @@ -554,23 +831,23 @@ Also, see the ""Do not process the legacy run list"" and the ""Do not process th This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available. -Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. +**Note** that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected. If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized. -If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. +- If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously. On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). -If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon: -• The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and -• The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. +If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon +- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and +- The "Allow asynchronous user Group Policy processing when logging on through Terminal Services" policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\. If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon). -If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. +- If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background. -Notes: +**Note** -If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy. -If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available. @@ -590,7 +867,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -632,9 +909,9 @@ This policy setting ignores Windows Logon Background. This policy setting may be used to make Windows give preference to a custom logon background. -If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. +- If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background. -If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. +- If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background. @@ -652,7 +929,7 @@ If you disable or do not configure this policy setting, Windows uses the default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -694,11 +971,12 @@ This policy setting directs the system to display highly detailed status message This policy setting is designed for advanced users who require this information. -If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. +- If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system. -If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes. +- If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes. -Note: This policy setting is ignored if the ""Remove Boot/Shutdown/Logon/Logoff status messages"" policy setting is enabled. +> [!NOTE] +> This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled. @@ -716,7 +994,7 @@ Note: This policy setting is ignored if the ""Remove Boot/Shutdown/Logon/Logoff > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -737,275 +1015,6 @@ Note: This policy setting is ignored if the ""Remove Boot/Shutdown/Logon/Logoff - -## DisableExplorerRunLegacy_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunLegacy_1 -``` - - - - -This policy setting ignores the customized run list. - -You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts. - -If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional. - -If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list. - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - -Note: To create a customized run list by using a policy setting, use the ""Run these applications at startup"" policy setting. - -Also, see the ""Do not process the run once list"" policy setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableExplorerRunLegacy | -| Friendly Name | Do not process the legacy run list | -| Location | User Configuration | -| Path | System > Logon | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | DisableCurrentUserRun | -| ADMX File Name | Logon.admx | - - - - - - - - - -## DisableExplorerRunOnceLegacy_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Logon/DisableExplorerRunOnceLegacy_1 -``` - - - - -This policy setting ignores customized run-once lists. - -You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. - -If you enable this policy setting, the system ignores the run-once list. - -If you disable or do not configure this policy setting, the system runs the programs in the run-once list. - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - -Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. - -Also, see the ""Do not process the legacy run list"" policy setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableExplorerRunOnceLegacy | -| Friendly Name | Do not process the run once list | -| Location | User Configuration | -| Path | System > Logon | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | DisableCurrentUserRunOnce | -| ADMX File Name | Logon.admx | - - - - - - - - - -## NoWelcomeTips_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Logon/NoWelcomeTips_1 -``` - - - - -This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. - -If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied. - -Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welcome"" in the Run dialog box. - -If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. - -This setting applies only to Windows 2000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server. - -Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click ""Getting Started."" To suppress the welcome screen without specifying a setting, clear the ""Show this screen at startup"" check box on the welcome screen. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoWelcomeTips | -| Friendly Name | Do not display the Getting Started welcome screen at logon | -| Location | User Configuration | -| Path | System | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoWelcomeScreen | -| ADMX File Name | Logon.admx | - - - - - - - - - -## Run_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Logon/Run_1 -``` - - - - -This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. - -If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied. - -To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file. - -If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon. - -Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting. - -Also, see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" settings. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run | -| Friendly Name | Run these programs at user logon | -| Location | User Configuration | -| Path | System > Logon | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| ADMX File Name | Logon.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 865a8854ec..7cc5313827 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -1,6 +1,6 @@ --- title: ADMX_MicrosoftDefenderAntivirus Policy CSP -description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP +description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa @@ -361,7 +361,7 @@ Real-time protection consists of always-on scanning with file and process behavi - If you enable this policy setting, real-time protection is turned off. -If you either disable or do not configure this policy setting, real-time protection is turned on. +- If you either disable or do not configure this policy setting, real-time protection is turned on. @@ -3255,10 +3255,16 @@ This policy setting allows you to configure heuristics. Suspicious detections wi + > [!TIP] > This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Scan_DisablePackedExeScanning | +| ADMX File Name | WindowsDefender.admx | diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 432f506c62..1956accd4b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -1,6 +1,6 @@ --- title: ADMX_MMC Policy CSP -description: Learn more about the ADMX_MMC Area in Policy CSP +description: Learn more about the ADMX_MMC Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index 29f52008eb..b4f74ad73e 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -1,10 +1,10 @@ --- title: ADMX_MMCSnapins Policy CSP -description: Learn more about the ADMX_MMCSnapins Area in Policy CSP +description: Learn more about the ADMX_MMCSnapins Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MMCSnapins > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,15 +44,17 @@ ms.topic: reference This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -74,7 +74,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -114,15 +114,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -142,7 +144,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -182,15 +184,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -210,7 +214,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -250,15 +254,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -278,13 +284,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ADMComputers | +| Name | MMC_ADMComputers_1 | | Friendly Name | Administrative Templates (Computers) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -318,15 +324,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -346,13 +354,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ADMComputers | +| Name | MMC_ADMComputers_2 | | Friendly Name | Administrative Templates (Computers) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -386,15 +394,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -414,13 +424,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ADMUsers | +| Name | MMC_ADMUsers_1 | | Friendly Name | Administrative Templates (Users) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -454,15 +464,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -482,13 +494,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ADMUsers | +| Name | MMC_ADMUsers_2 | | Friendly Name | Administrative Templates (Users) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -522,15 +534,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -550,7 +564,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -590,15 +604,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -618,7 +634,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -658,15 +674,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -686,7 +704,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -726,15 +744,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -754,7 +774,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -794,15 +814,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -822,7 +844,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -862,15 +884,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -890,7 +914,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -930,15 +954,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -958,7 +984,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -998,15 +1024,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1026,7 +1054,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1066,15 +1094,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1094,7 +1124,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1134,15 +1164,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1162,7 +1194,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1202,15 +1234,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1230,7 +1264,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1270,15 +1304,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1298,13 +1334,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_DeviceManager | +| Name | MMC_DeviceManager_1 | | Friendly Name | Device Manager | | Location | User Configuration | | Path | MMC_RESTRICT > Extension snap-ins | @@ -1338,15 +1374,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1366,13 +1404,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_DeviceManager | +| Name | MMC_DeviceManager_2 | | Friendly Name | Device Manager | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins | @@ -1406,15 +1444,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1434,7 +1474,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1474,15 +1514,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1502,7 +1544,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1542,15 +1584,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1570,7 +1614,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1610,15 +1654,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1638,7 +1684,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1678,15 +1724,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1706,7 +1754,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1746,15 +1794,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1774,13 +1824,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_EventViewer | +| Name | MMC_EventViewer_1 | | Friendly Name | Event Viewer | | Location | User Configuration | | Path | MMC_RESTRICT > Extension snap-ins | @@ -1814,15 +1864,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1842,7 +1894,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1882,15 +1934,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1910,13 +1964,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_EventViewer | +| Name | MMC_EventViewer_3 | | Friendly Name | Event Viewer | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins | @@ -1950,15 +2004,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -1978,13 +2034,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_EventViewer_2 | +| Name | MMC_EventViewer_4 | | Friendly Name | Event Viewer (Windows Vista) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins | @@ -2018,15 +2074,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2046,7 +2104,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2086,15 +2144,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2114,7 +2174,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2154,15 +2214,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2182,13 +2244,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_FolderRedirection | +| Name | MMC_FolderRedirection_1 | | Friendly Name | Folder Redirection | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -2222,15 +2284,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2250,13 +2314,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_FolderRedirection | +| Name | MMC_FolderRedirection_2 | | Friendly Name | Folder Redirection | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -2290,15 +2354,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2318,7 +2384,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2358,15 +2424,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2386,7 +2454,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2426,15 +2494,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2454,7 +2524,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2494,15 +2564,15 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. -If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. +- If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins. If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed. --- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab. +- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users will not have access to the Group Policy tab. To explicitly permit use of the Group Policy tab, enable this setting. If this setting is not configured (or disabled), the Group Policy tab is inaccessible. --- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab. +- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users will have access to the Group Policy tab. To explicitly prohibit use of the Group Policy tab, disable this setting. If this setting is not configured (or enabled), the Group Policy tab is accessible. @@ -2524,7 +2594,7 @@ When the Group Policy tab is inaccessible, it does not appear in the site, domai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2564,15 +2634,17 @@ When the Group Policy tab is inaccessible, it does not appear in the site, domai This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2592,7 +2664,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2632,15 +2704,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2660,7 +2734,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2700,15 +2774,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2728,7 +2804,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2768,15 +2844,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2796,13 +2874,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_IEMaintenance | +| Name | MMC_IEMaintenance_1 | | Friendly Name | Internet Explorer Maintenance | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -2836,15 +2914,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2864,13 +2944,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_IEMaintenance | +| Name | MMC_IEMaintenance_2 | | Friendly Name | Internet Explorer Maintenance | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -2904,15 +2984,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -2932,7 +3014,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2972,15 +3054,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3000,7 +3084,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3040,15 +3124,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3068,7 +3154,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3108,15 +3194,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3136,7 +3224,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3176,15 +3264,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3204,7 +3294,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3244,15 +3334,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3272,13 +3364,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_IpSecManage | +| Name | MMC_IPSecManage_GP | | Friendly Name | IP Security Policy Management | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -3312,15 +3404,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3340,7 +3434,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3380,15 +3474,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3408,7 +3504,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3448,15 +3544,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3476,7 +3574,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3516,15 +3614,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3544,7 +3644,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3584,15 +3684,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3612,7 +3714,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3652,15 +3754,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3680,7 +3784,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3720,15 +3824,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3748,7 +3854,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3788,15 +3894,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3816,13 +3924,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_NapSnap | +| Name | MMC_NapSnap_GP | | Friendly Name | NAP Client Configuration | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -3856,15 +3964,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3884,7 +3994,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3924,15 +4034,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -3952,7 +4064,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3992,15 +4104,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4020,7 +4134,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4060,15 +4174,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4088,7 +4204,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4128,15 +4244,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4156,7 +4274,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4196,15 +4314,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4224,7 +4344,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4264,15 +4384,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4292,7 +4414,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4332,15 +4454,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4360,7 +4484,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4400,15 +4524,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4428,7 +4554,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4468,15 +4594,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4496,7 +4624,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4536,15 +4664,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4564,7 +4694,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4604,15 +4734,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4632,7 +4764,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4672,15 +4804,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4700,7 +4834,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4740,15 +4874,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4768,7 +4904,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4808,15 +4944,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4836,7 +4974,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4876,15 +5014,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4904,7 +5044,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4944,15 +5084,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -4972,7 +5114,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5012,15 +5154,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5040,7 +5184,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5080,15 +5224,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5108,13 +5254,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ScriptsMachine | +| Name | MMC_ScriptsMachine_1 | | Friendly Name | Scripts (Startup/Shutdown) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -5148,15 +5294,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5176,13 +5324,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ScriptsMachine | +| Name | MMC_ScriptsMachine_2 | | Friendly Name | Scripts (Startup/Shutdown) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -5216,15 +5364,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5244,13 +5394,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ScriptsUser | +| Name | MMC_ScriptsUser_1 | | Friendly Name | Scripts (Logon/Logoff) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -5284,15 +5434,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5312,13 +5464,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_ScriptsUser | +| Name | MMC_ScriptsUser_2 | | Friendly Name | Scripts (Logon/Logoff) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -5352,15 +5504,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5380,13 +5534,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_SecuritySettings | +| Name | MMC_SecuritySettings_1 | | Friendly Name | Security Settings | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -5420,15 +5574,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5448,13 +5604,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_SecuritySettings | +| Name | MMC_SecuritySettings_2 | | Friendly Name | Security Settings | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -5488,15 +5644,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5516,7 +5674,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5556,15 +5714,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5584,7 +5744,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5624,15 +5784,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5652,7 +5814,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5692,15 +5854,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5720,7 +5884,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5760,15 +5924,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5788,7 +5954,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5828,15 +5994,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5856,7 +6024,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5896,15 +6064,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5924,7 +6094,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5964,15 +6134,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -5992,7 +6164,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6032,15 +6204,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6060,7 +6234,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6100,15 +6274,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6128,13 +6304,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_SoftwareInstalationComputers | +| Name | MMC_SoftwareInstalationComputers_1 | | Friendly Name | Software Installation (Computers) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -6168,15 +6344,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6196,13 +6374,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_SoftwareInstalationComputers | +| Name | MMC_SoftwareInstalationComputers_2 | | Friendly Name | Software Installation (Computers) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -6236,15 +6414,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6264,13 +6444,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_SoftwareInstallationUsers | +| Name | MMC_SoftwareInstallationUsers_1 | | Friendly Name | Software Installation (Users) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -6304,15 +6484,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6332,13 +6514,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_SoftwareInstallationUsers | +| Name | MMC_SoftwareInstallationUsers_2 | | Friendly Name | Software Installation (Users) | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Resultant Set of Policy snap-in extensions | @@ -6372,15 +6554,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6400,7 +6584,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6440,15 +6624,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6468,7 +6654,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6508,15 +6694,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6536,7 +6724,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6576,15 +6764,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6604,7 +6794,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6644,15 +6834,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6672,7 +6864,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6712,15 +6904,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6740,7 +6934,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6780,15 +6974,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6808,13 +7004,13 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MMC_WindowsFirewall | +| Name | MMC_WindowsFirewall_GP | | Friendly Name | Windows Firewall with Advanced Security | | Location | User Configuration | | Path | MMC > Restricted/Permitted snap-ins > Group Policy > Group Policy snap-in extensions | @@ -6848,15 +7044,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6876,7 +7074,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6916,15 +7114,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -6944,7 +7144,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6984,15 +7184,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -7012,7 +7214,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7052,15 +7254,17 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo This policy setting permits or prohibits the use of this snap-in. -If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. +- If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. -If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. +- If you disable this policy setting, the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in. -If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. +- If this policy setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. If this policy setting is not configured or disabled, this snap-in is prohibited. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in, enable this policy setting. +- If this policy setting is not configured or disabled, this snap-in is prohibited. --- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. If this policy setting is not configured or enabled, the snap-in is permitted. +- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in, disable this policy setting. +- If this policy setting is not configured or enabled, the snap-in is permitted. When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear. @@ -7080,7 +7284,7 @@ When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index 7729557364..3e4935741b 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -1,10 +1,10 @@ --- title: ADMX_MobilePCMobilityCenter Policy CSP -description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP +description: Learn more about the ADMX_MobilePCMobilityCenter Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MobilePCMobilityCenter > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,68 +25,6 @@ ms.topic: reference - -## MobilityCenterEnable_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 -``` - - - - -This policy setting turns off Windows Mobility Center. - -If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. - -If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. - -If you do not configure this policy setting, Windows Mobility Center is on by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | MobilityCenterEnable | -| Friendly Name | Turn off Windows Mobility Center | -| Location | Computer Configuration | -| Path | Windows Components > Windows Mobility Center | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter | -| Registry Value Name | NoMobilityCenter | -| ADMX File Name | MobilePCMobilityCenter.admx | - - - - - - - - ## MobilityCenterEnable_1 @@ -108,11 +44,11 @@ If you do not configure this policy setting, Windows Mobility Center is on by de This policy setting turns off Windows Mobility Center. -If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. +- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. -If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. +- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. -If you do not configure this policy setting, Windows Mobility Center is on by default. +- If you do not configure this policy setting, Windows Mobility Center is on by default. @@ -130,13 +66,13 @@ If you do not configure this policy setting, Windows Mobility Center is on by de > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | MobilityCenterEnable | +| Name | MobilityCenterEnable_1 | | Friendly Name | Turn off Windows Mobility Center | | Location | User Configuration | | Path | Windows Components > Windows Mobility Center | @@ -151,6 +87,68 @@ If you do not configure this policy setting, Windows Mobility Center is on by de + +## MobilityCenterEnable_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2 +``` + + + + +This policy setting turns off Windows Mobility Center. + +- If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. + +- If you disable this policy setting, the user is able to invoke Windows Mobility Center and the .exe file launches it. + +- If you do not configure this policy setting, Windows Mobility Center is on by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | MobilityCenterEnable_2 | +| Friendly Name | Turn off Windows Mobility Center | +| Location | Computer Configuration | +| Path | Windows Components > Windows Mobility Center | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter | +| Registry Value Name | NoMobilityCenter | +| ADMX File Name | MobilePCMobilityCenter.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index 5b7f75dc59..ad7d9672ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -1,10 +1,10 @@ --- title: ADMX_MobilePCPresentationSettings Policy CSP -description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP +description: Learn more about the ADMX_MobilePCPresentationSettings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MobilePCPresentationSettings > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,70 +25,6 @@ ms.topic: reference - -## PresentationSettingsEnable_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 -``` - - - - -This policy setting turns off Windows presentation settings. - -If you enable this policy setting, Windows presentation settings cannot be invoked. - -If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. - -Note: Users will be able to customize their system settings for presentations in Windows Mobility Center. - -If you do not configure this policy setting, Windows presentation settings can be invoked. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PresentationSettingsEnable | -| Friendly Name | Turn off Windows presentation settings | -| Location | Computer Configuration | -| Path | Windows Components > Presentation Settings | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings | -| Registry Value Name | NoPresentationSettings | -| ADMX File Name | MobilePCPresentationSettings.admx | - - - - - - - - ## PresentationSettingsEnable_1 @@ -110,13 +44,14 @@ If you do not configure this policy setting, Windows presentation settings can b This policy setting turns off Windows presentation settings. -If you enable this policy setting, Windows presentation settings cannot be invoked. +- If you enable this policy setting, Windows presentation settings cannot be invoked. -If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. +- If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. -Note: Users will be able to customize their system settings for presentations in Windows Mobility Center. +> [!NOTE] +> Users will be able to customize their system settings for presentations in Windows Mobility Center. -If you do not configure this policy setting, Windows presentation settings can be invoked. +- If you do not configure this policy setting, Windows presentation settings can be invoked. @@ -134,13 +69,13 @@ If you do not configure this policy setting, Windows presentation settings can b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PresentationSettingsEnable | +| Name | PresentationSettingsEnable_1 | | Friendly Name | Turn off Windows presentation settings | | Location | User Configuration | | Path | Windows Components > Presentation Settings | @@ -155,6 +90,71 @@ If you do not configure this policy setting, Windows presentation settings can b + +## PresentationSettingsEnable_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2 +``` + + + + +This policy setting turns off Windows presentation settings. + +- If you enable this policy setting, Windows presentation settings cannot be invoked. + +- If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking, adjust speaker volume, and apply a custom background image. + +> [!NOTE] +> Users will be able to customize their system settings for presentations in Windows Mobility Center. + +- If you do not configure this policy setting, Windows presentation settings can be invoked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PresentationSettingsEnable_2 | +| Friendly Name | Turn off Windows presentation settings | +| Location | Computer Configuration | +| Path | Windows Components > Presentation Settings | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings | +| Registry Value Name | NoPresentationSettings | +| ADMX File Name | MobilePCPresentationSettings.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 4d46d934a5..aac8c8c118 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -1,10 +1,10 @@ --- title: ADMX_MSAPolicy Policy CSP -description: Learn more about the ADMX_MSAPolicy Area in Policy CSP +description: Learn more about the ADMX_MSAPolicy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MSAPolicy > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,9 +42,11 @@ ms.topic: reference -This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This setting controls whether users can provide Microsoft accounts for authentication for applications or services. +- If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. -It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. +It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. +- If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. @@ -65,7 +65,7 @@ By default, this setting is Disabled. This setting does not affect whether users > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 3ed691224f..a42f6715cd 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -1,10 +1,10 @@ --- title: ADMX_msched Policy CSP -description: Learn more about the ADMX_msched Area in Policy CSP +description: Learn more about the ADMX_msched Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_msched > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ This policy setting allows you to configure Automatic Maintenance activation bou The maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts -If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. +- If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel. -If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. +- If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. @@ -68,13 +66,13 @@ If you disable or do not configure this policy setting, the daily scheduled time > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ActivationBoundary | +| Name | ActivationBoundaryPolicy | | Friendly Name | Automatic Maintenance Activation Boundary | | Location | Computer Configuration | | Path | Windows Components > Maintenance Scheduler | @@ -109,11 +107,11 @@ This policy setting allows you to configure Automatic Maintenance activation ran The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. -If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by upto this time. +- If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by upto this time. -If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. +- If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance. -If you disable this policy setting, no random delay will be applied to Automatic Maintenance. +- If you disable this policy setting, no random delay will be applied to Automatic Maintenance. @@ -131,13 +129,13 @@ If you disable this policy setting, no random delay will be applied to Automatic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RandomDelay | +| Name | RandomDelayPolicy | | Friendly Name | Automatic Maintenance Random Delay | | Location | Computer Configuration | | Path | Windows Components > Maintenance Scheduler | diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 0eec454b10..cdfeba781c 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -1,10 +1,10 @@ --- title: ADMX_MSDT Policy CSP -description: Learn more about the ADMX_MSDT Area in Policy CSP +description: Learn more about the ADMX_MSDT Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MSDT > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,13 @@ ms.topic: reference This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. -If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. +- If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is set to Microsoft Corporation. -If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. +- If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider. -If you do not configure this policy setting, MSDT support mode is enabled by default. +- If you do not configure this policy setting, MSDT support mode is enabled by default. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. @@ -72,7 +70,7 @@ No reboots or service restarts are required for this policy setting to take effe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -116,11 +114,12 @@ Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by These tools are required to completely troubleshoot the problem. If tool download is restricted, it may not be possible to find the root cause of the problem. -If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. +- If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only. +- If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading. -If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. +- If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers. -If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. +- If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately. @@ -144,7 +143,7 @@ This policy setting will only take effect when the Diagnostic Policy Service (DP > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -186,11 +185,11 @@ This policy setting determines the execution level for Microsoft Support Diagnos Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. -If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. +- If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. -If you disable this policy setting, MSDT cannot gather diagnostic data. +- If you disable this policy setting, MSDT cannot gather diagnostic data. -If you do not configure this policy setting, MSDT is turned on by default. +- If you do not configure this policy setting, MSDT is turned on by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -214,7 +213,7 @@ This policy setting will only take effect when the Diagnostic Policy Service (DP > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index 029cad0fa5..637630abaf 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -1,10 +1,10 @@ --- title: ADMX_MSI Policy CSP -description: Learn more about the ADMX_MSI Area in Policy CSP +description: Learn more about the ADMX_MSI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MSI > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,13 @@ ms.topic: reference This policy setting allows users to search for installation files during privileged installations. -If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. +- If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges. Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow. This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting. -If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. +- If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. @@ -70,7 +68,7 @@ If you disable or do not configure this policy setting, by default, only system > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,11 +108,11 @@ If you disable or do not configure this policy setting, by default, only system This policy setting allows users to install programs from removable media during privileged installations. -If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. +- If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges. This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context. -If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. +- If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media. Also, see the "Prevent removable media source for any install" policy setting. @@ -134,7 +132,7 @@ Also, see the "Prevent removable media source for any install" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -174,9 +172,9 @@ Also, see the "Prevent removable media source for any install" policy setting. This policy setting allows users to patch elevated products. -If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. +- If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use. -If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. +- If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs. This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting. @@ -196,7 +194,7 @@ This policy setting does not affect installations that run in the user's securit > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -236,15 +234,15 @@ This policy setting does not affect installations that run in the user's securit This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. -If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. +- If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior. --- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. +- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible. --- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. +- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used. --- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. +- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection. -If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. +- If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible. @@ -262,7 +260,7 @@ If you disable or do not configure this policy setting, Windows Installer will u > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -301,11 +299,11 @@ If you disable or do not configure this policy setting, Windows Installer will u This policy setting prevents users from searching for installation files when they add features or components to an installed program. -If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. +- If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures. This policy setting applies even when the installation is running in the user's security context. -If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. +- If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files. @@ -327,7 +325,7 @@ Also, see the "Enable user to browse for source while elevated" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -367,9 +365,9 @@ Also, see the "Enable user to browse for source while elevated" policy setting. This policy setting controls the ability to turn off all patch optimizations. -If you enable this policy setting, all Patch Optimization options are turned off during the installation. +- If you enable this policy setting, all Patch Optimization options are turned off during the installation. -If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. +- If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing. @@ -387,7 +385,7 @@ If you disable or do not configure this policy setting, it enables faster applic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -426,13 +424,13 @@ If you disable or do not configure this policy setting, it enables faster applic This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. -If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. +- If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior. --- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. +- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property. --- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. +- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy. -If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. +- If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property. @@ -450,7 +448,7 @@ If you disable or do not configure this policy setting, Windows Installer will a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -470,6 +468,70 @@ If you disable or do not configure this policy setting, Windows Installer will a + +## DisableMedia + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMedia +``` + + + + +This policy setting prevents users from installing any programs from removable media. + +- If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. + +This policy setting applies even when the installation is running in the user's security context. + +- If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. + +Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableMedia | +| Friendly Name | Prevent removable media source for any installation | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableMedia | +| ADMX File Name | MSI.admx | + + + + + + + + ## DisableMSI @@ -489,13 +551,13 @@ If you disable or do not configure this policy setting, Windows Installer will a This policy setting restricts the use of Windows Installer. -If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. +- If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. --- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. +- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured. --- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. +- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. --- The "Always" option indicates that Windows Installer is disabled. +- The "Always" option indicates that Windows Installer is disabled. This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs. @@ -515,7 +577,7 @@ This policy setting affects Windows Installer only. It does not prevent users fr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -554,11 +616,12 @@ This policy setting affects Windows Installer only. It does not prevent users fr This policy setting prevents users from using Windows Installer to install patches. -If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. +- If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use. -Note: This policy setting applies only to installations that run in the user's security context. +> [!NOTE] +> This policy setting applies only to installations that run in the user's security context. -If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. +- If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs. Also, see the "Enable user to patch elevated products" policy setting. @@ -578,7 +641,7 @@ Also, see the "Enable user to patch elevated products" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -599,6 +662,68 @@ Also, see the "Enable user to patch elevated products" policy setting. + +## DisableRollback_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_1 +``` + + + + +This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. + +- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. + +This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. + +This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRollback_1 | +| Friendly Name | Prohibit rollback | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| Registry Value Name | DisableRollback | +| ADMX File Name | MSI.admx | + + + + + + + + ## DisableRollback_2 @@ -618,7 +743,7 @@ Also, see the "Enable user to patch elevated products" policy setting. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. +- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. @@ -640,13 +765,13 @@ This policy setting appears in the Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableRollback | +| Name | DisableRollback_2 | | Friendly Name | Prohibit rollback | | Location | Computer Configuration | | Path | Windows Components > Windows Installer | @@ -680,9 +805,9 @@ This policy setting appears in the Computer Configuration and User Configuration This policy setting controls the ability to turn off shared components. -If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. +- If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. -If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. +- If you disable or do not configure this policy setting, by default, the shared component functionality is allowed. @@ -700,7 +825,7 @@ If you disable or do not configure this policy setting, by default, the shared c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -742,9 +867,9 @@ This policy setting controls the ability of non-administrators to install update Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. -If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. +- If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications. -If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. +- If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates. @@ -762,7 +887,7 @@ If you disable or do not configure this policy setting, users without administra > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -804,9 +929,9 @@ This policy setting controls the ability for users or administrators to remove W This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators. -If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. +- If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product. -If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." +- If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." @@ -824,7 +949,7 @@ If you disable or do not configure this policy setting, a user can remove an upd > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -864,9 +989,9 @@ If you disable or do not configure this policy setting, a user can remove an upd This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. -If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. +- If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications. -If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. +- If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application. @@ -884,7 +1009,7 @@ If you disable or do not configure this policy setting, by default, the Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -924,9 +1049,9 @@ If you disable or do not configure this policy setting, by default, the Windows This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want. -If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. +- If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product. -If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. +- If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile. @@ -944,7 +1069,7 @@ If you enable this policy setting and "Hide User Installs" is selected, the inst > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -983,7 +1108,7 @@ If you enable this policy setting and "Hide User Installs" is selected, the inst This policy setting causes the Windows Installer to enforce strict rules for component upgrades. -If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: +- If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following: (1) Remove a component from a feature. This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component. @@ -991,7 +1116,7 @@ This can also occur if you change the GUID of a component. The component identif (2) Add a new feature to the top or middle of an existing feature tree. The new feature must be added as a new leaf feature to an existing feature tree. -If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. +- If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades. @@ -1009,7 +1134,7 @@ If you disable or do not configure this policy setting, the Windows Installer wi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1051,13 +1176,13 @@ This policy controls the percentage of disk space available to the Windows Insta The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied. -If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. +- If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed. If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache. -If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. +- If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size. @@ -1075,7 +1200,7 @@ If you disable or do not configure this policy setting, the Windows Installer wi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1114,9 +1239,9 @@ If you disable or do not configure this policy setting, the Windows Installer wi This policy setting controls the ability to prevent embedded UI. -If you enable this policy setting, no packages on the system can run embedded UI. +- If you enable this policy setting, no packages on the system can run embedded UI. -If you disable or do not configure this policy setting, embedded UI is allowed to run. +- If you disable or do not configure this policy setting, embedded UI is allowed to run. @@ -1134,7 +1259,7 @@ If you disable or do not configure this policy setting, embedded UI is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1178,7 +1303,7 @@ When you enable this policy setting, you can specify the types of events you wan To disable logging, delete all of the letters from the box. -If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." +- If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap." @@ -1196,7 +1321,7 @@ If you disable or do not configure this policy setting, Windows Installer logs t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1235,9 +1360,9 @@ If you disable or do not configure this policy setting, Windows Installer logs t This policy setting allows Web-based programs to install software on the computer without notifying the user. -If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. +- If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. -If you enable this policy setting, the warning is suppressed and allows the installation to proceed. +- If you enable this policy setting, the warning is suppressed and allows the installation to proceed. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously. @@ -1257,7 +1382,7 @@ This policy setting is designed for enterprises that use Web-based tools to dist > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1278,6 +1403,73 @@ This policy setting is designed for enterprises that use Web-based tools to dist + +## SearchOrder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_MSI/SearchOrder +``` + + + + +This policy setting specifies the order in which Windows Installer searches for installation files. + +- If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). + +- If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: + +- "n" represents the network; + +- "m" represents media; + +- "u" represents URL, or the Internet. + +To exclude a file source, omit or delete the letter representing that source type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | SearchOrder | +| Friendly Name | Specify the order in which Windows Installer searches for installation files | +| Location | User Configuration | +| Path | Windows Components > Windows Installer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | +| ADMX File Name | MSI.admx | + + + + + + + + ## TransformsSecure @@ -1299,15 +1491,15 @@ This policy setting saves copies of transform files in a secure location on the Transform files consist of instructions to modify or customize a program during installation. -If you enable this policy setting, the transform file is saved in a secure location on the user's computer. +- If you enable this policy setting, the transform file is saved in a secure location on the user's computer. -If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. +- If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation. This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files. -If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. +- If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile. -If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. +- If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network. @@ -1325,7 +1517,7 @@ If you do not configure this policy setting on Windows 2000 Professional, Window > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1346,199 +1538,6 @@ If you do not configure this policy setting on Windows 2000 Professional, Window - -## DisableMedia - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableMedia -``` - - - - -This policy setting prevents users from installing any programs from removable media. - -If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found. - -This policy setting applies even when the installation is running in the user's security context. - -If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs. - -Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableMedia | -| Friendly Name | Prevent removable media source for any installation | -| Location | User Configuration | -| Path | Windows Components > Windows Installer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | -| Registry Value Name | DisableMedia | -| ADMX File Name | MSI.admx | - - - - - - - - - -## DisableRollback_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_MSI/DisableRollback_1 -``` - - - - -This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. - -If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete. - -This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential. - -This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableRollback | -| Friendly Name | Prohibit rollback | -| Location | User Configuration | -| Path | Windows Components > Windows Installer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | -| Registry Value Name | DisableRollback | -| ADMX File Name | MSI.admx | - - - - - - - - - -## SearchOrder - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_MSI/SearchOrder -``` - - - - -This policy setting specifies the order in which Windows Installer searches for installation files. - -If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL). - -If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search: - --- "n" represents the network; - --- "m" represents media; - --- "u" represents URL, or the Internet. - -To exclude a file source, omit or delete the letter representing that source type. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | SearchOrder | -| Friendly Name | Specify the order in which Windows Installer searches for installation files | -| Location | User Configuration | -| Path | Windows Components > Windows Installer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Installer | -| ADMX File Name | MSI.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index f3654d208c..6875c3fba2 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -1,10 +1,10 @@ --- title: ADMX_MsiFileRecovery Policy CSP -description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP +description: Learn more about the ADMX_MsiFileRecovery Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MsiFileRecovery > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -52,15 +50,16 @@ Silent: Detection, troubleshooting, and notification of MSI application to reins Troubleshooting Only: Detection and verification of file corruption will be performed without UI. Recovery is not attempted. -If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. +- If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only. -If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. +- If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. -If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. +- If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh. -Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +> [!NOTE] +> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console. @@ -78,7 +77,7 @@ Note: This policy setting will take effect only when the Diagnostic Policy Servi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md index d4feaa05d2..6b4d108e89 100644 --- a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md +++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md @@ -1,10 +1,10 @@ --- title: ADMX_MSS-legacy Policy CSP -description: Learn more about the ADMX_MSS-legacy Area in Policy CSP +description: Learn more about the ADMX_MSS-legacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_MSS-legacy > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -61,10 +59,16 @@ Enable Automatic Logon (not recommended). + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoAdminLogon | +| ADMX File Name | MSS-legacy.admx | @@ -107,10 +111,16 @@ Allow Windows to automatically restart after a system crash (recommended except + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoReboot | +| ADMX File Name | MSS-legacy.admx | @@ -153,10 +163,16 @@ Enable administrative shares on servers (recommended except for highly secure en + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoShareServer | +| ADMX File Name | MSS-legacy.admx | @@ -199,10 +215,16 @@ Enable administrative shares on workstations (recommended except for highly secu + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_AutoShareWks | +| ADMX File Name | MSS-legacy.admx | @@ -244,10 +266,16 @@ Enable administrative shares on workstations (recommended except for highly secu + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_DisableSavePassword | +| ADMX File Name | MSS-legacy.admx | @@ -291,10 +319,16 @@ Allow automatic detection of dead network gateways (could lead to DoS). + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_EnableDeadGWDetect | +| ADMX File Name | MSS-legacy.admx | @@ -337,10 +371,16 @@ Hide Computer From the Browse List (not recommended except for highly secure env + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_HideFromBrowseList | +| ADMX File Name | MSS-legacy.admx | @@ -383,10 +423,16 @@ Define how often keep-alive packets are sent in milliseconds. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_KeepAliveTime | +| ADMX File Name | MSS-legacy.admx | @@ -429,10 +475,16 @@ Configure IPSec exemptions for various types of network traffic. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_NoDefaultExempt | +| ADMX File Name | MSS-legacy.admx | @@ -475,10 +527,16 @@ Enable the computer to stop generating 8.3 style filenames. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_NtfsDisable8dot3NameCreation | +| ADMX File Name | MSS-legacy.admx | @@ -521,10 +579,16 @@ Enable the computer to stop generating 8.3 style filenames. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_PerformRouterDiscovery | +| ADMX File Name | MSS-legacy.admx | @@ -567,10 +631,16 @@ Enable Safe DLL search mode (recommended). + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_SafeDllSearchMode | +| ADMX File Name | MSS-legacy.admx | @@ -613,10 +683,16 @@ he time in seconds before the screen saver grace period expires (0 recommended). + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_ScreenSaverGracePeriod | +| ADMX File Name | MSS-legacy.admx | @@ -659,10 +735,16 @@ Syn attack protection level (protects against DoS). + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_SynAttackProtect | +| ADMX File Name | MSS-legacy.admx | @@ -705,10 +787,16 @@ SYN-ACK retransmissions when a connection request is not acknowledged. + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_TcpMaxConnectResponseRetransmissions | +| ADMX File Name | MSS-legacy.admx | @@ -751,10 +839,16 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_TcpMaxDataRetransmissions | +| ADMX File Name | MSS-legacy.admx | @@ -797,10 +891,16 @@ Define how many times unacknowledged data is retransmitted (3 recommended, 5 is + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_TcpMaxDataRetransmissionsIPv6 | +| ADMX File Name | MSS-legacy.admx | @@ -843,10 +943,16 @@ Percentage threshold for the security event log at which the system will generat + > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_WarningLevel | +| ADMX File Name | MSS-legacy.admx | diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index 95602c2c77..3177e932ac 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -1,10 +1,10 @@ --- title: ADMX_nca Policy CSP -description: Learn more about the ADMX_nca Area in Policy CSP +description: Learn more about the ADMX_nca Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_nca > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,19 +46,19 @@ Specifies resources on your intranet that are normally accessible to DirectAcces Each string can be one of the following types: -- A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1. +- A DNS name or IPv6 address that NCA pings. The syntax is "PING:" followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1. -Note +**Note** We recommend that you use FQDNs instead of IPv6 addresses wherever possible. -Important +**Important** At least one of the entries must be a PING: resource. -- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP: or HTTP:https://2002:836b:1::1/. +- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP: or HTTP:https://2002:836b:1::1/. -- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. +- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. You must configure this setting to have complete NCA functionality. @@ -80,7 +78,7 @@ You must configure this setting to have complete NCA functionality. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -135,7 +133,7 @@ Specifies commands configured by the administrator for custom logging. These com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -196,7 +194,7 @@ You must configure this setting to have complete NCA functionality. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -233,9 +231,9 @@ You must configure this setting to have complete NCA functionality. -Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation. +Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify "Contoso Intranet Access" for the DirectAccess clients of the Contoso Corporation. -If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”. +If this setting is not configured, the string that appears for DirectAccess connectivity is "Corporate Connection". @@ -253,7 +251,7 @@ If this setting is not configured, the string that appears for DirectAccess conn > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -292,15 +290,13 @@ If this setting is not configured, the string that appears for DirectAccess conn Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. -If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. +If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. **Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. -**Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names. - -The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet. +The ability to disconnect allows users to specify single-label, unqualified names (such as "PRINTSVR") for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet. To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect. -Note +**Note** If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT. If this setting is not configured, users do not have Connect or Disconnect options. @@ -321,7 +317,7 @@ If this setting is not configured, users do not have Connect or Disconnect optio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -379,7 +375,7 @@ Set this to Disabled to keep NCA probing actively all the time. If this setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -439,7 +435,7 @@ If this setting is not configured, the entry for DirectAccess connectivity appea > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -497,7 +493,7 @@ When the user sends the log files to the Administrator, NCA uses the default e-m > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 89b5cd6963..66333d0c19 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -1,10 +1,10 @@ --- title: ADMX_NCSI Policy CSP -description: Learn more about the ADMX_NCSI Area in Policy CSP +description: Learn more about the ADMX_NCSI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_NCSI > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,7 +60,7 @@ This policy setting enables you to specify the expected address of the host name > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -117,7 +115,7 @@ This policy setting enables you to specify the host name of a computer known to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -172,7 +170,7 @@ This policy setting enables you to specify the list of IPv6 corporate site prefi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -227,7 +225,7 @@ This policy setting enables you to specify the URL of the corporate website, aga > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -282,7 +280,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -319,7 +317,8 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit -This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. +This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. +- If you enable this setting, NCSI will allow the DNS lookups to happen on any interface. @@ -337,7 +336,7 @@ This policy setting enables you to specify DNS binding behavior. NCSI by default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -392,7 +391,7 @@ This Policy setting enables you to specify passive polling behavior. NCSI polls > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 9b6d315322..9656e0aa10 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -1,10 +1,10 @@ --- title: ADMX_Netlogon Policy CSP -description: Learn more about the ADMX_Netlogon Area in Policy CSP +description: Learn more about the ADMX_Netlogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index a18568b85f..f59fcc9805 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -1,10 +1,10 @@ --- title: ADMX_NetworkConnections Policy CSP -description: Learn more about the ADMX_NetworkConnections Area in Policy CSP +description: Learn more about the ADMX_NetworkConnections Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_NetworkConnections > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,329 +25,6 @@ ms.topic: reference - -## NC_DoNotShowLocalOnlyIcon - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon -``` - - - - -Specifies whether or not the "local access only" network icon will be shown. - -When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. - -If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NC_DoNotShowLocalOnlyIcon | -| Friendly Name | Do not show the "local access only" network icon | -| Location | Computer Configuration | -| Path | Network > Network Connections | -| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | -| Registry Value Name | NC_DoNotShowLocalOnlyIcon | -| ADMX File Name | NetworkConnections.admx | - - - - - - - - - -## NC_ForceTunneling - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ForceTunneling -``` - - - - -This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. - -When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. - -If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. - -If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. - -If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NC_ForceTunneling | -| Friendly Name | Route all traffic through the internal network | -| Location | Computer Configuration | -| Path | Network > Network Connections | -| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | -| ADMX File Name | NetworkConnections.admx | - - - - - - - - - -## NC_PersonalFirewallConfig - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_PersonalFirewallConfig -``` - - - - -Prohibits use of Internet Connection Firewall on your DNS domain network. - -Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. - -Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. - -The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. - -If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. - -Note: If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. - -If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NC_PersonalFirewallConfig | -| Friendly Name | Prohibit use of Internet Connection Firewall on your DNS domain network | -| Location | Computer Configuration | -| Path | Network > Network Connections | -| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | -| Registry Value Name | NC_PersonalFirewallConfig | -| ADMX File Name | NetworkConnections.admx | - - - - - - - - - -## NC_ShowSharedAccessUI - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ShowSharedAccessUI -``` - - - - -Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. - -ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. - -If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. - -If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) - -By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. - -Note: Internet Connection Sharing is only available when two or more network connections are present. - -Note: When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. - -Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. - -Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NC_ShowSharedAccessUI | -| Friendly Name | Prohibit use of Internet Connection Sharing on your DNS domain network | -| Location | Computer Configuration | -| Path | Network > Network Connections | -| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | -| Registry Value Name | NC_ShowSharedAccessUI | -| ADMX File Name | NetworkConnections.admx | - - - - - - - - - -## NC_StdDomainUserSetLocation - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_StdDomainUserSetLocation -``` - - - - -This policy setting determines whether to require domain users to elevate when setting a network's location. - -If you enable this policy setting, domain users must elevate when setting a network's location. - -If you disable or do not configure this policy setting, domain users can set a network's location without elevating. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NC_StdDomainUserSetLocation | -| Friendly Name | Require domain users to elevate when setting a network's location | -| Location | Computer Configuration | -| Path | Network > Network Connections | -| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | -| Registry Value Name | NC_StdDomainUserSetLocation | -| ADMX File Name | NetworkConnections.admx | - - - - - - - - ## NC_AddRemoveComponents @@ -369,19 +44,22 @@ If you disable or do not configure this policy setting, domain users can set a n Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. +- If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections. -Note: When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. -Note: Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. +> [!NOTE] +> Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. @@ -399,7 +77,7 @@ Note: Nonadministrators are already prohibited from adding and removing connecti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -441,13 +119,15 @@ Determines whether the Advanced Settings item on the Advanced menu in Network Co The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators. +- If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators. -Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. +> [!NOTE] +> Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. @@ -465,7 +145,7 @@ Note: Nonadministrators are already prohibited from accessing the Advanced Setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -505,19 +185,24 @@ Note: Nonadministrators are already prohibited from accessing the Advanced Setti Determines whether users can configure advanced TCP/IP settings. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. +- If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. -Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration. +> [!NOTE] +> This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration. -Note: Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. +> [!NOTE] +> Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. -Tip: To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. +> [!TIP] +> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. -Note: Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. +> [!NOTE] +> Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. @@ -535,7 +220,7 @@ Note: Changing this setting from Enabled to Not Configured does not enable the A > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -575,15 +260,18 @@ Note: Changing this setting from Enabled to Not Configured does not enable the A Determines whether administrators can enable and disable the components used by LAN connections. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. +- If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. -Note: When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. -Note: Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. +> [!NOTE] +> Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. @@ -601,7 +289,7 @@ Note: Nonadministrators are already prohibited from enabling or disabling compon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -643,19 +331,23 @@ Determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. -If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. +- If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. +- If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. -Important: When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. +> [!IMPORTANT] +> When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. -Note: LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> [!NOTE] +> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -673,7 +365,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -713,17 +405,21 @@ Note: This setting does not prevent users from using other programs, such as Int Determines whether users can delete remote access connections. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) +- If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) -Important: When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. +> [!IMPORTANT] +> When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. -Note: LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> [!NOTE] +> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -741,7 +437,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -783,11 +479,12 @@ Determines whether the Remote Acccess Preferences item on the Advanced menu in N The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. +- If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. @@ -805,7 +502,7 @@ If you disable this setting or do not configure it, the Remote Access Preference > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -826,6 +523,66 @@ If you disable this setting or do not configure it, the Remote Access Preference + +## NC_DoNotShowLocalOnlyIcon + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +``` + + + + +Specifies whether or not the "local access only" network icon will be shown. + +When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. + +- If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_DoNotShowLocalOnlyIcon | +| Friendly Name | Do not show the "local access only" network icon | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_DoNotShowLocalOnlyIcon | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + ## NC_EnableAdminProhibits @@ -849,11 +606,12 @@ The set of Network Connections group settings that existed in Windows 2000 Profe By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. -If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. +- If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. -If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. +- If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. -Note: This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. +> [!NOTE] +> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. @@ -871,7 +629,7 @@ Note: This setting is intended to be used in a situation in which the Group Poli > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -892,6 +650,69 @@ Note: This setting is intended to be used in a situation in which the Group Poli + +## NC_ForceTunneling + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ForceTunneling +``` + + + + +This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. + +When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. + +- If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. + +- If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + +- If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_ForceTunneling | +| Friendly Name | Route all traffic through the internal network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + ## NC_IpStateChecking @@ -911,9 +732,9 @@ Note: This setting is intended to be used in a situation in which the Group Poli This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. -If you enable this policy setting, this condition will not be reported as an error to the user. +- If you enable this policy setting, this condition will not be reported as an error to the user. -If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. +- If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. @@ -931,7 +752,7 @@ If you disable or do not configure this policy setting, a DHCP-configured connec > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -973,21 +794,26 @@ Determines whether Administrators and Network Configuration Operators can change This setting determines whether the Properties button for components of a LAN connection is enabled. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators. +- If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators. The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -Note: Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. +> [!NOTE] +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. -Note: When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. -Note: Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. +> [!NOTE] +> Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. -Note: Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. +> [!NOTE] +> Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. @@ -1005,7 +831,7 @@ Note: Nonadministrators are already prohibited from accessing properties of comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1045,15 +871,17 @@ Note: Nonadministrators are already prohibited from accessing properties of comp Determines whether users can enable/disable LAN connections. -If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. +- If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. +- If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. -Note: Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. +> [!NOTE] +> Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. @@ -1071,7 +899,7 @@ Note: Administrators can still enable/disable LAN connections from Device Manage > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1113,15 +941,19 @@ Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. +- If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. -Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. +- If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. -Note: Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. +> [!NOTE] +> Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. @@ -1139,7 +971,7 @@ Note: Nonadministrators have the right to view the properties dialog box for a c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1179,15 +1011,18 @@ Note: Nonadministrators have the right to view the properties dialog box for a c Determines whether users can use the New Connection Wizard, which creates new network connections. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. +- If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. -Note: Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. +> [!NOTE] +> Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -1205,7 +1040,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1226,6 +1061,76 @@ Note: This setting does not prevent users from using other programs, such as Int + +## NC_PersonalFirewallConfig + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_PersonalFirewallConfig +``` + + + + +Prohibits use of Internet Connection Firewall on your DNS domain network. + +Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. + +> [!IMPORTANT] +> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. + +The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. + +- If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. + +> [!NOTE] +> If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. + +- If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_PersonalFirewallConfig | +| Friendly Name | Prohibit use of Internet Connection Firewall on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_PersonalFirewallConfig | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + ## NC_RasAllUserProperties @@ -1249,17 +1154,21 @@ To create an all-user remote access connection, on the Connection Availability p This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users. -If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. +- If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box. +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. +- If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. -Note: This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. +- If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -1277,7 +1186,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1319,19 +1228,23 @@ Determines whether users can view and change the properties of components used b This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Properties button is enabled for all users. +- If you disable this setting or do not configure it, the Properties button is enabled for all users. The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. -Note: Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. +> [!NOTE] +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. -Note: When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. +> [!NOTE] +> When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -1349,7 +1262,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1389,11 +1302,12 @@ Note: This setting does not prevent users from using other programs, such as Int Determines whether users can connect and disconnect remote access connections. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. +- If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. @@ -1411,7 +1325,7 @@ If you disable this setting or do not configure it, the Connect and Disconnect o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1455,15 +1369,19 @@ Private connections are those that are available only to one user. To create a p This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. +- If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. -Note: This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. +- If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -1481,7 +1399,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1523,17 +1441,20 @@ Determines whether nonadministrators can rename all-user remote access connectio To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. -If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. +- If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. -If you disable this setting, the Rename option is disabled for nonadministrators only. +- If you disable this setting, the Rename option is disabled for nonadministrators only. If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. -Note: This setting does not apply to Administrators +> [!NOTE] +> This setting does not apply to Administrators -Note: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply. +> [!NOTE] +> When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -1551,7 +1472,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1591,17 +1512,20 @@ Note: This setting does not prevent users from using other programs, such as Int Determines whether users can rename LAN or all user remote access connections. -If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. +- If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. -If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). +- If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. -Note: When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. +> [!NOTE] +> When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. @@ -1619,7 +1543,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1659,15 +1583,17 @@ Note: This setting does not prevent users from using other programs, such as Int Determines whether nonadministrators can rename a LAN connection. -If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. +- If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. -If you disable this setting, the Rename option is disabled for nonadministrators only. +- If you disable this setting, the Rename option is disabled for nonadministrators only. -If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections +- If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections -Note: This setting does not apply to Administrators. +> [!NOTE] +> This setting does not apply to Administrators. -Note: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. +> [!NOTE] +> When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. @@ -1685,7 +1611,7 @@ Note: When the "Ability to rename LAN connections or remote access connections a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1727,13 +1653,15 @@ Determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. -If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). +- If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. +- If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. -Note: This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. @@ -1751,7 +1679,7 @@ Note: This setting does not prevent users from using other programs, such as Int > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1772,6 +1700,82 @@ Note: This setting does not prevent users from using other programs, such as Int + +## NC_ShowSharedAccessUI + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_ShowSharedAccessUI +``` + + + + +Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. + +ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. + +- If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. + +- If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) + +By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. + +> [!NOTE] +> Internet Connection Sharing is only available when two or more network connections are present. + +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. + +> [!NOTE] +> Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. + +> [!NOTE] +> Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_ShowSharedAccessUI | +| Friendly Name | Prohibit use of Internet Connection Sharing on your DNS domain network | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_ShowSharedAccessUI | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + ## NC_Statistics @@ -1793,11 +1797,12 @@ Determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. -If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box. +- If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box. -Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. +> [!IMPORTANT] +> If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. -If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. +- If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. @@ -1815,7 +1820,7 @@ If you disable this setting or do not configure it, the connection status taskba > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1836,6 +1841,66 @@ If you disable this setting or do not configure it, the connection status taskba + +## NC_StdDomainUserSetLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_NetworkConnections/NC_StdDomainUserSetLocation +``` + + + + +This policy setting determines whether to require domain users to elevate when setting a network's location. + +- If you enable this policy setting, domain users must elevate when setting a network's location. + +- If you disable or do not configure this policy setting, domain users can set a network's location without elevating. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NC_StdDomainUserSetLocation | +| Friendly Name | Require domain users to elevate when setting a network's location | +| Location | Computer Configuration | +| Path | Network > Network Connections | +| Registry Key Name | Software\Policies\Microsoft\Windows\Network Connections | +| Registry Value Name | NC_StdDomainUserSetLocation | +| ADMX File Name | NetworkConnections.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index beeb09f493..a4d11fa601 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -1,10 +1,10 @@ --- title: ADMX_OfflineFiles Policy CSP -description: Learn more about the ADMX_OfflineFiles Area in Policy CSP +description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_OfflineFiles > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ Makes subfolders available offline whenever their parent folder is made availabl This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders. -If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. +- If you enable this setting, when you make a folder available offline, all folders within that folder are also made available offline. Also, new folders that you create within a folder that is available offline are made available offline when the parent folder is synchronized. -If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. +- If you disable this setting or do not configure it, the system asks users whether they want subfolders to be made available offline when they make a parent folder available offline. @@ -68,7 +66,7 @@ If you disable this setting or do not configure it, the system asks users whethe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -89,6 +87,70 @@ If you disable this setting or do not configure it, the system asks users whethe + +## Pol_AssignedOfflineFiles_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 +``` + + + + +This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. + +- If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. + +- If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). + +- If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_AssignedOfflineFiles_1 | +| Friendly Name | Specify administratively assigned Offline Files | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_AssignedOfflineFiles_2 @@ -108,13 +170,14 @@ If you disable this setting or do not configure it, the system asks users whethe This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. -If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. +- If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. -If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). +- If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). -If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. +- If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. -Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. @@ -132,13 +195,13 @@ Note: This setting appears in the Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_AssignedOfflineFiles | +| Name | Pol_AssignedOfflineFiles_2 | | Friendly Name | Specify administratively assigned Offline Files | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -171,11 +234,11 @@ Note: This setting appears in the Computer Configuration and User Configuration This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting. -If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. +- If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis. You can also configure Background Sync for network shares that are in user selected Work Offline mode. This mode is in effect when a user selects the Work Offline button for a specific share. When selected, all configured settings will apply to shares in user selected Work Offline mode as well. -If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. +- If you disable or do not configure this policy setting, Windows performs a background sync of offline folders in the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Server 2008 R2, the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012, the default sync interval is 120 minutes. @@ -193,7 +256,7 @@ If you disable or do not configure this policy setting, Windows performs a backg > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -235,17 +298,17 @@ This policy setting limits the amount of disk space that can be used to store of This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it. -If you enable this policy setting, you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can be used by automatically cached files. +- If you enable this policy setting, you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can be used by automatically cached files. -If you disable this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. +- If you disable this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. -If you do not configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. +- If you do not configure this policy setting, the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit. However, the users can change these values using the Offline Files control applet. -If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjusted downward to 100 percent of the size of the drive. +- If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache, and that drive is the system drive, the total size limit is automatically adjusted downward to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive, the limit is automatically adjusted downward to 100 percent of the size of the drive. -If you enable this setting and specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full. +- If you enable this setting and specify a total size limit less than the amount of space currently used by the Offline Files cache, the total size limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full. -If you enable this setting and specify an auto-cached space limit greater than the total size limit, the auto-cached limit is automatically adjusted downward to equal the total size limit. +- If you enable this setting and specify an auto-cached space limit greater than the total size limit, the auto-cached limit is automatically adjusted downward to equal the total size limit. This setting replaces the Default Cache Size setting used by pre-Windows Vista systems. @@ -265,7 +328,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -285,6 +348,68 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s + +## Pol_CustomGoOfflineActions_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 +``` + + + + +Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. + +To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are disconnected from this server, or type "1" if they cannot. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. + +> [!TIP] +> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_CustomGoOfflineActions_1 | +| Friendly Name | Non-default server disconnect actions | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_CustomGoOfflineActions_2 @@ -308,7 +433,8 @@ To use this setting, click Show. In the Show Contents dialog box in the Value Na This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. -Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. +> [!TIP] +> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. @@ -326,13 +452,13 @@ Tip: To configure this setting without establishing a setting, in Windows Explor > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_CustomGoOfflineActions | +| Name | Pol_CustomGoOfflineActions_2 | | Friendly Name | Non-default server disconnect actions | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -371,13 +497,14 @@ Automatic caching can be set on any network share. When a user opens a file on t This setting does not limit the disk space available for files that user's make available offline manually. -If you enable this setting, you can specify an automatic-cache disk space limit. +- If you enable this setting, you can specify an automatic-cache disk space limit. -If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the system drive. +- If you disable this setting, the system limits the space that automatically cached files occupy to 10 percent of the space on the system drive. -If you do not configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it. +- If you do not configure this setting, disk space for automatically cached files is limited to 10 percent of the system drive by default, but users can change it. -Tip: To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. +> [!TIP] +> To change the amount of disk space used for automatic caching without specifying a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then use the slider bar associated with the "Amount of disk space to use for temporary offline files" option. @@ -395,7 +522,7 @@ Tip: To change the amount of disk space used for automatic caching without speci > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -434,13 +561,14 @@ Tip: To change the amount of disk space used for automatic caching without speci This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network. -If you enable this policy setting, Offline Files is enabled and users cannot disable it. +- If you enable this policy setting, Offline Files is enabled and users cannot disable it. -If you disable this policy setting, Offline Files is disabled and users cannot enable it. +- If you disable this policy setting, Offline Files is disabled and users cannot enable it. -If you do not configure this policy setting, Offline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. +- If you do not configure this policy setting, Offline Files is enabled on Windows client computers, and disabled on computers running Windows Server, unless changed by the user. -Note: Changes to this policy setting do not take effect until the affected computer is restarted. +> [!NOTE] +> Changes to this policy setting do not take effect until the affected computer is restarted. @@ -458,7 +586,7 @@ Note: Changes to this policy setting do not take effect until the affected compu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -500,13 +628,14 @@ This policy setting determines whether offline files are encrypted. Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions. -If you enable this policy setting, all files in the Offline Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface. +- If you enable this policy setting, all files in the Offline Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface. -If you disable this policy setting, all files in the Offline Files cache are unencrypted. This includes existing files as well as files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot encrypt Offline Files through the user interface. +- If you disable this policy setting, all files in the Offline Files cache are unencrypted. This includes existing files as well as files added later, even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the server. The cached copy on the local computer is affected, but the associated network copy is not. The user cannot encrypt Offline Files through the user interface. -If you do not configure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache. +- If you do not configure this policy setting, encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retained, and if the cache is only partially encrypted, the operation completes so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer to encrypt or decrypt the Offline Files cache. -Note: By default, this cache is protected on NTFS partitions by ACLs. +> [!NOTE] +> By default, this cache is protected on NTFS partitions by ACLs. This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is required for this setting to take effect. @@ -526,7 +655,7 @@ This setting is applied at user logon. If this setting is changed after user log > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -547,6 +676,76 @@ This setting is applied at user logon. If this setting is changed after user log + +## Pol_EventLoggingLevel_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EventLoggingLevel_1 +``` + + + + +Determines which events the Offline Files feature records in the event log. + +Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. + +To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. + +"0" records an error when the offline storage cache is corrupted. + +"1" also records an event when the server hosting the offline file is disconnected from the network. + +"2" also records events when the local computer is connected and disconnected from the network. + +"3" also records an event when the server hosting the offline file is reconnected to the network. + +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_EventLoggingLevel_1 | +| Friendly Name | Event logging level | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_EventLoggingLevel_2 @@ -578,7 +777,8 @@ To use this setting, in the "Enter" box, select the number corresponding to the "3" also records an event when the server hosting the offline file is reconnected to the network. -Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. +> [!NOTE] +> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. @@ -596,13 +796,13 @@ Note: This setting appears in the Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_EventLoggingLevel | +| Name | Pol_EventLoggingLevel_2 | | Friendly Name | Event logging level | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -635,9 +835,9 @@ Note: This setting appears in the Computer Configuration and User Configuration This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. -If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. +- If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline. -If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. +- If you disable or do not configure this policy setting, a user can create a file of any type in the folders that have been made available offline. @@ -655,7 +855,7 @@ If you disable or do not configure this policy setting, a user can create a file > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -700,7 +900,8 @@ This setting is designed to protect files that cannot be separated, such as data To use this setting, type the file name extension in the "Extensions" box. To type more than one extension, separate the extensions with a semicolon (;). -Note: To make changes to this setting effective, you must log off and log on again. +> [!NOTE] +> To make changes to this setting effective, you must log off and log on again. @@ -718,7 +919,7 @@ Note: To make changes to this setting effective, you must log off and log on aga > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -738,6 +939,80 @@ Note: To make changes to this setting effective, you must log off and log on aga + +## Pol_GoOfflineAction_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_GoOfflineAction_1 +``` + + + + +Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. + +This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. + +- If you enable this setting, you can use the "Action" box to specify how computers in the group respond. + +- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. + +- "Never go offline" indicates that network files are not available while the server is inaccessible. + +- If you disable this setting or select the "Work offline" option, users can work offline if disconnected. + +- If you do not configure this setting, users can work offline by default, but they can change this option. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. + +Also, see the "Non-default server disconnect actions" setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_GoOfflineAction_1 | +| Friendly Name | Action on server disconnect | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_GoOfflineAction_2 @@ -759,19 +1034,20 @@ Determines whether network files remain available if the computer is suddenly di This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. +- If you enable this setting, you can use the "Action" box to specify how computers in the group respond. --- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. +- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. --- "Never go offline" indicates that network files are not available while the server is inaccessible. +- "Never go offline" indicates that network files are not available while the server is inaccessible. -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. +- If you disable this setting or select the "Work offline" option, users can work offline if disconnected. -If you do not configure this setting, users can work offline by default, but they can change this option. +- If you do not configure this setting, users can work offline by default, but they can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. +> [!TIP] +> To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. Also, see the "Non-default server disconnect actions" setting. @@ -791,13 +1067,13 @@ Also, see the "Non-default server disconnect actions" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_GoOfflineAction | +| Name | Pol_GoOfflineAction_2 | | Friendly Name | Action on server disconnect | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -811,6 +1087,71 @@ Also, see the "Non-default server disconnect actions" setting. + +## Pol_NoCacheViewer_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoCacheViewer_1 +``` + + + + +Disables the Offline Files folder. + +This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. + +This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoCacheViewer_1 | +| Friendly Name | Prevent use of Offline Files folder | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoCacheViewer | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_NoCacheViewer_2 @@ -836,7 +1177,8 @@ This setting does not prevent users from working offline or from saving local co This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." +> [!TIP] +> To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." @@ -854,13 +1196,13 @@ Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_NoCacheViewer | +| Name | Pol_NoCacheViewer_2 | | Friendly Name | Prevent use of Offline Files folder | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -875,6 +1217,71 @@ Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, c + +## Pol_NoConfigCache_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoConfigCache_1 +``` + + + + +Prevents users from enabling, disabling, or changing the configuration of Offline Files. + +This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. + +This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoConfigCache_1 | +| Friendly Name | Prohibit user configuration of Offline Files | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoConfigCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_NoConfigCache_2 @@ -900,7 +1307,8 @@ This is a comprehensive setting that locks down the configuration you establish This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. +> [!TIP] +> This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. @@ -918,13 +1326,13 @@ Tip: This setting provides a quick method for locking down the default settings > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_NoConfigCache | +| Name | Pol_NoConfigCache_2 | | Friendly Name | Prohibit user configuration of Offline Files | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -939,6 +1347,72 @@ Tip: This setting provides a quick method for locking down the default settings + +## Pol_NoMakeAvailableOffline_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 +``` + + + + +This policy setting prevents users from making network files and folders available offline. + +- If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. + +- If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. + +**Note**: + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. + +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoMakeAvailableOffline_1 | +| Friendly Name | Remove "Make Available Offline" command | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoMakeAvailableOffline | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_NoMakeAvailableOffline_2 @@ -958,11 +1432,11 @@ Tip: This setting provides a quick method for locking down the default settings This policy setting prevents users from making network files and folders available offline. -If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. +- If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. -If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. +- If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. -Notes: +**Note**: This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. @@ -984,13 +1458,13 @@ The "Make Available Offline" command is called "Always available offline" on com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_NoMakeAvailableOffline | +| Name | Pol_NoMakeAvailableOffline_2 | | Friendly Name | Remove "Make Available Offline" command | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1005,6 +1479,77 @@ The "Make Available Offline" command is called "Always available offline" on com + +## Pol_NoPinFiles_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoPinFiles_1 +``` + + + + +This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. + +- If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. + +- If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. + +- If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. + +**Note**: + +This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. + +The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. + +This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. + +If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoPinFiles_1 | +| Friendly Name | Remove "Make Available Offline" for these files and folders | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_NoPinFiles_2 @@ -1024,13 +1569,13 @@ The "Make Available Offline" command is called "Always available offline" on com This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. -If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. +- If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. -If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. +- If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. -If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. +- If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. -Notes: +**Note**: This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. @@ -1056,13 +1601,13 @@ If the "Remove 'Make Available Offline' command" policy setting is enabled, this > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_NoPinFiles | +| Name | Pol_NoPinFiles_2 | | Friendly Name | Remove "Make Available Offline" for these files and folders | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1076,6 +1621,77 @@ If the "Remove 'Make Available Offline' command" policy setting is enabled, this + +## Pol_NoReminders_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoReminders_1 +``` + + + + +Hides or displays reminder balloons, and prevents users from changing the setting. + +Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. + +- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. + +If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. + +If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. + +To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_NoReminders_1 | +| Friendly Name | Turn off reminder balloons | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | NoReminders | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_NoReminders_2 @@ -1097,7 +1713,7 @@ Hides or displays reminder balloons, and prevents users from changing the settin Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. -If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. +- If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. @@ -1107,7 +1723,8 @@ To prevent users from changing the setting while a setting is in effect, the sys This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. +> [!TIP] +> To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. @@ -1125,13 +1742,13 @@ Tip: To display or hide reminder balloons without establishing a setting, in Win > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_NoReminders | +| Name | Pol_NoReminders_2 | | Friendly Name | Turn off reminder balloons | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1169,9 +1786,9 @@ The cached files are temporary and are not available to the user when offline. T This policy setting is triggered by the configured round trip network latency value. We recommend using this policy setting when the network connection to the server is slow. For example, you can configure a value of 60 ms as the round trip latency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less than 60ms, reads to remote files will not be cached. -If you enable this policy setting, transparent caching is enabled and configurable. +- If you enable this policy setting, transparent caching is enabled and configurable. -If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. +- If you disable or do not configure this policy setting, remote files will be not be transparently cached on client computers. @@ -1189,7 +1806,7 @@ If you disable or do not configure this policy setting, remote files will be not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1230,9 +1847,10 @@ Deletes local copies of the user's offline files when the user logs off. This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files. -If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use. +- If you disable this setting or do not configure it, automatically and manually cached copies are retained on the user's computer for later offline use. -Caution: Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. +> [!CAUTION] +> Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost. @@ -1250,7 +1868,7 @@ Caution: Files are not synchronized before they are deleted. Any changes to loca > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1290,9 +1908,9 @@ Caution: Files are not synchronized before they are deleted. Any changes to loca This policy setting allows you to turn on economical application of administratively assigned Offline Files. -If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. +- If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later. -If you disable this policy setting, all administratively assigned folders are synchronized at logon. +- If you disable this policy setting, all administratively assigned folders are synchronized at logon. @@ -1310,7 +1928,7 @@ If you disable this policy setting, all administratively assigned folders are sy > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1331,6 +1949,70 @@ If you disable this policy setting, all administratively assigned folders are sy + +## Pol_ReminderFreq_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderFreq_1 +``` + + + + +Determines how often reminder balloon updates appear. + +- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. + +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_ReminderFreq_1 | +| Friendly Name | Reminder balloon frequency | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_ReminderFreq_2 @@ -1350,13 +2032,14 @@ If you disable this policy setting, all administratively assigned folders are sy Determines how often reminder balloon updates appear. -If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. +- If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. +> [!TIP] +> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. @@ -1374,13 +2057,13 @@ Tip: To set reminder balloon frequency without establishing a setting, in Window > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_ReminderFreq | +| Name | Pol_ReminderFreq_2 | | Friendly Name | Reminder balloon frequency | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1394,6 +2077,65 @@ Tip: To set reminder balloon frequency without establishing a setting, in Window + +## Pol_ReminderInitTimeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 +``` + + + + +Determines how long the first reminder balloon for a network status change is displayed. + +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_ReminderInitTimeout_1 | +| Friendly Name | Initial reminder balloon lifetime | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_ReminderInitTimeout_2 @@ -1433,13 +2175,13 @@ This setting appears in the Computer Configuration and User Configuration folder > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_ReminderInitTimeout | +| Name | Pol_ReminderInitTimeout_2 | | Friendly Name | Initial reminder balloon lifetime | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1453,6 +2195,65 @@ This setting appears in the Computer Configuration and User Configuration folder + +## Pol_ReminderTimeout_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderTimeout_1 +``` + + + + +Determines how long updated reminder balloons are displayed. + +Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_ReminderTimeout_1 | +| Friendly Name | Reminder balloon lifetime | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_ReminderTimeout_2 @@ -1492,13 +2293,13 @@ This setting appears in the Computer Configuration and User Configuration folder > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_ReminderTimeout | +| Name | Pol_ReminderTimeout_2 | | Friendly Name | Reminder balloon lifetime | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1531,11 +2332,11 @@ This setting appears in the Computer Configuration and User Configuration folder This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline. -If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. +- If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter. You can configure the slow-link mode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recommend that you always specify a value for Latency, since the round-trip network latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you do not specify a Latency or Throughput value, computers running Windows Vista or Windows Server 2008 will not use the slow-link mode. -If you do not configure this policy setting, computers running Windows Vista or Windows Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency. +- If you do not configure this policy setting, computers running Windows Vista or Windows Server 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans, it may be necessary to configure the latency threshold to be lower than the round-trip network latency. In Windows Vista or Windows Server 2008, once transitioned to slow-link mode, users will continue to operate in slow-link mode until the user clicks the Work Online button on the toolbar in Windows Explorer. Data will only be synchronized to the server if the user manually initiates synchronization by using Sync Center. @@ -1543,7 +2344,7 @@ In Windows 7, Windows Server 2008 R2, Windows 8 or Windows Server 2012, when ope In Windows 8 or Windows Server 2012, set the Latency threshold to 1ms to keep users always working offline in slow-link mode. -If you disable this policy setting, computers will not use the slow-link mode. +- If you disable this policy setting, computers will not use the slow-link mode. @@ -1561,7 +2362,7 @@ If you disable this policy setting, computers will not use the slow-link mode. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1603,11 +2404,12 @@ Configures the threshold value at which Offline Files considers a network connec When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected. -If you enable this setting, you can configure the threshold value that will be used to determine a slow network connection. +- If you enable this setting, you can configure the threshold value that will be used to determine a slow network connection. -If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow. +- If this setting is disabled or not configured, the default threshold value of 64,000 bps is used to determine if a network connection is considered to be slow. -Note: Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. +> [!NOTE] +> Use the following formula when entering the slow link value: [ bps / 100]. For example, if you want to set a threshold value of 128,000 bps, enter a value of 1280. @@ -1625,7 +2427,7 @@ Note: Use the following formula when entering the slow link value: [ bps / 100]. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1645,6 +2447,75 @@ Note: Use the following formula when entering the slow link value: [ bps / 100]. + +## Pol_SyncAtLogoff_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogoff_1 +``` + + + + +Determines whether offline files are fully synchronized when users log off. + +This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. + +- If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. + +- If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. + +- If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogoff_1 | +| Friendly Name | Synchronize all offline files before logging off | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogoff | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_SyncAtLogoff_2 @@ -1666,15 +2537,16 @@ Determines whether offline files are fully synchronized when users log off. This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. +- If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. -If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. +- If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. -If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. +- If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. +> [!TIP] +> To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. @@ -1692,13 +2564,13 @@ Tip: To change the synchronization method without changing a setting, in Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_SyncAtLogoff | +| Name | Pol_SyncAtLogoff_2 | | Friendly Name | Synchronize all offline files before logging off | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1713,6 +2585,75 @@ Tip: To change the synchronization method without changing a setting, in Windows + +## Pol_SyncAtLogon_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogon_1 +``` + + + + +Determines whether offline files are fully synchronized when users log on. + +This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. + +- If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. + +- If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. + +- If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. + +This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. + +> [!TIP] +> To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtLogon_1 | +| Friendly Name | Synchronize all offline files when logging on | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | SyncAtLogon | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_SyncAtLogon_2 @@ -1734,15 +2675,16 @@ Determines whether offline files are fully synchronized when users log on. This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. -If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. +- If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. -If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. +- If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. -If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. +- If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. -Tip: To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. +> [!TIP] +> To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. @@ -1760,13 +2702,13 @@ Tip: To change the synchronization method without setting a setting, in Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_SyncAtLogon | +| Name | Pol_SyncAtLogon_2 | | Friendly Name | Synchronize all offline files when logging on | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1781,6 +2723,68 @@ Tip: To change the synchronization method without setting a setting, in Windows + +## Pol_SyncAtSuspend_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtSuspend_1 +``` + + + + +Determines whether offline files are synchonized before a computer is suspended. + +- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. + +If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. + +> [!NOTE] +> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_SyncAtSuspend_1 | +| Friendly Name | Synchronize offline files before suspend | +| Location | User Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + ## Pol_SyncAtSuspend_2 @@ -1800,11 +2804,12 @@ Tip: To change the synchronization method without setting a setting, in Windows Determines whether offline files are synchonized before a computer is suspended. -If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. +- If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. -Note: If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. +> [!NOTE] +> If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. @@ -1822,13 +2827,13 @@ Note: If the computer is suspended by closing the display on a portable computer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_SyncAtSuspend | +| Name | Pol_SyncAtSuspend_2 | | Friendly Name | Synchronize offline files before suspend | | Location | Computer Configuration | | Path | Network > Offline Files | @@ -1861,9 +2866,9 @@ Note: If the computer is suspended by closing the display on a portable computer This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. -If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. +- If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans. -If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. +- If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user's network is roaming, near, or over the plan's data limit. The network folder must also be in "slow-link" mode, as specified by the "Configure slow-link mode" policy to avoid network usage. @@ -1881,7 +2886,7 @@ If this setting is disabled or not configured, synchronization will not run in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1902,1045 +2907,6 @@ If this setting is disabled or not configured, synchronization will not run in t - -## Pol_WorkOfflineDisabled_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 -``` - - - - -This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. - -If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. - -If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_WorkOfflineDisabled | -| Friendly Name | Remove "Work offline" command | -| Location | Computer Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | WorkOfflineDisabled | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_AssignedOfflineFiles_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1 -``` - - - - -This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. - -If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. - -If you disable this policy setting, the list of files or folders made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use). - -If you do not configure this policy setting, no files or folders are made available for offline use by Group Policy. - -Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings will be combined and all specified files will be available for offline use. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_AssignedOfflineFiles | -| Friendly Name | Specify administratively assigned Offline Files | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_CustomGoOfflineActions_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1 -``` - - - - -Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting. - -To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they are disconnected from this server, or type "1" if they cannot. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting. - -Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click Advanced. This setting corresponds to the settings in the "Exception list" section. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_CustomGoOfflineActions | -| Friendly Name | Non-default server disconnect actions | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_EventLoggingLevel_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_EventLoggingLevel_1 -``` - - - - -Determines which events the Offline Files feature records in the event log. - -Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record. - -To use this setting, in the "Enter" box, select the number corresponding to the events you want the system to log. The levels are cumulative; that is, each level includes the events in all preceding levels. - -"0" records an error when the offline storage cache is corrupted. - -"1" also records an event when the server hosting the offline file is disconnected from the network. - -"2" also records events when the local computer is connected and disconnected from the network. - -"3" also records an event when the server hosting the offline file is reconnected to the network. - -Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_EventLoggingLevel | -| Friendly Name | Event logging level | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_GoOfflineAction_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_GoOfflineAction_1 -``` - - - - -Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. - -This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. - -If you enable this setting, you can use the "Action" box to specify how computers in the group respond. - --- "Work offline" indicates that the computer can use local copies of network files while the server is inaccessible. - --- "Never go offline" indicates that network files are not available while the server is inaccessible. - -If you disable this setting or select the "Work offline" option, users can work offline if disconnected. - -If you do not configure this setting, users can work offline by default, but they can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To configure this setting without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, click Advanced, and then select an option in the "When a network connection is lost" section. - -Also, see the "Non-default server disconnect actions" setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_GoOfflineAction | -| Friendly Name | Action on server disconnect | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_NoCacheViewer_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoCacheViewer_1 -``` - - - - -Disables the Offline Files folder. - -This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location. - -This setting does not prevent users from working offline or from saving local copies of files available offline. Also, it does not prevent them from using other programs, such as Windows Explorer, to view their offline files. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To view the Offline Files Folder, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then click "View Files." - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_NoCacheViewer | -| Friendly Name | Prevent use of Offline Files folder | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | NoCacheViewer | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_NoConfigCache_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoConfigCache_1 -``` - - - - -Prevents users from enabling, disabling, or changing the configuration of Offline Files. - -This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box. - -This is a comprehensive setting that locks down the configuration you establish by using other settings in this folder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: This setting provides a quick method for locking down the default settings for Offline Files. To accept the defaults, just enable this setting. You do not have to disable any other settings in this folder. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_NoConfigCache | -| Friendly Name | Prohibit user configuration of Offline Files | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | NoConfigCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_NoMakeAvailableOffline_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1 -``` - - - - -This policy setting prevents users from making network files and folders available offline. - -If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching. - -If you disable or do not configure this policy setting, users can manually specify files and folders that they want to make available offline. - -Notes: - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. - -The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_NoMakeAvailableOffline | -| Friendly Name | Remove "Make Available Offline" command | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | NoMakeAvailableOffline | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_NoPinFiles_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoPinFiles_1 -``` - - - - -This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command. - -If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank. - -If you disable this policy setting, the list of files and folders is deleted, including any lists inherited from lower precedence GPOs, and the "Make Available Offline" command is displayed for all files and folders. - -If you do not configure this policy setting, the "Make Available Offline" command is available for all files and folders. - -Notes: - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. - -The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. - -This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline" command in File Explorer. - -If the "Remove 'Make Available Offline' command" policy setting is enabled, this setting has no effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_NoPinFiles | -| Friendly Name | Remove "Make Available Offline" for these files and folders | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_NoReminders_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_NoReminders_1 -``` - - - - -Hides or displays reminder balloons, and prevents users from changing the setting. - -Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed. - -If you enable this setting, the system hides the reminder balloons, and prevents users from displaying them. - -If you disable the setting, the system displays the reminder balloons and prevents users from hiding them. - -If this setting is not configured, reminder balloons are displayed by default when you enable offline files, but users can change the setting. - -To prevent users from changing the setting while a setting is in effect, the system disables the "Enable reminders" option on the Offline Files tab - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To display or hide reminder balloons without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Enable reminders" check box. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_NoReminders | -| Friendly Name | Turn off reminder balloons | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | NoReminders | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_ReminderFreq_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderFreq_1 -``` - - - - -Determines how often reminder balloon updates appear. - -If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_ReminderFreq | -| Friendly Name | Reminder balloon frequency | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_ReminderInitTimeout_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderInitTimeout_1 -``` - - - - -Determines how long the first reminder balloon for a network status change is displayed. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_ReminderInitTimeout | -| Friendly Name | Initial reminder balloon lifetime | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_ReminderTimeout_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_ReminderTimeout_1 -``` - - - - -Determines how long updated reminder balloons are displayed. - -Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_ReminderTimeout | -| Friendly Name | Reminder balloon lifetime | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_SyncAtLogoff_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogoff_1 -``` - - - - -Determines whether offline files are fully synchronized when users log off. - -This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. - -If you enable this setting, offline files are fully synchronized. Full synchronization ensures that offline files are complete and current. - -If you disable this setting, the system only performs a quick synchronization. Quick synchronization ensures that files are complete, but does not ensure that they are current. - -If you do not configure this setting, the system performs a quick synchronization by default, but users can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To change the synchronization method without changing a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging off" option. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_SyncAtLogoff | -| Friendly Name | Synchronize all offline files before logging off | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | SyncAtLogoff | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_SyncAtLogon_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtLogon_1 -``` - - - - -Determines whether offline files are fully synchronized when users log on. - -This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. - -If you enable this setting, offline files are fully synchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchronization in Synchronization Manager. - -If this setting is disabled and Synchronization Manager is configured for logon synchronization, the system performs only a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current. - -If you do not configure this setting and Synchronization Manager is configured for logon synchronization, the system performs a quick synchronization by default, but users can change this option. - -This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. - -Tip: To change the synchronization method without setting a setting, in Windows Explorer, on the Tools menu, click Folder Options, click the Offline Files tab, and then select the "Synchronize all offline files before logging on" option. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_SyncAtLogon | -| Friendly Name | Synchronize all offline files when logging on | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| Registry Value Name | SyncAtLogon | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - - -## Pol_SyncAtSuspend_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_SyncAtSuspend_1 -``` - - - - -Determines whether offline files are synchonized before a computer is suspended. - -If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version. - -If you disable or do not configuring this setting, files are not synchronized when the computer is suspended. - -Note: If the computer is suspended by closing the display on a portable computer, files are not synchronized. If multiple users are logged on to the computer at the time the computer is suspended, a synchronization is not performed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Pol_SyncAtSuspend | -| Friendly Name | Synchronize offline files before suspend | -| Location | User Configuration | -| Path | Network > Offline Files | -| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | -| ADMX File Name | OfflineFiles.admx | - - - - - - - - ## Pol_WorkOfflineDisabled_1 @@ -2960,9 +2926,9 @@ Note: If the computer is suspended by closing the display on a portable computer This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. -If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. +- If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. -If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. +- If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. @@ -2980,13 +2946,13 @@ If you disable or do not configure this policy setting, the "Work offline" comma > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Pol_WorkOfflineDisabled | +| Name | Pol_WorkOfflineDisabled_1 | | Friendly Name | Remove "Work offline" command | | Location | User Configuration | | Path | Network > Offline Files | @@ -3001,6 +2967,66 @@ If you disable or do not configure this policy setting, the "Work offline" comma + +## Pol_WorkOfflineDisabled_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2 +``` + + + + +This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. + +- If you enable this policy setting, the "Work offline" command is not displayed in File Explorer. + +- If you disable or do not configure this policy setting, the "Work offline" command is displayed in File Explorer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_WorkOfflineDisabled_2 | +| Friendly Name | Remove "Work offline" command | +| Location | Computer Configuration | +| Path | Network > Offline Files | +| Registry Key Name | Software\Policies\Microsoft\Windows\NetCache | +| Registry Value Name | WorkOfflineDisabled | +| ADMX File Name | OfflineFiles.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 89c7226673..936802cf55 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -1,10 +1,10 @@ --- title: ADMX_pca Policy CSP -description: Learn more about the ADMX_pca Area in Policy CSP +description: Learn more about the ADMX_pca Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_pca > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,13 +60,13 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DetectBlockedDriversText | +| Name | DetectBlockedDriversPolicy | | Friendly Name | Notify blocked drivers | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | @@ -117,13 +115,13 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DetectDeprecatedCOMComponentFailuresText | +| Name | DetectDeprecatedCOMComponentFailuresPolicy | | Friendly Name | Detect application failures caused by deprecated COM objects | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | @@ -173,13 +171,13 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DetectDeprecatedComponentFailuresText | +| Name | DetectDeprecatedComponentFailuresPolicy | | Friendly Name | Detect application failures caused by deprecated Windows DLLs | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | @@ -229,13 +227,13 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DetectInstallFailuresText | +| Name | DetectInstallFailuresPolicy | | Friendly Name | Detect application install failures | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | @@ -284,13 +282,13 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DetectUndetectedInstallersText | +| Name | DetectUndetectedInstallersPolicy | | Friendly Name | Detect application installers that need to be run as administrator | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | @@ -340,13 +338,13 @@ This setting exists only for backward compatibility, and is not valid for this v > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DetectUpdateFailuresText | +| Name | DetectUpdateFailuresPolicy | | Friendly Name | Detect applications unable to launch installers under UAC | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | @@ -380,13 +378,14 @@ This setting exists only for backward compatibility, and is not valid for this v This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. -If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. +- If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. -If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. +- If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. -If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. +- If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. -Note: This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. +> [!NOTE] +> This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. @@ -404,13 +403,13 @@ Note: This policy setting has no effect if the "Turn off Program Compatibility A > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisablePcaUIText | +| Name | DisablePcaUIPolicy | | Friendly Name | Detect compatibility issues for applications and drivers | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Application Compatibility Diagnostics | diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 0bd323a6d7..dea0b08208 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -1,10 +1,10 @@ --- title: ADMX_PeerToPeerCaching Policy CSP -description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP +description: Learn more about the ADMX_PeerToPeerCaching Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_PeerToPeerCaching > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -80,13 +78,13 @@ Select one of the following: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_Enable | +| Name | EnableWindowsBranchCache | | Friendly Name | Turn on BranchCache | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -150,13 +148,13 @@ Select one of the following: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_Distributed_Enable | +| Name | EnableWindowsBranchCache_Distributed | | Friendly Name | Set BranchCache Distributed Cache mode | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -226,13 +224,13 @@ Hosted cache clients must trust the server certificate that is issued to the hos > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_HostedCache_Location | +| Name | EnableWindowsBranchCache_Hosted | | Friendly Name | Set BranchCache Hosted Cache mode | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -263,9 +261,10 @@ Hosted cache clients must trust the server certificate that is issued to the hos -This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. +This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. +- If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. -If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. +- If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances: @@ -305,13 +304,13 @@ Select one of the following: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_HostedCacheDiscovery_Enable | +| Name | EnableWindowsBranchCache_HostedCacheDiscovery | | Friendly Name | Enable Automatic Hosted Cache Discovery by Service Connection Point | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -345,11 +344,11 @@ Select one of the following: This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. -If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. +- If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting. This policy setting can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the "Set BranchCache Hosted Cache mode" policy setting, use the hosted cache servers that are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cache Mode." -If you do not configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. +- If you do not configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. Policy configuration @@ -381,13 +380,13 @@ In circumstances where this setting is enabled, you can also select and configur > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_HostedCache_MultipleServers | +| Name | EnableWindowsBranchCache_HostedMultipleServers | | Friendly Name | Configure Hosted Cache Servers | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -450,13 +449,13 @@ In circumstances where this policy setting is enabled, you can also select and c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_SMB_Enable | +| Name | EnableWindowsBranchCache_SMB | | Friendly Name | Configure BranchCache for network files | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -489,9 +488,9 @@ In circumstances where this policy setting is enabled, you can also select and c This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers. -If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. +- If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache. -If you disable or do not configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. +- If you disable or do not configure this policy setting, the cache is set to 5 percent of the total disk space on the client computer. Policy configuration @@ -525,13 +524,13 @@ In circumstances where this setting is enabled, you can also select and configur > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_Cache_Percent | +| Name | SetCachePercent | | Friendly Name | Set percentage of disk space used for client computer cache | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -564,9 +563,9 @@ In circumstances where this setting is enabled, you can also select and configur This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. -If you enable this policy setting, you can configure the age for segments in the data cache. +- If you enable this policy setting, you can configure the age for segments in the data cache. -If you disable or do not configure this policy setting, the age is set to 28 days. +- If you disable or do not configure this policy setting, the age is set to 28 days. Policy configuration @@ -598,13 +597,13 @@ In circumstances where this setting is enabled, you can also select and configur > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_Cache_MaxAge | +| Name | SetDataCacheEntryMaxAge | | Friendly Name | Set age for segments in the data cache | | Location | Computer Configuration | | Path | Network > BranchCache | @@ -637,9 +636,9 @@ In circumstances where this setting is enabled, you can also select and configur This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. -If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." +- If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions." -If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system. +- If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system. Policy configuration @@ -675,13 +674,13 @@ Select from the following versions > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WBC_Downgrading | +| Name | SetDowngrading | | Friendly Name | Configure Client BranchCache Version Support | | Location | Computer Configuration | | Path | Network > BranchCache | diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index 89fc8838fa..bc3212ef5a 100644 --- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -1,10 +1,10 @@ --- title: ADMX_PenTraining Policy CSP -description: Learn more about the ADMX_PenTraining Area in Policy CSP +description: Learn more about the ADMX_PenTraining Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_PenTraining > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,66 +25,6 @@ ms.topic: reference - -## PenTrainingOff_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PenTraining/PenTrainingOff_2 -``` - - - - -Turns off Tablet PC Pen Training. - -If you enable this policy setting, users cannot open Tablet PC Pen Training. - -If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PenTrainingOff | -| Friendly Name | Turn off Tablet PC Pen Training | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | -| Registry Key Name | SOFTWARE\Policies\Microsoft\PenTraining | -| Registry Value Name | DisablePenTraining | -| ADMX File Name | PenTraining.admx | - - - - - - - - ## PenTrainingOff_1 @@ -106,9 +44,9 @@ If you disable or do not configure this policy setting, users can open Tablet PC Turns off Tablet PC Pen Training. -If you enable this policy setting, users cannot open Tablet PC Pen Training. +- If you enable this policy setting, users cannot open Tablet PC Pen Training. -If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. @@ -126,13 +64,13 @@ If you disable or do not configure this policy setting, users can open Tablet PC > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PenTrainingOff | +| Name | PenTrainingOff_1 | | Friendly Name | Turn off Tablet PC Pen Training | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | @@ -147,6 +85,66 @@ If you disable or do not configure this policy setting, users can open Tablet PC + +## PenTrainingOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PenTraining/PenTrainingOff_2 +``` + + + + +Turns off Tablet PC Pen Training. + +- If you enable this policy setting, users cannot open Tablet PC Pen Training. + +- If you disable or do not configure this policy setting, users can open Tablet PC Pen Training. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PenTrainingOff_2 | +| Friendly Name | Turn off Tablet PC Pen Training | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Tablet PC Pen Training | +| Registry Key Name | SOFTWARE\Policies\Microsoft\PenTraining | +| Registry Value Name | DisablePenTraining | +| ADMX File Name | PenTraining.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 4b5fd02e91..f422307fe0 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -1,10 +1,10 @@ --- title: ADMX_PerformanceDiagnostics Policy CSP -description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP +description: Learn more about the ADMX_PerformanceDiagnostics Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_PerformanceDiagnostics > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference Determines the execution level for Windows Boot Performance Diagnostics. -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS. +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Boot Performance problems that are handled by the DPS. -If you do not configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default. +- If you do not configure this policy setting, the DPS will enable Windows Boot Performance for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -74,13 +72,13 @@ This policy setting will only take effect when the Diagnostic Policy Service is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WdiScenarioExecutionPolicy | +| Name | WdiScenarioExecutionPolicy_1 | | Friendly Name | Configure Scenario Execution Level | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Windows Boot Performance Diagnostics | @@ -114,11 +112,11 @@ This policy setting will only take effect when the Diagnostic Policy Service is Determines the execution level for Windows System Responsiveness Diagnostics. -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows System Responsiveness problems and indicate to the user that assisted resolution is available. +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows System Responsiveness problems and indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows System Responsiveness problems that are handled by the DPS. +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows System Responsiveness problems that are handled by the DPS. -If you do not configure this policy setting, the DPS will enable Windows System Responsiveness for resolution by default. +- If you do not configure this policy setting, the DPS will enable Windows System Responsiveness for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -142,13 +140,13 @@ This policy setting will only take effect when the Diagnostic Policy Service is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WdiScenarioExecutionPolicy | +| Name | WdiScenarioExecutionPolicy_2 | | Friendly Name | Configure Scenario Execution Level | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Windows System Responsiveness Performance Diagnostics | @@ -182,11 +180,11 @@ This policy setting will only take effect when the Diagnostic Policy Service is Determines the execution level for Windows Shutdown Performance Diagnostics. -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS. +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Shutdown Performance problems that are handled by the DPS. -If you do not configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default. +- If you do not configure this policy setting, the DPS will enable Windows Shutdown Performance for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -210,13 +208,13 @@ This policy setting will only take effect when the Diagnostic Policy Service is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WdiScenarioExecutionPolicy | +| Name | WdiScenarioExecutionPolicy_3 | | Friendly Name | Configure Scenario Execution Level | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Windows Shutdown Performance Diagnostics | @@ -250,11 +248,11 @@ This policy setting will only take effect when the Diagnostic Policy Service is Determines the execution level for Windows Standby/Resume Performance Diagnostics. -If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. +- If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS. -If you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. +- If you do not configure this policy setting, the DPS will enable Windows Standby/Resume Performance for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. @@ -278,13 +276,13 @@ This policy setting will only take effect when the Diagnostic Policy Service is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WdiScenarioExecutionPolicy | +| Name | WdiScenarioExecutionPolicy_4 | | Friendly Name | Configure Scenario Execution Level | | Location | Computer Configuration | | Path | System > Troubleshooting and Diagnostics > Windows Standby/Resume Performance Diagnostics | diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index b2005dd694..8d39627171 100644 --- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -1,10 +1,10 @@ --- title: ADMX_Power Policy CSP -description: Learn more about the ADMX_Power Area in Policy CSP +description: Learn more about the ADMX_Power Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Power > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. -If you enable this policy setting, network connectivity will be maintained in standby. +- If you enable this policy setting, network connectivity will be maintained in standby. -If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. +- If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. -If you do not configure this policy setting, users control this setting. +- If you do not configure this policy setting, users control this setting. @@ -68,13 +66,13 @@ If you do not configure this policy setting, users control this setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ACConnectivityInStandby | +| Name | ACConnectivityInStandby_2 | | Friendly Name | Allow network connectivity during connected-standby (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -108,9 +106,9 @@ If you do not configure this policy setting, users control this setting. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. -If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). +- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -128,13 +126,13 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ACCriticalSleepTransitionsDisable | +| Name | ACCriticalSleepTransitionsDisable_2 | | Friendly Name | Turn on the ability for applications to prevent sleep transitions (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -168,12 +166,12 @@ If you disable or do not configure this policy setting, users control this setti This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: -Sleep -Hibernate -Shut down -If you disable this policy or do not configure this policy setting, users control this setting. +- If you disable this policy or do not configure this policy setting, users control this setting. @@ -191,13 +189,13 @@ If you disable this policy or do not configure this policy setting, users contro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ACStartMenuButtonAction | +| Name | ACStartMenuButtonAction_2 | | Friendly Name | Select the Start menu Power button action (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Button Settings | @@ -230,9 +228,9 @@ If you disable this policy or do not configure this policy setting, users contro This policy setting allows applications and services to prevent automatic sleep. -If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. +- If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. -If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. +- If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. @@ -250,7 +248,7 @@ If you disable or do not configure this policy setting, applications, services, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -290,9 +288,9 @@ If you disable or do not configure this policy setting, applications, services, This policy setting allows applications and services to prevent automatic sleep. -If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. +- If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. -If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. +- If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. @@ -310,7 +308,7 @@ If you disable or do not configure this policy setting, applications, services, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -350,9 +348,9 @@ If you disable or do not configure this policy setting, applications, services, This policy setting allows you to manage automatic sleep with open network files. -If you enable this policy setting, the computer automatically sleeps when network files are open. +- If you enable this policy setting, the computer automatically sleeps when network files are open. -If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. +- If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. @@ -370,7 +368,7 @@ If you disable or do not configure this policy setting, the computer does not au > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -410,9 +408,9 @@ If you disable or do not configure this policy setting, the computer does not au This policy setting allows you to manage automatic sleep with open network files. -If you enable this policy setting, the computer automatically sleeps when network files are open. +- If you enable this policy setting, the computer automatically sleeps when network files are open. -If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. +- If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. @@ -430,7 +428,7 @@ If you disable or do not configure this policy setting, the computer does not au > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -468,11 +466,11 @@ If you disable or do not configure this policy setting, the computer does not au -This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. +This policy setting specifies the active power plan from a specified power plan's GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. -If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. +- If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. -If you disable or do not configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. @@ -490,13 +488,13 @@ If you disable or do not configure this policy setting, users can see and change > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CustomActiveSchemeOverride | +| Name | CustomActiveSchemeOverride_2 | | Friendly Name | Specify a custom active power plan | | Location | Computer Configuration | | Path | System > Power Management | @@ -529,13 +527,13 @@ If you disable or do not configure this policy setting, users can see and change This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: -Take no action -Sleep -Hibernate -Shut down -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -553,13 +551,13 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCBatteryDischargeAction0 | +| Name | DCBatteryDischargeAction0_2 | | Friendly Name | Critical battery notification action | | Location | Computer Configuration | | Path | System > Power Management > Notification Settings | @@ -592,13 +590,13 @@ If you disable or do not configure this policy setting, users control this setti This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: -Take no action -Sleep -Hibernate -Shut down -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -616,13 +614,13 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCBatteryDischargeAction1 | +| Name | DCBatteryDischargeAction1_2 | | Friendly Name | Low battery notification action | | Location | Computer Configuration | | Path | System > Power Management > Notification Settings | @@ -655,11 +653,11 @@ If you disable or do not configure this policy setting, users control this setti This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. -If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. +- If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. To set the action that is triggered, see the "Critical Battery Notification Action" policy setting. -If you disable this policy setting or do not configure it, users control this setting. +- If you disable this policy setting or do not configure it, users control this setting. @@ -677,13 +675,13 @@ If you disable this policy setting or do not configure it, users control this se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCBatteryDischargeLevel0 | +| Name | DCBatteryDischargeLevel0_2 | | Friendly Name | Critical battery notification level | | Location | Computer Configuration | | Path | System > Power Management > Notification Settings | @@ -716,11 +714,11 @@ If you disable this policy setting or do not configure it, users control this se This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. -If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. +- If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. To set the action that is triggered, see the "Low Battery Notification Action" policy setting. -If you disable this policy setting or do not configure it, users control this setting. +- If you disable this policy setting or do not configure it, users control this setting. @@ -738,13 +736,13 @@ If you disable this policy setting or do not configure it, users control this se > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCBatteryDischargeLevel1 | +| Name | DCBatteryDischargeLevel1_2 | | Friendly Name | Low battery notification level | | Location | Computer Configuration | | Path | System > Power Management > Notification Settings | @@ -777,11 +775,11 @@ If you disable this policy setting or do not configure it, users control this se This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. -If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. +- If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". -If you disable or do not configure this policy setting, users can control this setting. +- If you disable or do not configure this policy setting, users can control this setting. @@ -799,13 +797,13 @@ If you disable or do not configure this policy setting, users can control this s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCBatteryDischargeLevel1UINotification | +| Name | DCBatteryDischargeLevel1UINotification_2 | | Friendly Name | Turn off low battery user notification | | Location | Computer Configuration | | Path | System > Power Management > Notification Settings | @@ -839,11 +837,11 @@ If you disable or do not configure this policy setting, users can control this s This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. -If you enable this policy setting, network connectivity will be maintained in standby. +- If you enable this policy setting, network connectivity will be maintained in standby. -If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. +- If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. -If you do not configure this policy setting, users control this setting. +- If you do not configure this policy setting, users control this setting. @@ -861,13 +859,13 @@ If you do not configure this policy setting, users control this setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCConnectivityInStandby | +| Name | DCConnectivityInStandby_2 | | Friendly Name | Allow network connectivity during connected-standby (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -901,9 +899,9 @@ If you do not configure this policy setting, users control this setting. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. -If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). +- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -921,13 +919,13 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCCriticalSleepTransitionsDisable | +| Name | DCCriticalSleepTransitionsDisable_2 | | Friendly Name | Turn on the ability for applications to prevent sleep transitions (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -961,12 +959,12 @@ If you disable or do not configure this policy setting, users control this setti This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. -If you enable this policy setting, select one of the following actions: +- If you enable this policy setting, select one of the following actions: -Sleep -Hibernate -Shut down -If you disable this policy or do not configure this policy setting, users control this setting. +- If you disable this policy or do not configure this policy setting, users control this setting. @@ -984,13 +982,13 @@ If you disable this policy or do not configure this policy setting, users contro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCStartMenuButtonAction | +| Name | DCStartMenuButtonAction_2 | | Friendly Name | Select the Start menu Power button action (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Button Settings | @@ -1023,9 +1021,9 @@ If you disable this policy or do not configure this policy setting, users contro This policy setting specifies the period of inactivity before Windows turns off the hard disk. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. -If you disable or do not configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. @@ -1043,13 +1041,13 @@ If you disable or do not configure this policy setting, users can see and change > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DiskACPowerDownTimeOut | +| Name | DiskACPowerDownTimeOut_2 | | Friendly Name | Turn Off the hard disk (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Hard Disk Settings | @@ -1082,9 +1080,9 @@ If you disable or do not configure this policy setting, users can see and change This policy setting specifies the period of inactivity before Windows turns off the hard disk. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. -If you disable or do not configure this policy setting, users can see and change this setting. +- If you disable or do not configure this policy setting, users can see and change this setting. @@ -1102,13 +1100,13 @@ If you disable or do not configure this policy setting, users can see and change > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DiskDCPowerDownTimeOut | +| Name | DiskDCPowerDownTimeOut_2 | | Friendly Name | Turn Off the hard disk (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Hard Disk Settings | @@ -1143,9 +1141,9 @@ This policy setting allows you to configure whether power is automatically turne This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown(). -If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. +- If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. -If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. +- If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. @@ -1163,7 +1161,7 @@ If you disable or do not configure this policy setting, the computer system safe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1203,11 +1201,11 @@ If you disable or do not configure this policy setting, the computer system safe This policy setting allows you to specify if Windows should enable the desktop background slideshow. -If you enable this policy setting, desktop background slideshow is enabled. +- If you enable this policy setting, desktop background slideshow is enabled. -If you disable this policy setting, the desktop background slideshow is disabled. +- If you disable this policy setting, the desktop background slideshow is disabled. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -1225,7 +1223,7 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1265,11 +1263,11 @@ If you disable or do not configure this policy setting, users control this setti This policy setting allows you to specify if Windows should enable the desktop background slideshow. -If you enable this policy setting, desktop background slideshow is enabled. +- If you enable this policy setting, desktop background slideshow is enabled. -If you disable this policy setting, the desktop background slideshow is disabled. +- If you disable this policy setting, the desktop background slideshow is disabled. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -1287,7 +1285,7 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1327,9 +1325,9 @@ If you disable or do not configure this policy setting, users control this setti This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. -If you enable this policy setting, specify a power plan from the Active Power Plan list. +- If you enable this policy setting, specify a power plan from the Active Power Plan list. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -1347,13 +1345,13 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | InboxActiveSchemeOverride | +| Name | InboxActiveSchemeOverride_2 | | Friendly Name | Select an active power plan | | Location | Computer Configuration | | Path | System > Power Management | @@ -1386,9 +1384,9 @@ If you disable or do not configure this policy setting, users control this setti This policy setting allows you to turn off Power Throttling. -If you enable this policy setting, Power Throttling will be turned off. +- If you enable this policy setting, Power Throttling will be turned off. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -1406,7 +1404,7 @@ If you disable or do not configure this policy setting, users control this setti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1427,65 +1425,6 @@ If you disable or do not configure this policy setting, users control this setti - -## ReserveBatteryNotificationLevel - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ReserveBatteryNotificationLevel -``` - - - - -This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. - -If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. - -If you disable or do not configure this policy setting, users can see and change this setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ReserveBatteryNotificationLevel | -| Friendly Name | Reserve battery notification level | -| Location | Computer Configuration | -| Path | System > Power Management > Notification Settings | -| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F00 | -| ADMX File Name | Power.admx | - - - - - - - - ## PW_PromptPasswordOnResume @@ -1505,9 +1444,9 @@ If you disable or do not configure this policy setting, users can see and change This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. -If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. +- If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. -If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. +- If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. @@ -1525,7 +1464,7 @@ If you disable or do not configure this policy setting, users control if their c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1546,6 +1485,65 @@ If you disable or do not configure this policy setting, users control if their c + +## ReserveBatteryNotificationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Power/ReserveBatteryNotificationLevel +``` + + + + +This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. + +- If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. + +- If you disable or do not configure this policy setting, users can see and change this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ReserveBatteryNotificationLevel | +| Friendly Name | Reserve battery notification level | +| Location | Computer Configuration | +| Path | System > Power Management > Notification Settings | +| Registry Key Name | Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F00 | +| ADMX File Name | Power.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 336e6879ec..0c13746a26 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -1,10 +1,10 @@ --- title: ADMX_PowerShellExecutionPolicy Policy CSP -description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP +description: Learn more about the ADMX_PowerShellExecutionPolicy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_PowerShellExecutionPolicy > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,15 +48,16 @@ ms.topic: reference This policy setting allows you to turn on logging for Windows PowerShell modules. -If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. +- If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. -If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. +- If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. -If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. +- If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. -Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. @@ -76,7 +75,7 @@ Note: This policy setting exists under both Computer Configuration and User Conf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -120,7 +119,7 @@ Note: This policy setting exists under both Computer Configuration and User Conf This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. -If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. +- If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. @@ -128,11 +127,12 @@ The "Allow local scripts and remote signed scripts" policy setting allows any lo The "Allow all scripts" policy setting allows all scripts to run. -If you disable this policy setting, no scripts are allowed to run. +- If you disable this policy setting, no scripts are allowed to run. -Note: This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." +> [!NOTE] +> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." -If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." +- If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." @@ -150,7 +150,7 @@ If you disable or do not configure this policy setting, it reverts to a per-mach > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -194,18 +194,19 @@ If you disable or do not configure this policy setting, it reverts to a per-mach This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. -If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other +- If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. -If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled +- If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. -Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. @@ -223,7 +224,7 @@ Note: This policy setting exists under both Computer Configuration and User Conf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -267,11 +268,12 @@ Note: This policy setting exists under both Computer Configuration and User Conf This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. -If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. +- If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. -If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. +- If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. -Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. @@ -289,7 +291,7 @@ Note: This policy setting exists under both Computer Configuration and User Conf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index 554221fd36..c2aa223837 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -1,10 +1,10 @@ --- title: ADMX_PreviousVersions Policy CSP -description: Learn more about the ADMX_PreviousVersions Area in Policy CSP +description: Learn more about the ADMX_PreviousVersions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_PreviousVersions > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,378 +25,6 @@ ms.topic: reference - -## DisableBackupRestore_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableBackupRestore_2 -``` - - - - -This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. - -If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. - -If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. - -If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableBackupRestore | -| Friendly Name | Prevent restoring previous versions from backups | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer > Previous Versions | -| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | -| Registry Value Name | DisableBackupRestore | -| ADMX File Name | PreviousVersions.admx | - - - - - - - - - -## DisableLocalPage_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalPage_2 -``` - - - - -This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. - -If you enable this policy setting, users cannot list or restore previous versions of files on local disks. - -If you disable this policy setting, users cannot list and restore previous versions of files on local disks. - -If you do not configure this policy setting, it defaults to disabled. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableLocalPage | -| Friendly Name | Hide previous versions list for local files | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer > Previous Versions | -| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | -| Registry Value Name | DisableLocalPage | -| ADMX File Name | PreviousVersions.admx | - - - - - - - - - -## DisableLocalRestore_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalRestore_2 -``` - - - - -This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. - -If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. - -If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. - -If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableLocalRestore | -| Friendly Name | Prevent restoring local previous versions | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer > Previous Versions | -| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | -| Registry Value Name | DisableLocalRestore | -| ADMX File Name | PreviousVersions.admx | - - - - - - - - - -## DisableRemotePage_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemotePage_2 -``` - - - - -This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. - -If you enable this policy setting, users cannot list or restore previous versions of files on file shares. - -If you disable this policy setting, users can list and restore previous versions of files on file shares. - -If you do not configure this policy setting, it is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableRemotePage | -| Friendly Name | Hide previous versions list for remote files | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer > Previous Versions | -| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | -| Registry Value Name | DisableRemotePage | -| ADMX File Name | PreviousVersions.admx | - - - - - - - - - -## DisableRemoteRestore_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemoteRestore_2 -``` - - - - -This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. - -If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. - -If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. - -If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableRemoteRestore | -| Friendly Name | Prevent restoring remote previous versions | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer > Previous Versions | -| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | -| Registry Value Name | DisableRemoteRestore | -| ADMX File Name | PreviousVersions.admx | - - - - - - - - - -## HideBackupEntries_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/HideBackupEntries_2 -``` - - - - -This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. - -If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. - -If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. - -If you do not configure this policy setting, it is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | HideBackupEntries | -| Friendly Name | Hide previous versions of files on backup location | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer > Previous Versions | -| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | -| Registry Value Name | HideBackupEntries | -| ADMX File Name | PreviousVersions.admx | - - - - - - - - ## DisableBackupRestore_1 @@ -418,11 +44,11 @@ If you do not configure this policy setting, it is disabled by default. This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. -If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. -If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. -If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. @@ -440,13 +66,13 @@ If you do not configure this policy setting, it is disabled by default. The Rest > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableBackupRestore | +| Name | DisableBackupRestore_1 | | Friendly Name | Prevent restoring previous versions from backups | | Location | User Configuration | | Path | WindowsComponents > File Explorer > Previous Versions | @@ -461,6 +87,68 @@ If you do not configure this policy setting, it is disabled by default. The Rest + +## DisableBackupRestore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableBackupRestore_2 +``` + + + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a backup. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a backup. If the Restore button is clicked, Windows attempts to restore the file from the backup media. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file and stored on the backup. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableBackupRestore_2 | +| Friendly Name | Prevent restoring previous versions from backups | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableBackupRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + ## DisableLocalPage_1 @@ -480,11 +168,11 @@ If you do not configure this policy setting, it is disabled by default. The Rest This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. -If you enable this policy setting, users cannot list or restore previous versions of files on local disks. +- If you enable this policy setting, users cannot list or restore previous versions of files on local disks. -If you disable this policy setting, users cannot list and restore previous versions of files on local disks. +- If you disable this policy setting, users cannot list and restore previous versions of files on local disks. -If you do not configure this policy setting, it defaults to disabled. +- If you do not configure this policy setting, it defaults to disabled. @@ -502,13 +190,13 @@ If you do not configure this policy setting, it defaults to disabled. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableLocalPage | +| Name | DisableLocalPage_1 | | Friendly Name | Hide previous versions list for local files | | Location | User Configuration | | Path | WindowsComponents > File Explorer > Previous Versions | @@ -523,6 +211,68 @@ If you do not configure this policy setting, it defaults to disabled. + +## DisableLocalPage_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalPage_2 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. + +- If you enable this policy setting, users cannot list or restore previous versions of files on local disks. + +- If you disable this policy setting, users cannot list and restore previous versions of files on local disks. + +- If you do not configure this policy setting, it defaults to disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocalPage_2 | +| Friendly Name | Hide previous versions list for local files | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalPage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + ## DisableLocalRestore_1 @@ -542,11 +292,11 @@ If you do not configure this policy setting, it defaults to disabled. This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. -If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. -If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. -If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. @@ -564,13 +314,13 @@ If you do not configure this policy setting, it is disabled by default. The Rest > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableLocalRestore | +| Name | DisableLocalRestore_1 | | Friendly Name | Prevent restoring local previous versions | | Location | User Configuration | | Path | WindowsComponents > File Explorer > Previous Versions | @@ -585,6 +335,68 @@ If you do not configure this policy setting, it is disabled by default. The Rest + +## DisableLocalRestore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableLocalRestore_2 +``` + + + + +This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a local file. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button, Windows attempts to restore the file from the local disk. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a local file. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocalRestore_2 | +| Friendly Name | Prevent restoring local previous versions | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableLocalRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + ## DisableRemotePage_1 @@ -604,11 +416,11 @@ If you do not configure this policy setting, it is disabled by default. The Rest This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. -If you enable this policy setting, users cannot list or restore previous versions of files on file shares. +- If you enable this policy setting, users cannot list or restore previous versions of files on file shares. -If you disable this policy setting, users can list and restore previous versions of files on file shares. +- If you disable this policy setting, users can list and restore previous versions of files on file shares. -If you do not configure this policy setting, it is disabled by default. +- If you do not configure this policy setting, it is disabled by default. @@ -626,13 +438,13 @@ If you do not configure this policy setting, it is disabled by default. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableRemotePage | +| Name | DisableRemotePage_1 | | Friendly Name | Hide previous versions list for remote files | | Location | User Configuration | | Path | WindowsComponents > File Explorer > Previous Versions | @@ -647,6 +459,68 @@ If you do not configure this policy setting, it is disabled by default. + +## DisableRemotePage_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemotePage_2 +``` + + + + +This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. + +- If you enable this policy setting, users cannot list or restore previous versions of files on file shares. + +- If you disable this policy setting, users can list and restore previous versions of files on file shares. + +- If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemotePage_2 | +| Friendly Name | Hide previous versions list for remote files | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemotePage | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + ## DisableRemoteRestore_1 @@ -666,11 +540,11 @@ If you do not configure this policy setting, it is disabled by default. This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. -If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. -If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. -If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. @@ -688,13 +562,13 @@ If you do not configure this policy setting, it is disabled by default. The Rest > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableRemoteRestore | +| Name | DisableRemoteRestore_1 | | Friendly Name | Prevent restoring remote previous versions | | Location | User Configuration | | Path | WindowsComponents > File Explorer > Previous Versions | @@ -709,6 +583,68 @@ If you do not configure this policy setting, it is disabled by default. The Rest + +## DisableRemoteRestore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/DisableRemoteRestore_2 +``` + + + + +This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. + +- If you enable this policy setting, the Restore button is disabled when the user selects a previous version corresponding to a file on a file share. + +- If you disable this policy setting, the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button, Windows attempts to restore the file from the file share. + +- If you do not configure this policy setting, it is disabled by default. The Restore button is active when the previous version is of a file on a file share. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableRemoteRestore_2 | +| Friendly Name | Prevent restoring remote previous versions | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | DisableRemoteRestore | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + ## HideBackupEntries_1 @@ -728,11 +664,11 @@ If you do not configure this policy setting, it is disabled by default. The Rest This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. -If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. -If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. -If you do not configure this policy setting, it is disabled by default. +- If you do not configure this policy setting, it is disabled by default. @@ -750,13 +686,13 @@ If you do not configure this policy setting, it is disabled by default. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | HideBackupEntries | +| Name | HideBackupEntries_1 | | Friendly Name | Hide previous versions of files on backup location | | Location | User Configuration | | Path | WindowsComponents > File Explorer > Previous Versions | @@ -771,6 +707,68 @@ If you do not configure this policy setting, it is disabled by default. + +## HideBackupEntries_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_PreviousVersions/HideBackupEntries_2 +``` + + + + +This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. + +- If you enable this policy setting, users cannot see any previous versions corresponding to backup copies, and can see only previous versions corresponding to on-disk restore points. + +- If you disable this policy setting, users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points. + +- If you do not configure this policy setting, it is disabled by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideBackupEntries_2 | +| Friendly Name | Hide previous versions of files on backup location | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer > Previous Versions | +| Registry Key Name | Software\Policies\Microsoft\PreviousVersions | +| Registry Value Name | HideBackupEntries | +| ADMX File Name | PreviousVersions.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index e21e90d625..b85780257a 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1,10 +1,10 @@ --- title: ADMX_Printing Policy CSP -description: Learn more about the ADMX_Printing Area in Policy CSP +description: Learn more about the ADMX_Printing Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Printing > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet. -If you enable this policy setting, Internet printing is activated on this server. +- If you enable this policy setting, Internet printing is activated on this server. -If you disable this policy setting or do not configure it, Internet printing is not activated. +- If you disable this policy setting or do not configure it, Internet printing is not activated. Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing support and this setting must be enabled. -Note: This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. +> [!NOTE] +> This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. @@ -72,7 +71,7 @@ Also, see the "Custom support URL in the Printers folder's left pane" setting in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -114,11 +113,11 @@ Determines if print driver components are isolated from applications instead of Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. -If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated. +- If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated. -If you disable this policy setting, then print drivers will be loaded within all associated application processes. +- If you disable this policy setting, then print drivers will be loaded within all associated application processes. -Notes: +**Note**: -This policy setting applies only to applications opted into isolation. -This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected. -This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect. @@ -139,7 +138,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -179,11 +178,12 @@ Notes: By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. -If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. +- If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise. -If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder. +- If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder. -Note: Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") +> [!NOTE] +> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.") Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers. @@ -205,7 +205,7 @@ Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Opt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -242,11 +242,11 @@ Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Opt -If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) +- If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.) -If this policy setting is disabled, the network scan page will not be displayed. +- If this policy setting is disabled, the network scan page will not be displayed. -If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type: +- If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type: Directory printers: 20 TCP/IP printers: 0 Web Services printers: 0 @@ -257,7 +257,8 @@ In order to view available Web Services printers on your network, ensure that ne If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. -In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. +- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. @@ -277,7 +278,7 @@ In Windows 8 and later, Bluetooth printers are not shown so its limit does not a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -317,9 +318,9 @@ In Windows 8 and later, Bluetooth printers are not shown so its limit does not a This policy setting allows you to manage where client computers search for Point and Printer drivers. -If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. +- If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache. -If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail. +- If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail. This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using. By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior. @@ -340,7 +341,7 @@ By default, Windows Ultimate, Professional and Home SKUs will continue to search > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -361,6 +362,69 @@ By default, Windows Ultimate, Professional and Home SKUs will continue to search + +## DownlevelBrowse + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/DownlevelBrowse +``` + + + + +Allows users to use the Add Printer Wizard to search the network for shared printers. + +- If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. + +- If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. + +> [!NOTE] +> This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DownlevelBrowse | +| Friendly Name | Browse the network to find printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| Registry Value Name | Downlevel Browse | +| ADMX File Name | Printing.admx | + + + + + + + + ## EMFDespooling @@ -382,17 +446,20 @@ When printing through a print server, determines whether the print spooler on th This policy setting only effects printing to a Windows print server. -If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server. +- If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server. -If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server. +- If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server. If you do not enable this policy setting, the behavior is the same as disabling it. -Note: This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. +> [!NOTE] +> This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs. -Note: Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior. +> [!NOTE] +> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior. -Note: In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. +> [!NOTE] +> In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy. @@ -410,7 +477,7 @@ Note: In cases where the client print driver does not match the server print dri > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -450,7 +517,7 @@ Note: In cases where the client print driver does not match the server print dri Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. -This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU. +This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine's GPU. @@ -468,13 +535,13 @@ This setting may improve the performance of the XPS Rasterization Service or the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ForceSWRas | +| Name | ForceSoftwareRasterization | | Friendly Name | Always rasterize content to be printed using a software rasterizer | | Location | Computer Configuration | | Path | Printers | @@ -489,6 +556,69 @@ This setting may improve the performance of the XPS Rasterization Service or the + +## IntranetPrintersUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/IntranetPrintersUrl +``` + + + + +Adds a link to an Internet or intranet Web page to the Add Printer Wizard. + +You can use this setting to direct users to a Web page from which they can install printers. + +- If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. + +This setting makes it easy for users to find the printers you want them to add. + +Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IntranetPrintersUrl | +| Friendly Name | Browse a common web site to find printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| ADMX File Name | Printing.admx | + + + + + + + + ## KMPrintersAreBlocked @@ -508,13 +638,14 @@ This setting may improve the performance of the XPS Rasterization Service or the Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors. -If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. +- If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional. -If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. +- If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked. -If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. +- If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed. -Note: By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. +> [!NOTE] +> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue. @@ -532,7 +663,7 @@ Note: By applying this policy, existing kernel-mode drivers will be disabled upo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -553,6 +684,68 @@ Note: By applying this policy, existing kernel-mode drivers will be disabled upo + +## LegacyDefaultPrinterMode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/LegacyDefaultPrinterMode +``` + + + + +This preference allows you to change default printer management. + +- If you enable this setting, Windows will not manage the default printer. + +- If you disable this setting, Windows will manage the default printer. + +- If you do not configure this setting, default printer management will not change. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LegacyDefaultPrinterMode | +| Friendly Name | Turn off Windows default printer management | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows NT\CurrentVersion\Windows | +| Registry Value Name | LegacyDefaultPrinterMode | +| ADMX File Name | Printing.admx | + + + + + + + + ## MXDWUseLegacyOutputFormatMSXPS @@ -572,9 +765,9 @@ Note: By applying this policy, existing kernel-mode drivers will be disabled upo Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2022. -If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). +- If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps). -If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). +- If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps). @@ -592,7 +785,7 @@ If you disable or do not configure this policy setting, the default MXDW output > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -613,6 +806,68 @@ If you disable or do not configure this policy setting, the default MXDW output + +## NoDeletePrinter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/NoDeletePrinter +``` + + + + +- If this policy setting is enabled, it prevents users from deleting local and network printers. + +If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. + +This setting does not prevent users from running other programs to delete a printer. + +If this policy is disabled, or not configured, users can delete printers using the methods described above. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoDeletePrinter | +| Friendly Name | Prevent deletion of printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoDeletePrinter | +| ADMX File Name | Printing.admx | + + + + + + + + ## NonDomainPrinters @@ -632,7 +887,7 @@ If you disable or do not configure this policy setting, the default MXDW output This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.) -If this setting is disabled, the network scan page will not be displayed. +- If this setting is disabled, the network scan page will not be displayed. If this setting is not configured, the Add Printer wizard will display the default number of printers of each type: TCP/IP printers: 50 @@ -642,7 +897,8 @@ Shared printers: 50 If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0. -In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. +In Windows 10 and later, only TCP/IP printers can be shown in the wizard. +- If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied. In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows. @@ -662,7 +918,7 @@ In Windows 8 and later, Bluetooth printers are not shown so its limit does not a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -683,6 +939,66 @@ In Windows 8 and later, Bluetooth printers are not shown so its limit does not a + +## PackagePointAndPrintOnly + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintOnly +``` + + + + +This policy restricts clients computers to use package point and print only. + +- If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +- If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintOnly | +| Friendly Name | Only use Package Point and print | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintOnly | +| ADMX File Name | Printing.admx | + + + + + + + + ## PackagePointAndPrintOnly_Win7 @@ -702,9 +1018,9 @@ In Windows 8 and later, Bluetooth printers are not shown so its limit does not a This policy restricts clients computers to use package point and print only. -If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. +- If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. +- If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. @@ -722,13 +1038,13 @@ If this setting is disabled, or not configured, users will not be restricted to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PackagePointAndPrintOnly | +| Name | PackagePointAndPrintOnly_Win7 | | Friendly Name | Only use Package Point and print | | Location | Computer Configuration | | Path | Printers | @@ -743,6 +1059,70 @@ If this setting is disabled, or not configured, users will not be restricted to + +## PackagePointAndPrintServerList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintServerList +``` + + + + +Restricts package point and print to approved servers. + +This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. + +Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. + +- If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. + +- If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PackagePointAndPrintServerList | +| Friendly Name | Package Point and print - Approved servers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | +| Registry Value Name | PackagePointAndPrintServerList | +| ADMX File Name | Printing.admx | + + + + + + + + ## PackagePointAndPrintServerList_Win7 @@ -766,9 +1146,9 @@ This policy setting restricts package point and print connections to approved se Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. -If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. +- If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. -If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. +- If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. @@ -786,13 +1166,13 @@ If this setting is disabled, or not configured, package point and print will not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PackagePointAndPrintServerList | +| Name | PackagePointAndPrintServerList_Win7 | | Friendly Name | Package Point and print - Approved servers | | Location | Computer Configuration | | Path | Printers | @@ -824,7 +1204,7 @@ If this setting is disabled, or not configured, package point and print will not -If this policy setting is enabled, it specifies the default location criteria used when searching for printers. +- If this policy setting is enabled, it specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting. @@ -832,7 +1212,7 @@ When Location Tracking is enabled, the system uses the specified location as a c Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. -If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. +- If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer. @@ -850,7 +1230,7 @@ If you disable this setting or do not configure it, and the user does not type a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -891,9 +1271,9 @@ Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers. -If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. +- If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default. -If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). +- If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask). @@ -911,7 +1291,7 @@ If you disable this setting or do not configure it, Location Tracking is disable > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -951,12 +1331,11 @@ If you disable this setting or do not configure it, Location Tracking is disable This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. -If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. +- If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. -If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. +- If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. - -Notes: +**Note**: -Other system or driver policy settings may alter the process in which a print driver is executed. -This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. -This policy setting takes effect without restarting the print spooler service. @@ -977,7 +1356,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1017,11 +1396,11 @@ Notes: This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility. -If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. +- If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation. -If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. +- If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver. -Notes: +**Note**: -Other system or driver policy settings may alter the process in which a print driver is executed. -This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected. -This policy setting takes effect without restarting the print spooler service. @@ -1042,7 +1421,7 @@ Notes: > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1063,6 +1442,67 @@ Notes: + +## PrinterDirectorySearchScope + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PrinterDirectorySearchScope +``` + + + + +Specifies the Active Directory location where searches for printers begin. + +The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. + +- If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. + +This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PrinterDirectorySearchScope | +| Friendly Name | Default Active Directory path when searching for printers | +| Location | User Configuration | +| Path | Control Panel > Printers | +| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | +| ADMX File Name | Printing.admx | + + + + + + + + ## PrinterServerThread @@ -1084,13 +1524,14 @@ Announces the presence of shared printers to print servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. -If you enable this setting, the print spooler announces shared printers to the print servers. +- If you enable this setting, the print spooler announces shared printers to the print servers. -If you disable this setting, shared printers are not announced to print servers, even if Active Directory is not available. +- If you disable this setting, shared printers are not announced to print servers, even if Active Directory is not available. -If you do not configure this setting, shared printers are announced to servers only when Active Directory is not available. +- If you do not configure this setting, shared printers are announced to servers only when Active Directory is not available. -Note: A client license is used each time a client computer announces a printer to a print browse master on the domain. +> [!NOTE] +> A client license is used each time a client computer announces a printer to a print browse master on the domain. @@ -1108,7 +1549,7 @@ Note: A client license is used each time a client computer announces a printer t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1148,11 +1589,12 @@ Note: A client license is used each time a client computer announces a printer t This policy controls whether the print job name will be included in print event logs. -If you disable or do not configure this policy setting, the print job name will not be included. +- If you disable or do not configure this policy setting, the print job name will not be included. -If you enable this policy setting, the print job name will be included in new log entries. +- If you enable this policy setting, the print job name will be included in new log entries. -Note: This setting does not apply to Branch Office Direct Printing jobs. +> [!NOTE] +> This setting does not apply to Branch Office Direct Printing jobs. @@ -1170,7 +1612,7 @@ Note: This setting does not apply to Branch Office Direct Printing jobs. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1212,9 +1654,9 @@ This policy determines if v4 printer drivers are allowed to run printer extensio V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises. -If you enable this policy setting, then all printer extensions will not be allowed to run. +- If you enable this policy setting, then all printer extensions will not be allowed to run. -If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. +- If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run. @@ -1232,7 +1674,7 @@ If you disable this policy setting or do not configure it, then all printer exte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1253,440 +1695,6 @@ If you disable this policy setting or do not configure it, then all printer exte - -## DownlevelBrowse - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/DownlevelBrowse -``` - - - - -Allows users to use the Add Printer Wizard to search the network for shared printers. - -If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list. - -If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. - -Note: This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DownlevelBrowse | -| Friendly Name | Browse the network to find printers | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | -| Registry Value Name | Downlevel Browse | -| ADMX File Name | Printing.admx | - - - - - - - - - -## IntranetPrintersUrl - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/IntranetPrintersUrl -``` - - - - -Adds a link to an Internet or intranet Web page to the Add Printer Wizard. - -You can use this setting to direct users to a Web page from which they can install printers. - -If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers. - -This setting makes it easy for users to find the printers you want them to add. - -Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers." - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | IntranetPrintersUrl | -| Friendly Name | Browse a common web site to find printers | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | -| ADMX File Name | Printing.admx | - - - - - - - - - -## LegacyDefaultPrinterMode - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/LegacyDefaultPrinterMode -``` - - - - -This preference allows you to change default printer management. - -If you enable this setting, Windows will not manage the default printer. - -If you disable this setting, Windows will manage the default printer. - -If you do not configure this setting, default printer management will not change. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | SetDefaultPrinterMRUModeOff | -| Friendly Name | Turn off Windows default printer management | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Microsoft\Windows NT\CurrentVersion\Windows | -| Registry Value Name | LegacyDefaultPrinterMode | -| ADMX File Name | Printing.admx | - - - - - - - - - -## NoDeletePrinter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/NoDeletePrinter -``` - - - - -If this policy setting is enabled, it prevents users from deleting local and network printers. - -If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action. - -This setting does not prevent users from running other programs to delete a printer. - -If this policy is disabled, or not configured, users can delete printers using the methods described above. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoDeletePrinter | -| Friendly Name | Prevent deletion of printers | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoDeletePrinter | -| ADMX File Name | Printing.admx | - - - - - - - - - -## PackagePointAndPrintOnly - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintOnly -``` - - - - -This policy restricts clients computers to use package point and print only. - -If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. - -If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PackagePointAndPrintOnly | -| Friendly Name | Only use Package Point and print | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | -| Registry Value Name | PackagePointAndPrintOnly | -| ADMX File Name | Printing.admx | - - - - - - - - - -## PackagePointAndPrintServerList - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PackagePointAndPrintServerList -``` - - - - -Restricts package point and print to approved servers. - -This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections. - -Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server. - -If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers. - -If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PackagePointAndPrintServerList | -| Friendly Name | Package Point and print - Approved servers | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint | -| Registry Value Name | PackagePointAndPrintServerList | -| ADMX File Name | Printing.admx | - - - - - - - - - -## PrinterDirectorySearchScope - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Printing/PrinterDirectorySearchScope -``` - - - - -Specifies the Active Directory location where searches for printers begin. - -The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. - -If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory. - -This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PrinterDirectorySearchScope | -| Friendly Name | Default Active Directory path when searching for printers | -| Location | User Configuration | -| Path | Control Panel > Printers | -| Registry Key Name | Software\Policies\Microsoft\Windows NT\Printers\Wizard | -| ADMX File Name | Printing.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index d2d9a11183..dd69376114 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md @@ -1,10 +1,10 @@ --- title: ADMX_Printing2 Policy CSP -description: Learn more about the ADMX_Printing2 Area in Policy CSP +description: Learn more about the ADMX_Printing2 Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Printing2 > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. -If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. +- If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers. -If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually. +- If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually. The default behavior is to automatically publish shared printers in Active Directory. -Note: This setting is ignored if the "Allow printers to be published" setting is disabled. +> [!NOTE] +> This setting is ignored if the "Allow printers to be published" setting is disabled. @@ -70,7 +69,7 @@ Note: This setting is ignored if the "Allow printers to be published" setting is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -112,11 +111,12 @@ Determines whether the domain controller can prune (delete from Active Directory By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. -If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond. +- If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond. -If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. +- If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network. -Note: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. +> [!NOTE] +> You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts. @@ -134,7 +134,7 @@ Note: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -178,15 +178,17 @@ The Windows pruning service prunes printer objects from Active Directory when th You can enable this setting to change the default behavior. To use this setting, select one of the following options from the "Prune non-republishing printers" box: --- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default. +- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default. --- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable. +- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable. --- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. +- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. -Note: This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. +> [!NOTE] +> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. -Tip: If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. +> [!TIP] +> If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server. @@ -204,7 +206,7 @@ Tip: If you disable automatic pruning, remember to delete printer objects manual > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -247,11 +249,12 @@ The pruning service periodically contacts computers that have published printers By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory. -If you enable this setting, you can change the interval between contact attempts. +- If you enable this setting, you can change the interval between contact attempts. If you do not configure or disable this setting the default values will be used. -Note: This setting is used only on domain controllers. +> [!NOTE] +> This setting is used only on domain controllers. @@ -269,7 +272,7 @@ Note: This setting is used only on domain controllers. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -314,7 +317,8 @@ The thread priority influences the order in which the thread receives processor By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service. -Note: This setting is used only on domain controllers. +> [!NOTE] +> This setting is used only on domain controllers. @@ -332,7 +336,7 @@ Note: This setting is used only on domain controllers. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -375,11 +379,12 @@ The pruning service periodically contacts computers that have published printers By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. -If you enable this setting, you can change the interval between attempts. +- If you enable this setting, you can change the interval between attempts. If you do not configure or disable this setting, the default values are used. -Note: This setting is used only on domain controllers. +> [!NOTE] +> This setting is used only on domain controllers. @@ -397,7 +402,7 @@ Note: This setting is used only on domain controllers. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -438,13 +443,15 @@ Specifies whether or not to log events when the pruning service on a domain cont The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory. -If you enable this policy setting, the contact events are recorded in the event log. +- If you enable this policy setting, the contact events are recorded in the event log. -If you disable or do not configure this policy setting, the contact events are not recorded in the event log. +- If you disable or do not configure this policy setting, the contact events are not recorded in the event log. -Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. +> [!NOTE] +> This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. -Note: This setting is used only on domain controllers. +> [!NOTE] +> This setting is used only on domain controllers. @@ -462,7 +469,7 @@ Note: This setting is used only on domain controllers. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -524,7 +531,7 @@ The spooler must be restarted for changes to this policy to take effect. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -586,7 +593,7 @@ To disable verification, disable this setting, or enable this setting and select > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 8d788b646e..1d7a70b423 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -1,10 +1,10 @@ --- title: ADMX_Programs Policy CSP -description: Learn more about the ADMX_Programs Area in Policy CSP +description: Learn more about the ADMX_Programs Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Programs > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,7 +46,7 @@ This setting removes the Set Program Access and Defaults page from the Programs The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. -If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. +- If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. @@ -70,7 +68,7 @@ This setting does not prevent the Default Programs icon from appearing on the St > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -114,11 +112,12 @@ This setting prevents users from accessing the "Get Programs" page from the Prog Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. -If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. +- If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. -If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. +- If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. -Note: If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. +> [!NOTE] +> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. @@ -136,7 +135,7 @@ Note: If the "Hide Programs Control Panel" setting is enabled, this setting is i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -178,7 +177,7 @@ This setting prevents users from accessing "Installed Updates" page from the "Vi "Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. -If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. +- If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. This setting does not prevent users from using other tools and methods to install or uninstall programs. @@ -198,7 +197,7 @@ This setting does not prevent users from using other tools and methods to instal > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -238,7 +237,7 @@ This setting does not prevent users from using other tools and methods to instal This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. -If this setting is disabled or not configured, "Programs and Features" will be available to all users. +- If this setting is disabled or not configured, "Programs and Features" will be available to all users. This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. @@ -258,7 +257,7 @@ This setting does not prevent users from using other tools and methods to view o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -300,7 +299,7 @@ This setting prevents users from using the Programs Control Panel in Category Vi The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. -If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. +- If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. When enabled, this setting takes precedence over the other settings in this folder. @@ -322,7 +321,7 @@ This setting does not prevent users from using other tools and methods to instal > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -362,7 +361,7 @@ This setting does not prevent users from using other tools and methods to instal This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. -If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. +- If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. @@ -382,7 +381,7 @@ This setting does not prevent users from using other tools and methods to config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -428,7 +427,8 @@ Enabling this feature does not prevent users from navigating to Windows Marketpl If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users. -Note: If the "Hide Programs control Panel" setting is enabled, this setting is ignored. +> [!NOTE] +> If the "Hide Programs control Panel" setting is enabled, this setting is ignored. @@ -446,7 +446,7 @@ Note: If the "Hide Programs control Panel" setting is enabled, this setting is i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index 0d81b19812..a2094c9c4e 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -1,6 +1,6 @@ --- title: ADMX_PushToInstall Policy CSP -description: Learn more about the ADMX_PushToInstall Area in Policy CSP +description: Learn more about the ADMX_PushToInstall Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md index 4447d06173..d81a28a193 100644 --- a/windows/client-management/mdm/policy-csp-admx-qos.md +++ b/windows/client-management/mdm/policy-csp-admx-qos.md @@ -1,10 +1,10 @@ --- title: ADMX_QOS Policy CSP -description: Learn more about the ADMX_QOS Area in Policy CSP +description: Learn more about the ADMX_QOS Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_QOS > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,11 +46,12 @@ Specifies the maximum number of outstanding packets permitted on the system. Whe "Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent. -If you enable this setting, you can limit the number of outstanding packets. +- If you enable this setting, you can limit the number of outstanding packets. -If you disable this setting or do not configure it, then the setting has no effect on the system. +- If you disable this setting or do not configure it, then the setting has no effect on the system. -Important: If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -70,7 +69,7 @@ Important: If the maximum number of outstanding packets is specified in the regi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -111,11 +110,12 @@ Determines the percentage of connection bandwidth that the system can reserve. T By default, the Packet Scheduler limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default. -If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve. +- If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve. -If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection. +- If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection. -Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter. @@ -133,7 +133,7 @@ Important: If a bandwidth limit is set for a particular network adapter in the r > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -174,11 +174,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. +- If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -196,7 +197,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -237,11 +238,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. +- If you enable this setting, you can change the default DSCP value associated with the Best Effort service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -259,7 +261,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -298,11 +300,12 @@ Important: If the DSCP value for this service type is specified in the registry Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Best Effort service type. +- If you enable this setting, you can change the default priority value associated with the Best Effort service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -320,7 +323,7 @@ Important: If the Layer-2 priority value for this service type is specified in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -361,11 +364,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. +- If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. -If you disable this setting, the system uses the default DSCP value of 24 (0x18). +- If you disable this setting, the system uses the default DSCP value of 24 (0x18). -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -383,7 +387,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -424,11 +428,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. +- If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -446,7 +451,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -485,11 +490,12 @@ Important: If the DSCP value for this service type is specified in the registry Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Controlled Load service type. +- If you enable this setting, you can change the default priority value associated with the Controlled Load service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -507,7 +513,7 @@ Important: If the Layer-2 priority value for this service type is specified in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -548,11 +554,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. +- If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. -If you disable this setting, the system uses the default DSCP value of 40 (0x28). +- If you disable this setting, the system uses the default DSCP value of 40 (0x28). -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -570,7 +577,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -611,11 +618,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. +- If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -633,7 +641,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -672,11 +680,12 @@ Important: If the DSCP value for this service type is specified in the registry Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Guaranteed service type. +- If you enable this setting, you can change the default priority value associated with the Guaranteed service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -694,7 +703,7 @@ Important: If the Layer-2 priority value for this service type is specified in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -735,11 +744,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Network Control service type. +- If you enable this setting, you can change the default DSCP value associated with the Network Control service type. -If you disable this setting, the system uses the default DSCP value of 48 (0x30). +- If you disable this setting, the system uses the default DSCP value of 48 (0x30). -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -757,7 +767,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -798,11 +808,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Network Control service type. +- If you enable this setting, you can change the default DSCP value associated with the Network Control service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -820,7 +831,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -859,11 +870,12 @@ Important: If the DSCP value for this service type is specified in the registry Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Network Control service type. +- If you enable this setting, you can change the default priority value associated with the Network Control service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -881,7 +893,7 @@ Important: If the Layer-2 priority value for this service type is specified in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -920,11 +932,12 @@ Important: If the Layer-2 priority value for this service type is specified in t Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with nonconforming packets. +- If you enable this setting, you can change the default priority value associated with nonconforming packets. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -942,7 +955,7 @@ Important: If the Layer-2 priority value for nonconforming packets is specified > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -983,11 +996,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. +- If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -1005,7 +1019,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1046,11 +1060,12 @@ Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value f This setting applies only to packets that do not conform to the flow specification. -If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. +- If you enable this setting, you can change the default DSCP value associated with the Qualitative service type. -If you disable this setting, the system uses the default DSCP value of 0. +- If you disable this setting, the system uses the default DSCP value of 0. -Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -1068,7 +1083,7 @@ Important: If the DSCP value for this service type is specified in the registry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1107,11 +1122,12 @@ Important: If the DSCP value for this service type is specified in the registry Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. -If you enable this setting, you can change the default priority value associated with the Qualitative service type. +- If you enable this setting, you can change the default priority value associated with the Qualitative service type. -If you disable this setting, the system uses the default priority value of 0. +- If you disable this setting, the system uses the default priority value of 0. -Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter. @@ -1129,7 +1145,7 @@ Important: If the Layer-2 priority value for this service type is specified in t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1168,11 +1184,12 @@ Important: If the Layer-2 priority value for this service type is specified in t Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. -If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. +- If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds. -If you disable this setting or do not configure it, the setting has no effect on the system. +- If you disable this setting or do not configure it, the setting has no effect on the system. -Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. +> [!IMPORTANT] +> If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter. @@ -1190,7 +1207,7 @@ Important: If a timer resolution is specified in the registry for a particular n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index fcc3ae8253..2c6b557f6b 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -1,6 +1,6 @@ --- title: ADMX_Radar Policy CSP -description: Learn more about the ADMX_Radar Area in Policy CSP +description: Learn more about the ADMX_Radar Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 9163e7efe9..1ac41a1abb 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -1,10 +1,10 @@ --- title: ADMX_Reliability Policy CSP -description: Learn more about the ADMX_Reliability Area in Policy CSP +description: Learn more about the ADMX_Reliability Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Reliability > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. -If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. +- If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. -If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. +- If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. -If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. +- If you do not configure this policy setting, the Persistent System Timestamp is refreshed according the default, which is every 60 seconds beginning with Windows Server 2003. -Note: This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. +> [!NOTE] +> This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel. @@ -70,7 +69,7 @@ Note: This feature might interfere with power configuration settings that turn o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,11 +109,11 @@ Note: This feature might interfere with power configuration settings that turn o This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. -If you enable this policy setting, error reporting includes unplanned shutdown events. +- If you enable this policy setting, error reporting includes unplanned shutdown events. -If you disable this policy setting, unplanned shutdown events are not included in error reporting. +- If you disable this policy setting, unplanned shutdown events are not included in error reporting. -If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. +- If you do not configure this policy setting, users can adjust this setting using the control panel, which is set to "Upload unplanned shutdown events" by default. Also see the "Configure Error Reporting" policy setting. @@ -134,7 +133,7 @@ Also see the "Configure Error Reporting" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -176,13 +175,14 @@ This policy setting defines when the Shutdown Event Tracker System State Data fe The system state data file contains information about the basic system state as well as the state of all running processes. -If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. +- If you enable this policy setting, the System State Data feature is activated when the user indicates that the shutdown or restart is unplanned. -If you disable this policy setting, the System State Data feature is never activated. +- If you disable this policy setting, the System State Data feature is never activated. -If you do not configure this policy setting, the default behavior for the System State Data feature occurs. +- If you do not configure this policy setting, the default behavior for the System State Data feature occurs. -Note: By default, the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all supported versions. +> [!NOTE] +> By default, the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all supported versions. @@ -200,7 +200,7 @@ Note: By default, the System State Data feature is always enabled on Windows Ser > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -240,17 +240,18 @@ Note: By default, the System State Data feature is always enabled on Windows Ser The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. -If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. +- If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. -If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) +- If you enable this policy setting and choose "Server Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running Windows Server. (See "Supported on" for supported versions.) -If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) +- If you enable this policy setting and choose "Workstation Only" from the drop-down menu list, the Shutdown Event Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.) -If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer. +- If you disable this policy setting, the Shutdown Event Tracker is not displayed when you shut down the computer. -If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. +- If you do not configure this policy setting, the default behavior for the Shutdown Event Tracker occurs. -Note: By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. +> [!NOTE] +> By default, the Shutdown Event Tracker is only displayed on computers running Windows Server. @@ -268,7 +269,7 @@ Note: By default, the Shutdown Event Tracker is only displayed on computers runn > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 324ddf127c..faee594f91 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -1,10 +1,10 @@ --- title: ADMX_RemoteAssistance Policy CSP -description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP +description: Learn more about the ADMX_RemoteAssistance Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_RemoteAssistance > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance. -If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. +- If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer. -If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. +- If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer. -If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. +- If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel. @@ -68,7 +66,7 @@ If you do not configure this policy setting, users can configure the setting in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -122,11 +120,11 @@ For example: -No full window drag -Turn off background -If you enable this policy setting, bandwidth optimization occurs at the level specified. +- If you enable this policy setting, bandwidth optimization occurs at the level specified. -If you disable this policy setting, application-based settings are used. +- If you disable this policy setting, application-based settings are used. -If you do not configure this policy setting, application-based settings are used. +- If you do not configure this policy setting, application-based settings are used. @@ -144,7 +142,7 @@ If you do not configure this policy setting, application-based settings are used > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 1623673a7b..27e48cd062 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -1,10 +1,10 @@ --- title: ADMX_RemovableStorage Policy CSP -description: Learn more about the ADMX_RemovableStorage Area in Policy CSP +description: Learn more about the ADMX_RemovableStorage Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_RemovableStorage > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,6 +25,69 @@ ms.topic: reference + +## AccessRights_RebootTime_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/AccessRights_RebootTime_1 +``` + + + + +This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. + +- If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. + +- If you disable or do not configure this setting, the operating system does not force a reboot. + +> [!NOTE] +> If no reboot is forced, the access right does not take effect until the operating system is restarted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AccessRights_RebootTime_1 | +| Friendly Name | Set time (in seconds) to force reboot | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | RebootTimeinSeconds_state | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## AccessRights_RebootTime_2 @@ -46,11 +107,12 @@ ms.topic: reference This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. -If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. +- If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. -If you disable or do not configure this setting, the operating system does not force a reboot. +- If you disable or do not configure this setting, the operating system does not force a reboot. -Note: If no reboot is forced, the access right does not take effect until the operating system is restarted. +> [!NOTE] +> If no reboot is forced, the access right does not take effect until the operating system is restarted. @@ -68,13 +130,13 @@ Note: If no reboot is forced, the access right does not take effect until the op > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AccessRights_RebootTime | +| Name | AccessRights_RebootTime_2 | | Friendly Name | Set time (in seconds) to force reboot | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -108,9 +170,9 @@ Note: If no reboot is forced, the access right does not take effect until the op This policy setting denies execute access to the CD and DVD removable storage class. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. @@ -128,13 +190,13 @@ If you disable or do not configure this policy setting, execute access is allowe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CDandDVD_DenyExecute_Access | +| Name | CDandDVD_DenyExecute_Access_2 | | Friendly Name | CD and DVD: Deny execute access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -149,6 +211,66 @@ If you disable or do not configure this policy setting, execute access is allowe + +## CDandDVD_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to the CD and DVD removable storage class. + +- If you enable this policy setting, read access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyRead_Access_1 | +| Friendly Name | CD and DVD: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## CDandDVD_DenyRead_Access_2 @@ -168,9 +290,9 @@ If you disable or do not configure this policy setting, execute access is allowe This policy setting denies read access to the CD and DVD removable storage class. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -188,13 +310,13 @@ If you disable or do not configure this policy setting, read access is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CDandDVD_DenyRead_Access | +| Name | CDandDVD_DenyRead_Access_2 | | Friendly Name | CD and DVD: Deny read access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -209,6 +331,66 @@ If you disable or do not configure this policy setting, read access is allowed t + +## CDandDVD_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to the CD and DVD removable storage class. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CDandDVD_DenyWrite_Access_1 | +| Friendly Name | CD and DVD: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## CDandDVD_DenyWrite_Access_2 @@ -228,9 +410,9 @@ If you disable or do not configure this policy setting, read access is allowed t This policy setting denies write access to the CD and DVD removable storage class. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. @@ -248,13 +430,13 @@ If you disable or do not configure this policy setting, write access is allowed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CDandDVD_DenyWrite_Access | +| Name | CDandDVD_DenyWrite_Access_2 | | Friendly Name | CD and DVD: Deny write access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -269,6 +451,66 @@ If you disable or do not configure this policy setting, write access is allowed + +## CustomClasses_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to custom removable storage classes. + +- If you enable this policy setting, read access is denied to these removable storage classes. + +- If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyRead_Access_1 | +| Friendly Name | Custom Classes: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## CustomClasses_DenyRead_Access_2 @@ -288,9 +530,9 @@ If you disable or do not configure this policy setting, write access is allowed This policy setting denies read access to custom removable storage classes. -If you enable this policy setting, read access is denied to these removable storage classes. +- If you enable this policy setting, read access is denied to these removable storage classes. -If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. +- If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. @@ -308,13 +550,13 @@ If you disable or do not configure this policy setting, read access is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CustomClasses_DenyRead_Access | +| Name | CustomClasses_DenyRead_Access_2 | | Friendly Name | Custom Classes: Deny read access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -329,6 +571,66 @@ If you disable or do not configure this policy setting, read access is allowed t + +## CustomClasses_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to custom removable storage classes. + +- If you enable this policy setting, write access is denied to these removable storage classes. + +- If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomClasses_DenyWrite_Access_1 | +| Friendly Name | Custom Classes: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## CustomClasses_DenyWrite_Access_2 @@ -348,9 +650,9 @@ If you disable or do not configure this policy setting, read access is allowed t This policy setting denies write access to custom removable storage classes. -If you enable this policy setting, write access is denied to these removable storage classes. +- If you enable this policy setting, write access is denied to these removable storage classes. -If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. +- If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. @@ -368,13 +670,13 @@ If you disable or do not configure this policy setting, write access is allowed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CustomClasses_DenyWrite_Access | +| Name | CustomClasses_DenyWrite_Access_2 | | Friendly Name | Custom Classes: Deny write access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -408,9 +710,9 @@ If you disable or do not configure this policy setting, write access is allowed This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. @@ -428,13 +730,13 @@ If you disable or do not configure this policy setting, execute access is allowe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | FloppyDrives_DenyExecute_Access | +| Name | FloppyDrives_DenyExecute_Access_2 | | Friendly Name | Floppy Drives: Deny execute access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -449,6 +751,66 @@ If you disable or do not configure this policy setting, execute access is allowe + +## FloppyDrives_DenyRead_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 +``` + + + + +This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. + +- If you enable this policy setting, read access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyRead_Access_1 | +| Friendly Name | Floppy Drives: Deny read access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## FloppyDrives_DenyRead_Access_2 @@ -468,9 +830,9 @@ If you disable or do not configure this policy setting, execute access is allowe This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -488,13 +850,13 @@ If you disable or do not configure this policy setting, read access is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | FloppyDrives_DenyRead_Access | +| Name | FloppyDrives_DenyRead_Access_2 | | Friendly Name | Floppy Drives: Deny read access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -509,6 +871,66 @@ If you disable or do not configure this policy setting, read access is allowed t + +## FloppyDrives_DenyWrite_Access_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 +``` + + + + +This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | FloppyDrives_DenyWrite_Access_1 | +| Friendly Name | Floppy Drives: Deny write access | +| Location | User Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## FloppyDrives_DenyWrite_Access_2 @@ -528,9 +950,9 @@ If you disable or do not configure this policy setting, read access is allowed t This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. @@ -548,13 +970,13 @@ If you disable or do not configure this policy setting, write access is allowed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | FloppyDrives_DenyWrite_Access | +| Name | FloppyDrives_DenyWrite_Access_2 | | Friendly Name | Floppy Drives: Deny write access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -588,9 +1010,9 @@ If you disable or do not configure this policy setting, write access is allowed This policy setting grants normal users direct access to removable storage devices in remote sessions. -If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. +- If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions. -If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. +- If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions. @@ -608,7 +1030,7 @@ If you disable or do not configure this policy setting, remote users cannot open > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -648,9 +1070,9 @@ If you disable or do not configure this policy setting, remote users cannot open This policy setting denies execute access to removable disks. -If you enable this policy setting, execute access is denied to this removable storage class. +- If you enable this policy setting, execute access is denied to this removable storage class. -If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. @@ -668,13 +1090,13 @@ If you disable or do not configure this policy setting, execute access is allowe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RemovableDisks_DenyExecute_Access | +| Name | RemovableDisks_DenyExecute_Access_2 | | Friendly Name | Removable Disks: Deny execute access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -689,850 +1111,6 @@ If you disable or do not configure this policy setting, execute access is allowe - -## RemovableDisks_DenyRead_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 -``` - - - - -This policy setting denies read access to removable disks. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RemovableDisks_DenyRead_Access | -| Friendly Name | Removable Disks: Deny read access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Read | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## RemovableStorageClasses_DenyAll_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 -``` - - - - -Configure access to all removable storage classes. - -This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. - -If you enable this policy setting, no access is allowed to any removable storage class. - -If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RemovableStorageClasses_DenyAll_Access | -| Friendly Name | All Removable Storage classes: Deny all access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | -| Registry Value Name | Deny_All | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## TapeDrives_DenyExecute_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 -``` - - - - -This policy setting denies execute access to the Tape Drive removable storage class. - -If you enable this policy setting, execute access is denied to this removable storage class. - -If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TapeDrives_DenyExecute_Access | -| Friendly Name | Tape Drives: Deny execute access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Execute | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## TapeDrives_DenyRead_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 -``` - - - - -This policy setting denies read access to the Tape Drive removable storage class. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TapeDrives_DenyRead_Access | -| Friendly Name | Tape Drives: Deny read access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Read | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## TapeDrives_DenyWrite_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 -``` - - - - -This policy setting denies write access to the Tape Drive removable storage class. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TapeDrives_DenyWrite_Access | -| Friendly Name | Tape Drives: Deny write access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Write | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## WPDDevices_DenyRead_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 -``` - - - - -This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WPDDevices_DenyRead_Access | -| Friendly Name | WPD Devices: Deny read access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | -| Registry Value Name | Deny_Read | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## WPDDevices_DenyWrite_Access_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 -``` - - - - -This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WPDDevices_DenyWrite_Access | -| Friendly Name | WPD Devices: Deny write access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | -| Registry Value Name | Deny_Write | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## AccessRights_RebootTime_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/AccessRights_RebootTime_1 -``` - - - - -This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. - -If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot. - -If you disable or do not configure this setting, the operating system does not force a reboot. - -Note: If no reboot is forced, the access right does not take effect until the operating system is restarted. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AccessRights_RebootTime | -| Friendly Name | Set time (in seconds) to force reboot | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | -| Registry Value Name | RebootTimeinSeconds_state | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## CDandDVD_DenyRead_Access_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1 -``` - - - - -This policy setting denies read access to the CD and DVD removable storage class. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CDandDVD_DenyRead_Access | -| Friendly Name | CD and DVD: Deny read access | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Read | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## CDandDVD_DenyWrite_Access_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1 -``` - - - - -This policy setting denies write access to the CD and DVD removable storage class. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CDandDVD_DenyWrite_Access | -| Friendly Name | CD and DVD: Deny write access | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Write | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## CustomClasses_DenyRead_Access_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1 -``` - - - - -This policy setting denies read access to custom removable storage classes. - -If you enable this policy setting, read access is denied to these removable storage classes. - -If you disable or do not configure this policy setting, read access is allowed to these removable storage classes. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CustomClasses_DenyRead_Access | -| Friendly Name | Custom Classes: Deny read access | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read | -| Registry Value Name | Deny_Read | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## CustomClasses_DenyWrite_Access_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1 -``` - - - - -This policy setting denies write access to custom removable storage classes. - -If you enable this policy setting, write access is denied to these removable storage classes. - -If you disable or do not configure this policy setting, write access is allowed to these removable storage classes. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CustomClasses_DenyWrite_Access | -| Friendly Name | Custom Classes: Deny write access | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write | -| Registry Value Name | Deny_Write | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## FloppyDrives_DenyRead_Access_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1 -``` - - - - -This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. - -If you enable this policy setting, read access is denied to this removable storage class. - -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | FloppyDrives_DenyRead_Access | -| Friendly Name | Floppy Drives: Deny read access | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Read | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - - -## FloppyDrives_DenyWrite_Access_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1 -``` - - - - -This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | FloppyDrives_DenyWrite_Access | -| Friendly Name | Floppy Drives: Deny write access | -| Location | User Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | -| Registry Value Name | Deny_Write | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - ## RemovableDisks_DenyRead_Access_1 @@ -1552,9 +1130,9 @@ If you disable or do not configure this policy setting, write access is allowed This policy setting denies read access to removable disks. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -1572,13 +1150,13 @@ If you disable or do not configure this policy setting, read access is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RemovableDisks_DenyRead_Access | +| Name | RemovableDisks_DenyRead_Access_1 | | Friendly Name | Removable Disks: Deny read access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1593,6 +1171,66 @@ If you disable or do not configure this policy setting, read access is allowed t + +## RemovableDisks_DenyRead_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2 +``` + + + + +This policy setting denies read access to removable disks. + +- If you enable this policy setting, read access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableDisks_DenyRead_Access_2 | +| Friendly Name | Removable Disks: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## RemovableDisks_DenyWrite_Access_1 @@ -1612,11 +1250,12 @@ If you disable or do not configure this policy setting, read access is allowed t This policy setting denies write access to removable disks. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." +> [!NOTE] +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." @@ -1634,13 +1273,13 @@ Note: To require that users write data to BitLocker-protected storage, enable th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RemovableDisks_DenyWrite_Access | +| Name | RemovableDisks_DenyWrite_Access_1 | | Friendly Name | Removable Disks: Deny write access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1676,9 +1315,9 @@ Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. -If you enable this policy setting, no access is allowed to any removable storage class. +- If you enable this policy setting, no access is allowed to any removable storage class. -If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. +- If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. @@ -1696,13 +1335,13 @@ If you disable or do not configure this policy setting, write and read accesses > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RemovableStorageClasses_DenyAll_Access | +| Name | RemovableStorageClasses_DenyAll_Access_1 | | Friendly Name | All Removable Storage classes: Deny all access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1717,6 +1356,128 @@ If you disable or do not configure this policy setting, write and read accesses + +## RemovableStorageClasses_DenyAll_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2 +``` + + + + +Configure access to all removable storage classes. + +This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. + +- If you enable this policy setting, no access is allowed to any removable storage class. + +- If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemovableStorageClasses_DenyAll_Access_2 | +| Friendly Name | All Removable Storage classes: Deny all access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices | +| Registry Value Name | Deny_All | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + + +## TapeDrives_DenyExecute_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2 +``` + + + + +This policy setting denies execute access to the Tape Drive removable storage class. + +- If you enable this policy setting, execute access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, execute access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyExecute_Access_2 | +| Friendly Name | Tape Drives: Deny execute access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Execute | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## TapeDrives_DenyRead_Access_1 @@ -1736,9 +1497,9 @@ If you disable or do not configure this policy setting, write and read accesses This policy setting denies read access to the Tape Drive removable storage class. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -1756,13 +1517,13 @@ If you disable or do not configure this policy setting, read access is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TapeDrives_DenyRead_Access | +| Name | TapeDrives_DenyRead_Access_1 | | Friendly Name | Tape Drives: Deny read access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1777,6 +1538,66 @@ If you disable or do not configure this policy setting, read access is allowed t + +## TapeDrives_DenyRead_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2 +``` + + + + +This policy setting denies read access to the Tape Drive removable storage class. + +- If you enable this policy setting, read access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyRead_Access_2 | +| Friendly Name | Tape Drives: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## TapeDrives_DenyWrite_Access_1 @@ -1796,9 +1617,9 @@ If you disable or do not configure this policy setting, read access is allowed t This policy setting denies write access to the Tape Drive removable storage class. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. @@ -1816,13 +1637,13 @@ If you disable or do not configure this policy setting, write access is allowed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TapeDrives_DenyWrite_Access | +| Name | TapeDrives_DenyWrite_Access_1 | | Friendly Name | Tape Drives: Deny write access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1837,6 +1658,66 @@ If you disable or do not configure this policy setting, write access is allowed + +## TapeDrives_DenyWrite_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2 +``` + + + + +This policy setting denies write access to the Tape Drive removable storage class. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TapeDrives_DenyWrite_Access_2 | +| Friendly Name | Tape Drives: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## WPDDevices_DenyRead_Access_1 @@ -1856,9 +1737,9 @@ If you disable or do not configure this policy setting, write access is allowed This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -1876,13 +1757,13 @@ If you disable or do not configure this policy setting, read access is allowed t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WPDDevices_DenyRead_Access | +| Name | WPDDevices_DenyRead_Access_1 | | Friendly Name | WPD Devices: Deny read access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1897,6 +1778,66 @@ If you disable or do not configure this policy setting, read access is allowed t + +## WPDDevices_DenyRead_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2 +``` + + + + +This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +- If you enable this policy setting, read access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyRead_Access_2 | +| Friendly Name | WPD Devices: Deny read access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Read | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## WPDDevices_DenyWrite_Access_1 @@ -1916,9 +1857,9 @@ If you disable or do not configure this policy setting, read access is allowed t This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. @@ -1936,13 +1877,13 @@ If you disable or do not configure this policy setting, write access is allowed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WPDDevices_DenyWrite_Access | +| Name | WPDDevices_DenyWrite_Access_1 | | Friendly Name | WPD Devices: Deny write access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -1957,6 +1898,66 @@ If you disable or do not configure this policy setting, write access is allowed + +## WPDDevices_DenyWrite_Access_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2 +``` + + + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access_2 | +| Friendly Name | WPD Devices: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 5970b4ca01..b37b7eb63d 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -1,10 +1,10 @@ --- title: ADMX_RPC Policy CSP -description: Learn more about the ADMX_RPC Area in Policy CSP +description: Learn more about the ADMX_RPC Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_RPC > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,27 +46,31 @@ This policy setting controls whether the RPC runtime generates extended error in Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs). -If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. +- If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition. -If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. +- If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition. -If you enable this policy setting, the RPC runtime will generate extended error information. You must select an error response type in the drop-down box. +- If you enable this policy setting, the RPC runtime will generate extended error information. You must select an error response type in the drop-down box. --- "Off" disables all extended error information for all processes. RPC only generates an error code. +- "Off" disables all extended error information for all processes. RPC only generates an error code. --- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. +- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. --- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. +- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field. --- "On" enables extended error information for all processes. +- "On" enables extended error information for all processes. -Note: For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). +> [!NOTE] +> For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK). -Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. +> [!NOTE] +> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information. -Note: The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. +> [!NOTE] +> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. @@ -86,7 +88,7 @@ Note: This policy setting will not be applied until the system is rebooted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -127,17 +129,18 @@ This policy setting controls whether the RPC Runtime ignores delegation failures The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. -If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. +- If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. -If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. +- If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. -If you enable this policy setting, then: +- If you enable this policy setting, then: --- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. +- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation. --- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. +- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. @@ -155,7 +158,7 @@ Note: This policy setting will not be applied until the system is rebooted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -200,13 +203,14 @@ This policy setting is only applicable when the RPC Client, the RPC Server and t The minimum allowed value for this policy setting is 90 seconds. The maximum is 7200 seconds (2 hours). -If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. +- If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used. -If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. +- If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used. -If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. +- If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. @@ -224,7 +228,7 @@ Note: This policy setting will not be applied until the system is rebooted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -263,27 +267,30 @@ Note: This policy setting will not be applied until the system is rebooted. This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems. -If you disable this policy setting, the RPC runtime defaults to "Auto2" level. +- If you disable this policy setting, the RPC runtime defaults to "Auto2" level. -If you do not configure this policy setting, the RPC defaults to "Auto2" level. +- If you do not configure this policy setting, the RPC defaults to "Auto2" level. -If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. +- If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information. --- "None" indicates that the system does not maintain any RPC state information. +- "None" indicates that the system does not maintain any RPC state information -**Note**: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. +> [!NOTE] +> Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations. --- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. +- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory. --- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. +- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server. --- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. +- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity. --- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem. +- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem. -Note: To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. +> [!NOTE] +> To retrieve the RPC state information from a system that maintains it, you must use a debugging tool. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. @@ -301,7 +308,7 @@ Note: This policy setting will not be applied until the system is rebooted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md index b0eae0e07b..3a57924050 100644 --- a/windows/client-management/mdm/policy-csp-admx-sam.md +++ b/windows/client-management/mdm/policy-csp-admx-sam.md @@ -1,10 +1,10 @@ --- title: ADMX_sam Policy CSP -description: Learn more about the ADMX_sam Area in Policy CSP +description: Learn more about the ADMX_sam Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_sam > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,19 +44,19 @@ ms.topic: reference This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability. -For more information on the ROCA vulnerability, please see: +For more information on the ROCA vulnerability, please see - + - + -If you enable this policy setting the following options are supported: +- If you enable this policy setting the following options are supported -Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. +Ignore during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. -Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). +Audit during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). -Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). +Block during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). This setting only takes effect on domain controllers. @@ -66,9 +64,9 @@ If not configured, domain controllers will default to using their local configur A reboot is not required for changes to this setting to take effect. -Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs. +**Note** to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs. -More information is available at . +More information is available at . @@ -86,7 +84,7 @@ More information is available at > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 63f4bdafb9..dc87193ebf 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -1,10 +1,10 @@ --- title: ADMX_Scripts Policy CSP -description: Learn more about the ADMX_Scripts Area in Policy CSP +description: Learn more about the ADMX_Scripts Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index e75309b1c2..3ec7284be3 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -1,10 +1,10 @@ --- title: ADMX_sdiageng Policy CSP -description: Learn more about the ADMX_sdiageng Area in Policy CSP +description: Learn more about the ADMX_sdiageng Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_sdiageng > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" -If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. +- If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. -If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. +- If you disable this policy setting, users can only access and search troubleshooting content that is available locally on their computers, even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows Online Troubleshooting Service. @@ -66,7 +64,7 @@ If you disable this policy setting, users can only access and search troubleshoo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,11 +104,11 @@ If you disable this policy setting, users can only access and search troubleshoo This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. -If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. +- If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. -If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. +- If you disable this policy setting, users cannot access or run the troubleshooting tools from the Control Panel. -Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. +**Note** that this setting also controls a user's ability to launch standalone troubleshooting packs such as those found in .diagcab files. @@ -128,7 +126,7 @@ Note that this setting also controls a user's ability to launch standalone troub > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -168,9 +166,9 @@ Note that this setting also controls a user's ability to launch standalone troub This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. -If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. +- If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. -If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. +- If you disable or do not configure this policy setting, the scripted diagnostics execution engine runs all digitally signed packages. @@ -188,7 +186,7 @@ If you disable or do not configure this policy setting, the scripted diagnostics > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index fdc494d23c..91f8df9c49 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -1,10 +1,10 @@ --- title: ADMX_sdiagschd Policy CSP -description: Learn more about the ADMX_sdiagschd Area in Policy CSP +description: Learn more about the ADMX_sdiagschd Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_sdiagschd > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,13 @@ ms.topic: reference Determines whether scheduled diagnostics will run to proactively detect and resolve system problems. -If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. +- If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. If you choose detection, troubleshooting and resolution, Windows will resolve some of these problems silently without requiring user input. -If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. +- If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve problems on a scheduled basis. -If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. +- If you do not configure this policy setting, local troubleshooting preferences will take precedence, as configured in the control panel. If no local troubleshooting preference is configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by default. No reboots or service restarts are required for this policy to take effect: changes take effect immediately. @@ -74,7 +72,7 @@ This policy setting will only take effect when the Task Scheduler service is in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index d98d017b34..6bc06ebc29 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -1,10 +1,10 @@ --- title: ADMX_Securitycenter Policy CSP -description: Learn more about the ADMX_Securitycenter Area in Policy CSP +description: Learn more about the ADMX_Securitycenter Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Securitycenter > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,19 +44,17 @@ ms.topic: reference This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. -Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. +**Note** that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. If you do not congifure this policy setting, the Security Center is turned off for domain members. -If you enable this policy setting, Security Center is turned on for all users. +- If you enable this policy setting, Security Center is turned on for all users. -If you disable this policy setting, Security Center is turned off for domain members. +- If you disable this policy setting, Security Center is turned off for domain members. Windows XP SP2 ---------------------- -In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. - -**Note** that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. +In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. **Note** that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers. Windows Vista --------------------- @@ -80,7 +76,7 @@ In Windows Vista, this policy setting monitors essential security settings to in > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index d1318c4c1e..31322c5681 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -1,10 +1,10 @@ --- title: ADMX_Sensors Policy CSP -description: Learn more about the ADMX_Sensors Area in Policy CSP +description: Learn more about the ADMX_Sensors Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Sensors > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,126 +25,6 @@ ms.topic: reference - -## DisableLocationScripting_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocationScripting_2 -``` - - - - -This policy setting turns off scripting for the location feature. - -If you enable this policy setting, scripts for the location feature will not run. - -If you disable or do not configure this policy setting, all location scripts will run. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableLocationScripting | -| Friendly Name | Turn off location scripting | -| Location | Computer Configuration | -| Path | Windows Components > Location and Sensors | -| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | -| Registry Value Name | DisableLocationScripting | -| ADMX File Name | Sensors.admx | - - - - - - - - - -## DisableSensors_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableSensors_2 -``` - - - - -This policy setting turns off the sensor feature for this computer. - -If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. - -If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSensors | -| Friendly Name | Turn off sensors | -| Location | Computer Configuration | -| Path | Windows Components > Location and Sensors | -| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | -| Registry Value Name | DisableSensors | -| ADMX File Name | Sensors.admx | - - - - - - - - ## DisableLocation_1 @@ -166,9 +44,9 @@ If you disable or do not configure this policy setting, all programs on this com This policy setting turns off the location feature for this computer. -If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. +- If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. -If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. +- If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. @@ -186,13 +64,13 @@ If you disable or do not configure this policy setting, all programs on this com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableLocation | +| Name | DisableLocation_1 | | Friendly Name | Turn off location | | Location | User Configuration | | Path | Windows Components > Location and Sensors | @@ -226,9 +104,9 @@ If you disable or do not configure this policy setting, all programs on this com This policy setting turns off scripting for the location feature. -If you enable this policy setting, scripts for the location feature will not run. +- If you enable this policy setting, scripts for the location feature will not run. -If you disable or do not configure this policy setting, all location scripts will run. +- If you disable or do not configure this policy setting, all location scripts will run. @@ -246,13 +124,13 @@ If you disable or do not configure this policy setting, all location scripts wil > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableLocationScripting | +| Name | DisableLocationScripting_1 | | Friendly Name | Turn off location scripting | | Location | User Configuration | | Path | Windows Components > Location and Sensors | @@ -267,6 +145,66 @@ If you disable or do not configure this policy setting, all location scripts wil + +## DisableLocationScripting_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableLocationScripting_2 +``` + + + + +This policy setting turns off scripting for the location feature. + +- If you enable this policy setting, scripts for the location feature will not run. + +- If you disable or do not configure this policy setting, all location scripts will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLocationScripting_2 | +| Friendly Name | Turn off location scripting | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableLocationScripting | +| ADMX File Name | Sensors.admx | + + + + + + + + ## DisableSensors_1 @@ -286,9 +224,9 @@ If you disable or do not configure this policy setting, all location scripts wil This policy setting turns off the sensor feature for this computer. -If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. +- If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. -If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. +- If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. @@ -306,13 +244,13 @@ If you disable or do not configure this policy setting, all programs on this com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableSensors | +| Name | DisableSensors_1 | | Friendly Name | Turn off sensors | | Location | User Configuration | | Path | Windows Components > Location and Sensors | @@ -327,6 +265,66 @@ If you disable or do not configure this policy setting, all programs on this com + +## DisableSensors_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Sensors/DisableSensors_2 +``` + + + + +This policy setting turns off the sensor feature for this computer. + +- If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. + +- If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSensors_2 | +| Friendly Name | Turn off sensors | +| Location | Computer Configuration | +| Path | Windows Components > Location and Sensors | +| Registry Key Name | Software\Policies\Microsoft\Windows\LocationAndSensors | +| Registry Value Name | DisableSensors | +| ADMX File Name | Sensors.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index 931cd6af39..3bebbb38c2 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -1,10 +1,10 @@ --- title: ADMX_ServerManager Policy CSP -description: Learn more about the ADMX_ServerManager Area in Policy CSP +description: Learn more about the ADMX_ServerManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ServerManager > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to turn off the automatic display of the Manage Your Server page. -If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. +- If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. -If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. However, if the administrator has selected the "Don’t display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. +- If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. However, if the administrator has selected the "Don't display this page at logon" option at the bottom of the Manage Your Server page, the page is not displayed. @@ -68,7 +66,7 @@ If you disable or do not configure this policy setting, the Manage Your Server p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,11 +106,11 @@ If you disable or do not configure this policy setting, the Manage Your Server p This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 2008 and Windows Server 2008 R2. -If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. +- If you enable this policy setting, the Initial Configuration Tasks window is not displayed when an administrator logs on to the server. -If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. +- If you disable this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. -If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. +- If you do not configure this policy setting, the Initial Configuration Tasks window is displayed when an administrator logs on to the server. However, if an administrator selects the "Do not show this window at logon" option, the window is not displayed on subsequent logons. @@ -130,7 +128,7 @@ If you do not configure this policy setting, the Initial Configuration Tasks win > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -170,13 +168,14 @@ If you do not configure this policy setting, the Initial Configuration Tasks win This policy setting allows you to turn off the automatic display of Server Manager at logon. -If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. +- If you enable this policy setting, Server Manager is not displayed automatically when a user logs on to the server. -If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. +- If you disable this policy setting, Server Manager is displayed automatically when a user logs on to the server. -If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager automatically at logon” (Windows Server 2012) option is selected, the console is not displayed automatically at logon. +- If you do not configure this policy setting, Server Manager is displayed when a user logs on to the server. However, if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or "Do not start Server Manager automatically at logon" (Windows Server 2012) option is selected, the console is not displayed automatically at logon. -Note: Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. +> [!NOTE] +> Regardless of the status of this policy setting, Server Manager is available from the Start menu or the Windows taskbar. @@ -194,7 +193,7 @@ Note: Regardless of the status of this policy setting, Server Manager is availab > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -234,11 +233,13 @@ Note: Regardless of the status of this policy setting, Server Manager is availab This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers. -If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2), or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that is configured in the Server Manager console. +- If you enable this policy setting, Server Manager uses the refresh interval specified in the policy setting instead of the "Configure Refresh Interval" setting (in Windows Server 2008 and Windows Server 2008 R2), or the "Refresh the data shown in Server Manager every [x] [minutes/hours/days]" setting (in Windows Server 2012) that is configured in the Server Manager console. -If you disable this policy setting, Server Manager does not refresh automatically. If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. +- If you disable this policy setting, Server Manager does not refresh automatically. +- If you do not configure this policy setting, Server Manager uses the refresh interval settings that are specified in the Server Manager console. -Note: The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. +> [!NOTE] +> The default refresh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2, or 10 minutes in Windows Server 2012. @@ -256,7 +257,7 @@ Note: The default refresh interval for Server Manager is two minutes in Windows > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index 55228646cb..98279f859e 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -1,10 +1,10 @@ --- title: ADMX_Servicing Policy CSP -description: Learn more about the ADMX_Servicing Area in Policy CSP +description: Learn more about the ADMX_Servicing Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Servicing > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. -If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. +- If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon. -The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file. For example “wim:\\server\share\install.wim:3”. +The network location can be either a folder, or a WIM file. If it is a WIM file, the location should be specified by prefixing the path with "wim:" and include the index of the image to use in the WIM file. For example "wim:\\server\share\install.wim:3". -If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. +- If you disable or do not configure this policy setting, or if the required files cannot be found at the locations specified in this policy setting, the files will be downloaded from Windows Update, if that is allowed by the policy settings for the computer. @@ -68,13 +66,13 @@ If you disable or do not configure this policy setting, or if the required files > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CloudFulfillmentGPO | +| Name | Servicing | | Friendly Name | Specify settings for optional component installation and component repair | | Location | Computer Configuration | | Path | System | diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 45c357c51b..4525405908 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -1,10 +1,10 @@ --- title: ADMX_SettingSync Policy CSP -description: Learn more about the ADMX_SettingSync Area in Policy CSP +description: Learn more about the ADMX_SettingSync Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_SettingSync > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "app settings" group will not be synced. +- If you enable this policy setting, the "app settings" group will not be synced. Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. @@ -68,7 +66,7 @@ If you do not set or disable this setting, syncing of the "app settings" group i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,7 +106,7 @@ If you do not set or disable this setting, syncing of the "app settings" group i Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "AppSync" group will not be synced. +- If you enable this policy setting, the "AppSync" group will not be synced. Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. @@ -130,7 +128,7 @@ If you do not set or disable this setting, syncing of the "AppSync" group is on > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -170,7 +168,7 @@ If you do not set or disable this setting, syncing of the "AppSync" group is on Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "passwords" group will not be synced. +- If you enable this policy setting, the "passwords" group will not be synced. Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. @@ -192,7 +190,7 @@ If you do not set or disable this setting, syncing of the "passwords" group is o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -232,7 +230,7 @@ If you do not set or disable this setting, syncing of the "passwords" group is o Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "desktop personalization" group will not be synced. +- If you enable this policy setting, the "desktop personalization" group will not be synced. Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. @@ -254,7 +252,7 @@ If you do not set or disable this setting, syncing of the "desktop personalizati > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -294,7 +292,7 @@ If you do not set or disable this setting, syncing of the "desktop personalizati Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "personalize" group will not be synced. +- If you enable this policy setting, the "personalize" group will not be synced. Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. @@ -316,7 +314,7 @@ If you do not set or disable this setting, syncing of the "personalize" group is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -356,7 +354,7 @@ If you do not set or disable this setting, syncing of the "personalize" group is Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. -If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. +- If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. @@ -378,7 +376,7 @@ If you do not set or disable this setting, "sync your settings" is on by default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -418,7 +416,7 @@ If you do not set or disable this setting, "sync your settings" is on by default Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "Start layout" group will not be synced. +- If you enable this policy setting, the "Start layout" group will not be synced. Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. @@ -440,7 +438,7 @@ If you do not set or disable this setting, syncing of the "Start layout" group i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -480,7 +478,7 @@ If you do not set or disable this setting, syncing of the "Start layout" group i Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. -If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. +- If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. If you do not set or disable this setting, syncing on metered connections is configurable by the user. @@ -500,7 +498,7 @@ If you do not set or disable this setting, syncing on metered connections is con > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -540,7 +538,7 @@ If you do not set or disable this setting, syncing on metered connections is con Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. -If you enable this policy setting, the "Other Windows settings" group will not be synced. +- If you enable this policy setting, the "Other Windows settings" group will not be synced. Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. @@ -562,7 +560,7 @@ If you do not set or disable this setting, syncing of the "Other Windows setting > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 92e980608b..0380f886fb 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -1,10 +1,10 @@ --- title: ADMX_SharedFolders Policy CSP -description: Learn more about the ADMX_SharedFolders Area in Policy CSP +description: Learn more about the ADMX_SharedFolders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_SharedFolders > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). -If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . +- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . -If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. +- If you disable this policy setting, users cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled -**Note**: The default is to allow shared folders to be published when this setting is not configured. +> [!NOTE] +> The default is to allow shared folders to be published when this setting is not configured. @@ -68,7 +67,7 @@ If you disable this policy setting, users cannot publish DFS roots in AD DS and > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,11 +107,12 @@ If you disable this policy setting, users cannot publish DFS roots in AD DS and This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). -If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. +- If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. -If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled. +- If you disable this policy setting, users cannot publish shared folders in AD DS, and the "Publish in Active Directory" option is disabled -**Note**: The default is to allow shared folders to be published when this setting is not configured. +> [!NOTE] +> The default is to allow shared folders to be published when this setting is not configured. @@ -130,7 +130,7 @@ If you disable this policy setting, users cannot publish shared folders in AD DS > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 1a0e859eda..ca00b3af93 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -1,10 +1,10 @@ --- title: ADMX_Sharing Policy CSP -description: Learn more about the ADMX_Sharing Area in Policy CSP +description: Learn more about the ADMX_Sharing Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Sharing > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network. -If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features. +- If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features. -If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup. +- If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup. This policy setting is not configured by default. @@ -70,7 +68,7 @@ You must restart the computer for this policy setting to take effect. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,9 +108,9 @@ You must restart the computer for this policy setting to take effect. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. -If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. +- If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. -If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. +- If you disable or don't configure this policy setting, users can share files out of their user profile after an administrator has opted in the computer. @@ -130,7 +128,7 @@ If you disable or don't configure this policy setting, users can share files out > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e13b8bc97f..d51369a170 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -1,10 +1,10 @@ --- title: ADMX_ShellCommandPromptRegEditTools Policy CSP -description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP +description: Learn more about the ADMX_ShellCommandPromptRegEditTools Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_ShellCommandPromptRegEditTools > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. -If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. +- If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. -If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. +- If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. -Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. +> [!NOTE] +> Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. @@ -68,7 +67,7 @@ Note: Do not prevent the computer from running batch files if the computer uses > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -107,9 +106,9 @@ Note: Do not prevent the computer from running batch files if the computer uses Disables the Windows registry editor Regedit.exe. -If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. +- If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. -If you disable this policy setting or do not configure it, users can run Regedit.exe normally. +- If you disable this policy setting or do not configure it, users can run Regedit.exe normally. To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting. @@ -129,7 +128,7 @@ To prevent users from using other administrative tools, use the "Run only specif > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -168,14 +167,16 @@ To prevent users from using other administrative tools, use the "Run only specif Prevents Windows from running the programs you specify in this policy setting. -If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. +- If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. -If you disable this policy setting or do not configure it, users can run any programs. +- If you disable this policy setting or do not configure it, users can run any programs. This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -Note: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. -Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). +> [!NOTE] +> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +> [!NOTE] +> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). @@ -193,7 +194,7 @@ Note: To create a list of allowed applications, click Show. In the Show Contents > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -233,14 +234,16 @@ Note: To create a list of allowed applications, click Show. In the Show Contents Limits the Windows programs that users have permission to run on the computer. -If you enable this policy setting, users can only run programs that you add to the list of allowed applications. +- If you enable this policy setting, users can only run programs that you add to the list of allowed applications. -If you disable this policy setting or do not configure it, users can run all applications. +- If you disable this policy setting or do not configure it, users can run all applications. This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer. -Note: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. -Note: To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). +> [!NOTE] +> Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting. +> [!NOTE] +> To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe). @@ -258,7 +261,7 @@ Note: To create a list of allowed applications, click Show. In the Show Contents > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index eee03d598e..8b5f6ce6f4 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -1,10 +1,10 @@ --- title: ADMX_Smartcard Policy CSP -description: Learn more about the ADMX_Smartcard Area in Policy CSP +description: Learn more about the ADMX_Smartcard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Smartcard > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,12 +46,12 @@ This policy setting lets you allow certificates without an Extended Key Usage (E In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. -If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: +- If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card: - Certificates with no EKU - Certificates with an All Purpose EKU - Certificates with a Client Authentication EKU -If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. +- If you disable or do not configure this policy setting, only certificates that contain the smart card logon object identifier can be used to log on with a smart card. @@ -71,7 +69,7 @@ If you disable or do not configure this policy setting, only certificates that c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -113,9 +111,9 @@ This policy setting lets you determine whether the integrated unblock feature wi In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. -If you enable this policy setting, the integrated unblock feature will be available. +- If you enable this policy setting, the integrated unblock feature will be available. -If you disable or do not configure this policy setting then the integrated unblock feature will not be available. +- If you disable or do not configure this policy setting then the integrated unblock feature will not be available. @@ -133,7 +131,7 @@ If you disable or do not configure this policy setting then the integrated unblo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -173,9 +171,9 @@ If you disable or do not configure this policy setting then the integrated unblo This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. -If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. +- If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. -If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. +- If you disable or do not configure this policy setting, any available smart card signature key-based certificates will not be listed on the logon screen. @@ -193,7 +191,7 @@ If you disable or do not configure this policy setting, any available smart card > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -235,9 +233,9 @@ This policy setting permits those certificates to be displayed for logon that ar Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. -If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired. +- If you enable this policy setting certificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired. -If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. +- If you disable or do not configure this policy setting, certificates which are expired or not yet valid will not be listed on the logon screen. @@ -255,7 +253,7 @@ If you disable or do not configure this policy setting, certificates which are e > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -295,9 +293,9 @@ If you disable or do not configure this policy setting, certificates which are e This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. -If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. +- If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. -If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. +- If you disable this policy setting, certificate propagation will not occur and the certificates will not be made available to applications such as Outlook. @@ -315,7 +313,7 @@ If you disable this policy setting, certificate propagation will not occur and t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -353,7 +351,9 @@ If you disable this policy setting, certificate propagation will not occur and t -This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate clean up will occur on log off. +This policy setting allows you to manage the clean up behavior of root certificates. +- If you enable this policy setting then root certificate cleanup will occur according to the option selected. +- If you disable or do not configure this setting then root certificate clean up will occur on log off. @@ -371,7 +371,7 @@ This policy setting allows you to manage the clean up behavior of root certifica > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -410,11 +410,12 @@ This policy setting allows you to manage the clean up behavior of root certifica This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. -If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. +- If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card -**Note**: For this policy setting to work the following policy setting must also be enabled: Turn on certificate propagation from smart card. +> [!NOTE] +> For this policy setting to work the following policy setting must also be enabled Turn on certificate propagation from smart card. -If you disable this policy setting then root certificates will not be propagated from the smart card. +- If you disable this policy setting then root certificates will not be propagated from the smart card. @@ -432,7 +433,7 @@ If you disable this policy setting then root certificates will not be propagated > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -472,11 +473,12 @@ If you disable this policy setting then root certificates will not be propagated This policy setting prevents plaintext PINs from being returned by Credential Manager. -If you enable this policy setting, Credential Manager does not return a plaintext PIN. +- If you enable this policy setting, Credential Manager does not return a plaintext PIN. -If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager. +- If you disable or do not configure this policy setting, plaintext PINs can be returned by Credential Manager. -Note: Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. +> [!NOTE] +> Enabling this policy setting could prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by this policy setting. @@ -494,7 +496,7 @@ Note: Enabling this policy setting could prevent certain smart cards from workin > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -534,12 +536,14 @@ Note: Enabling this policy setting could prevent certain smart cards from workin This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. -If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. +- If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. -If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain. +- If you disable or do not configure this policy setting, ECC certificates on a smart card cannot be used to log on to a domain. -Note: This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. -Note: If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. +> [!NOTE] +> This policy setting only affects a user's ability to log on to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting. +> [!NOTE] +> If you use an ECDSA key to log on, you must also have an associated ECDH key to permit logons when you are not connected to the network. @@ -557,7 +561,7 @@ Note: If you use an ECDSA key to log on, you must also have an associated ECDH k > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -599,13 +603,14 @@ This policy settings lets you configure if all your valid logon certificates are During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). -If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown. +If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certificate that is used for logon on Windows 2000, Windows XP, and Windows 2003 Server will be shown, otherwise the the certificate with the expiration time furthest in the future will be shown -**Note**: This setting will be applied after the following policy: "Allow time invalid certificates" +> [!NOTE] +> This setting will be applied after the following policy "Allow time invalid certificates" -If you enable or do not configure this policy setting, filtering will take place. +- If you enable or do not configure this policy setting, filtering will take place. -If you disable this policy setting, no filtering will take place. +- If you disable this policy setting, no filtering will take place. @@ -623,7 +628,7 @@ If you disable this policy setting, no filtering will take place. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -665,9 +670,9 @@ This policy setting allows you to manage the reading of all certificates from th During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. -If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. +- If you enable this setting, then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP. -If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. +- If you disable or do not configure this setting, Windows will only attempt to read the default certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available for logon. @@ -685,7 +690,7 @@ If you disable or do not configure this setting, Windows will only attempt to re > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -725,11 +730,12 @@ If you disable or do not configure this setting, Windows will only attempt to re This policy setting allows you to manage the displayed message when a smart card is blocked. -If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. +- If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked -**Note**: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon. +> [!NOTE] +> The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon. -If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. +- If you disable or do not configure this policy setting, the default message will be displayed to the user when the smart card is blocked, if the integrated unblock feature is enabled. @@ -747,7 +753,7 @@ If you disable or do not configure this policy setting, the default message will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -788,7 +794,7 @@ This policy setting lets you reverse the subject name from how it is stored in t By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. -If you enable this policy setting or do not configure this setting, then the subject name will be reversed. +- If you enable this policy setting or do not configure this setting, then the subject name will be reversed. If you disable , the subject name will be displayed as it appears in the certificate. @@ -808,7 +814,7 @@ If you disable , the subject name will be displayed as it appears in the certifi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -848,11 +854,12 @@ If you disable , the subject name will be displayed as it appears in the certifi This policy setting allows you to control whether Smart Card Plug and Play is enabled. -If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. +- If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. -If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader. +- If you disable this policy setting, Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card Reader. -Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. +> [!NOTE] +> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. @@ -870,7 +877,7 @@ Note: This policy setting is applied only for smart cards that have passed the W > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -910,11 +917,12 @@ Note: This policy setting is applied only for smart cards that have passed the W This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. -If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. +- If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. -If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed. +- If you disable this policy setting, a confirmation message will not be displayed when a smart card device driver is installed. -Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. +> [!NOTE] +> This policy setting is applied only for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process. @@ -932,7 +940,7 @@ Note: This policy setting is applied only for smart cards that have passed the W > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -972,9 +980,9 @@ Note: This policy setting is applied only for smart cards that have passed the W This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. -If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. +- If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. -If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. +- If you disable or do not configure this policy setting, an optional field that allows users to enter their user name or user name and domain will not be displayed. @@ -992,7 +1000,7 @@ If you disable or do not configure this policy setting, an optional field that a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 55d1ca2653..3621590388 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -1,10 +1,10 @@ --- title: ADMX_Snmp Policy CSP -description: Learn more about the ADMX_Snmp Area in Policy CSP +description: Learn more about the ADMX_Snmp Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Snmp > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,15 +48,17 @@ SNMP is a protocol designed to give a user the capability to remotely manage a c A valid community is a community recognized by the SNMP service, while a community is a group of hosts (servers, workstations, hubs, and routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets from the network. -If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community. +- If you enable this policy setting, the SNMP agent only accepts requests from management systems within the communities it recognizes, and only SNMP Read operation is allowed for the community. -If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. +- If you disable or do not configure this policy setting, the SNMP service takes the Valid Communities configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control. -Note: It is good practice to use a cryptic community name. +> [!NOTE] +> It is good practice to use a cryptic community name. -Note: This policy setting has no effect if the SNMP agent is not installed on the client computer. +> [!NOTE] +> This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Specify trap configuration". @@ -78,7 +78,7 @@ Also, see the other two SNMP settings: "Specify permitted managers" and "Specify > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -121,13 +121,14 @@ Simple Network Management Protocol is a protocol designed to give a user the cap The manager is located on the host computer on the network. The manager's role is to poll the agents for certain requested information. -If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. +- If you enable this policy setting, the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting. -If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. +- If you disable or do not configure this policy setting, SNMP service takes the permitted managers configured on the local computer instead. Best practice: For security purposes, it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control. -Note: This policy setting has no effect if the SNMP agent is not installed on the client computer. +> [!NOTE] +> This policy setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name". @@ -147,7 +148,7 @@ Also, see the other two SNMP policy settings: "Specify trap configuration" and " > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -190,11 +191,12 @@ Simple Network Management Protocol is a protocol designed to give a user the cap This policy setting allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchronously. -If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community. +- If you enable this policy setting, the SNMP service sends trap messages to the hosts within the "public" community. -If you disable or do not configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. +- If you disable or do not configure this policy setting, the SNMP service takes the trap configuration configured on the local computer instead. -Note: This setting has no effect if the SNMP agent is not installed on the client computer. +> [!NOTE] +> This setting has no effect if the SNMP agent is not installed on the client computer. Also, see the other two SNMP settings: "Specify permitted managers" and "Specify Community Name". @@ -214,7 +216,7 @@ Also, see the other two SNMP settings: "Specify permitted managers" and "Specify > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index a66d9243e6..2c0c32056e 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -1,6 +1,6 @@ --- title: ADMX_SoundRec Policy CSP -description: Learn more about the ADMX_SoundRec Area in Policy CSP +description: Learn more about the ADMX_SoundRec Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index bf1efd462a..11e6d2fff2 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -1,6 +1,6 @@ --- title: ADMX_srmfci Policy CSP -description: Learn more about the ADMX_srmfci Area in Policy CSP +description: Learn more about the ADMX_srmfci Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index 0d3f1d6f32..b4ffcc734a 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -1,10 +1,10 @@ --- title: ADMX_StartMenu Policy CSP -description: Learn more about the ADMX_StartMenu Area in Policy CSP +description: Learn more about the ADMX_StartMenu Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1244,9 +1244,7 @@ Prevents users from adding the Favorites menu to the Start menu or classic Start -This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. - -**Note** that this does not remove the search box from the new style Start menu. +This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. **Note** that this does not remove the search box from the new style Start menu. - If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 525c916e6c..1880514363 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -1,10 +1,10 @@ --- title: ADMX_SystemRestore Policy CSP -description: Learn more about the ADMX_SystemRestore Area in Policy CSP +description: Learn more about the ADMX_SystemRestore Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_SystemRestore > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,9 +48,9 @@ This policy setting allows you to turn off System Restore configuration through System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting. -If you enable this policy setting, the option to configure System Restore through System Protection is disabled. +- If you enable this policy setting, the option to configure System Restore through System Protection is disabled. -If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. +- If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. @@ -72,7 +70,7 @@ Also, see the "Turn off System Restore" policy setting. If the "Turn off System > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md index ed25251ac2..b83e3d74c0 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md @@ -1,10 +1,10 @@ --- title: ADMX_TabletPCInputPanel Policy CSP -description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP +description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TabletPCInputPanel > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,538 +25,6 @@ ms.topic: reference - -## AutoComplete_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2 -``` - - - - -Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoComplete | -| Friendly Name | Turn off AutoComplete integration with Input Panel | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | DisableACIntegration | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## EdgeTarget_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2 -``` - - - - -Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. - -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | EdgeTarget | -| Friendly Name | Prevent Input Panel tab from appearing | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | DisableEdgeTarget | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## IPTIPTarget_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2 -``` - - - - -Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. - -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | IPTIPTarget | -| Friendly Name | For tablet pen input, don’t show the Input Panel icon | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | HideIPTIPTarget | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## IPTIPTouchTarget_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2 -``` - - - - -Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | IPTIPTouchTarget | -| Friendly Name | For touch input, don’t show the Input Panel icon | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | HideIPTIPTouchTarget | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## PasswordSecurity_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2 -``` - - - - -Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. - -Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. - -Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PasswordSecurity | -| Friendly Name | Turn off password security in Input Panel | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | PasswordSecurityState | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## Prediction_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2 -``` - - - - -Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. - -Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | EnablePrediction | -| Friendly Name | Disable text prediction | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | DisablePrediction | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## RareChar_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2 -``` - - - - -Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. - -Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RareChar | -| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | IncludeRareChar | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - - -## ScratchOut_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2 -``` - - - - -Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. - -The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. - -Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. - -If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. - -If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ScratchOut | -| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Input Panel | -| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | -| Registry Value Name | ScratchOutState | -| ADMX File Name | TabletPCInputPanel.admx | - - - - - - - - ## AutoComplete_1 @@ -580,11 +46,11 @@ Turns off the integration of application auto complete lists with Tablet PC Inpu Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. +- If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. @@ -602,13 +68,13 @@ If you do not configure this policy, application auto complete lists will appear > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AutoComplete | +| Name | AutoComplete_1 | | Friendly Name | Turn off AutoComplete integration with Input Panel | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -623,6 +89,70 @@ If you do not configure this policy, application auto complete lists will appear + +## AutoComplete_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2 +``` + + + + +Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoComplete_2 | +| Friendly Name | Turn off AutoComplete integration with Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableACIntegration | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## EdgeTarget_1 @@ -644,13 +174,14 @@ Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. +- If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. +> [!CAUTION] +> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel. @@ -668,13 +199,13 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | EdgeTarget | +| Name | EdgeTarget_1 | | Friendly Name | Prevent Input Panel tab from appearing | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -689,6 +220,73 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + +## EdgeTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2 +``` + + + + +Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +> [!CAUTION] +> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EdgeTarget_2 | +| Friendly Name | Prevent Input Panel tab from appearing | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisableEdgeTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## IPTIPTarget_1 @@ -710,13 +308,14 @@ Prevents the Tablet PC Input Panel icon from appearing next to any text entry ar Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. +- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. -Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel. +> [!CAUTION] +> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel. @@ -734,13 +333,13 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IPTIPTarget | +| Name | IPTIPTarget_1 | | Friendly Name | For tablet pen input, don’t show the Input Panel icon | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -755,6 +354,73 @@ Caution: If you enable both the “Prevent Input Panel from appearing next to te + +## IPTIPTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2 +``` + + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + +> [!CAUTION] +> If you enable both the "Prevent Input Panel from appearing next to text entry areas" policy and the "Prevent Input Panel tab from appearing" policy, and disable the "Show Input Panel taskbar icon" policy, the user will then have no way to access Input Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTarget_2 | +| Friendly Name | For tablet pen input, don’t show the Input Panel icon | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## IPTIPTouchTarget_1 @@ -776,11 +442,11 @@ Prevents the Tablet PC Input Panel icon from appearing next to any text entry ar Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. +- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. @@ -798,13 +464,13 @@ If you do not configure this policy, Input Panel will appear next to text entry > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IPTIPTouchTarget | +| Name | IPTIPTouchTarget_1 | | Friendly Name | For touch input, don’t show the Input Panel icon | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -819,6 +485,70 @@ If you do not configure this policy, Input Panel will appear next to text entry + +## IPTIPTouchTarget_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2 +``` + + + + +Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | IPTIPTouchTarget_2 | +| Friendly Name | For touch input, don’t show the Input Panel icon | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | HideIPTIPTouchTarget | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## PasswordSecurity_1 @@ -840,21 +570,22 @@ Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k. Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "High" from the drop-down box, password security is set to "High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. +- If you do not configure this policy, password security is set to "Medium-High" by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. -Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords. +> [!CAUTION] +> If you lower password security settings, people who can see the user's screen might be able to see their passwords. @@ -872,13 +603,13 @@ Caution: If you lower password security settings, people who can see the user’ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PasswordSecurity | +| Name | PasswordSecurity_1 | | Friendly Name | Turn off password security in Input Panel | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -893,6 +624,81 @@ Caution: If you lower password security settings, people who can see the user’ + +## PasswordSecurity_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2 +``` + + + + +Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy and choose "Low" from the drop-down box, password security is set to "Low." At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "Medium-Low" from the drop-down box, password security is set to "Medium-Low." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "Medium" from the drop-down box, password security is set to "Medium." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose to "Medium-High" from the drop-down box, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "High" from the drop-down box, password security is set to "High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, password security is set to "Medium-High." At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, password security is set to "Medium-High" by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista. + +> [!CAUTION] +> If you lower password security settings, people who can see the user's screen might be able to see their passwords. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PasswordSecurity_2 | +| Friendly Name | Turn off password security in Input Panel | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | PasswordSecurityState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## Prediction_1 @@ -914,11 +720,11 @@ Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. +- If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. @@ -936,13 +742,13 @@ If you do not configure this policy, Input Panel will provide text prediction su > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | EnablePrediction | +| Name | Prediction_1 | | Friendly Name | Disable text prediction | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -957,6 +763,70 @@ If you do not configure this policy, Input Panel will provide text prediction su + +## Prediction_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2 +``` + + + + +Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language. + +Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Prediction_2 | +| Friendly Name | Disable text prediction | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | DisablePrediction | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## RareChar_1 @@ -978,11 +848,11 @@ Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is co Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). +- If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). @@ -1000,13 +870,13 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RareChar | +| Name | RareChar_1 | | Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -1021,6 +891,70 @@ If you do not configure this policy, rarely used Chinese, Kanji, and Hanja chara + +## RareChar_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2 +``` + + + + +Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed. + +Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RareChar_2 | +| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | IncludeRareChar | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + ## ScratchOut_1 @@ -1044,15 +978,15 @@ The tolerant gestures let users scratch out ink in Input Panel by using striketh Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. -If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "All" from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you enable this policy and choose "None," users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. +- If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. -If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. +- If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. @@ -1070,13 +1004,13 @@ If you do not configure this policy, users will be able to use both the tolerant > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ScratchOut | +| Name | ScratchOut_1 | | Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Input Panel | @@ -1091,6 +1025,76 @@ If you do not configure this policy, users will be able to use both the tolerant + +## ScratchOut_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2 +``` + + + + +Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. + +The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. + +Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. + +- If you enable this policy and choose "All" from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you enable this policy and choose "None," users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. + +- If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ScratchOut_2 | +| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Input Panel | +| Registry Key Name | software\policies\microsoft\TabletTip\1.7 | +| Registry Value Name | ScratchOutState | +| ADMX File Name | TabletPCInputPanel.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 732206ca69..bb04b3fb84 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -1,10 +1,10 @@ --- title: ADMX_TabletShell Policy CSP -description: Learn more about the ADMX_TabletShell Area in Policy CSP +description: Learn more about the ADMX_TabletShell Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TabletShell > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,682 +25,6 @@ ms.topic: reference - -## DisableInkball_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableInkball_2 -``` - - - - -Prevents start of InkBall game. - -If you enable this policy, the InkBall game will not run. - -If you disable this policy, the InkBall game will run. - -If you do not configure this policy, the InkBall game will run. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableInkball | -| Friendly Name | Do not allow Inkball to run | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Accessories | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | DisableInkball | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## DisableJournal_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableJournal_2 -``` - - - - -Prevents start of Windows Journal. - -If you enable this policy, the Windows Journal accessory will not run. - -If you disable this policy, the Windows Journal accessory will run. - -If you do not configure this policy, the Windows Journal accessory will run. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableJournal | -| Friendly Name | Do not allow Windows Journal to be run | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Accessories | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | DisableJournal | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## DisableNoteWriterPrinting_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableNoteWriterPrinting_2 -``` - - - - -Prevents printing to Journal Note Writer. - -If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. - -If you disable this policy, you will be able to use this feature to print to a Journal Note. - -If you do not configure this policy, users will be able to use this feature to print to a Journal Note. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableNoteWriterPrinting | -| Friendly Name | Do not allow printing to Journal Note Writer | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Accessories | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | DisableNoteWriterPrinting | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## DisableSnippingTool_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableSnippingTool_2 -``` - - - - -Prevents the snipping tool from running. - -If you enable this policy setting, the Snipping Tool will not run. - -If you disable this policy setting, the Snipping Tool will run. - -If you do not configure this policy setting, the Snipping Tool will run. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSnippingTool | -| Friendly Name | Do not allow Snipping Tool to run | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Accessories | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | DisableSnippingTool | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## PreventBackEscMapping_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventBackEscMapping_2 -``` - - - - -Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. - -If you enable this policy, a button assigned to Back will not map to ESC. - -If you disable this policy, Back->ESC mapping will occur. - -If you do not configure this policy, Back->ESC mapping will occur. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventBackEscMapping | -| Friendly Name | Prevent Back-ESC mapping | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Hardware Buttons | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | PreventButtonBackEscapeMapping | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## PreventFlicks_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicks_2 -``` - - - - -Makes pen flicks and all related features unavailable. - -If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. - -If you disable or do not configure this policy, pen flicks and related features are available. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventFlicks | -| Friendly Name | Prevent flicks | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Pen UX Behaviors | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | PreventFlicks | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## PreventFlicksLearningMode_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicksLearningMode_2 -``` - - - - -Makes pen flicks learning mode unavailable. - -If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. - -If you disable or do not configure this policy, all the features described above will be available. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventFlicksLearningMode | -| Friendly Name | Prevent Flicks Learning Mode | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Pen Flicks Learning | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | PreventFlicksLearningMode | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## PreventLaunchApp_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventLaunchApp_2 -``` - - - - -Prevents the user from launching an application from a Tablet PC hardware button. - -If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). - -If you disable this policy, applications can be launched from a hardware button. - -If you do not configure this policy, applications can be launched from a hardware button. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventLaunchApp | -| Friendly Name | Prevent launch an application | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Hardware Buttons | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | PreventButtonApplicationLaunch | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## PreventPressAndHold_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventPressAndHold_2 -``` - - - - -Prevents press and hold actions on hardware buttons, so that only one action is available per button. - -If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." - -If you disable this policy, press and hold actions for buttons will be available. - -If you do not configure this policy, press and hold actions will be available. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventPressAndHold | -| Friendly Name | Prevent press and hold | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Hardware Buttons | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | PreventButtonPressAndHold | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## TurnOffButtons_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffButtons_2 -``` - - - - -Turns off Tablet PC hardware buttons. - -If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. - -If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. - -If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TurnOffButtons | -| Friendly Name | Turn off hardware buttons | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Hardware Buttons | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | TurnOffButtons | -| ADMX File Name | TabletShell.admx | - - - - - - - - - -## TurnOffFeedback_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffFeedback_2 -``` - - - - -Disables visual pen action feedback, except for press and hold feedback. - -If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. - -If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TurnOffFeedback | -| Friendly Name | Turn off pen feedback | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Cursors | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | TurnOffPenFeedback | -| ADMX File Name | TabletShell.admx | - - - - - - - - ## DisableInkball_1 @@ -722,11 +44,11 @@ If you disable or do not configure this policy, visual feedback and pen cursors Prevents start of InkBall game. -If you enable this policy, the InkBall game will not run. +- If you enable this policy, the InkBall game will not run. -If you disable this policy, the InkBall game will run. +- If you disable this policy, the InkBall game will run. -If you do not configure this policy, the InkBall game will run. +- If you do not configure this policy, the InkBall game will run. @@ -744,13 +66,13 @@ If you do not configure this policy, the InkBall game will run. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableInkball | +| Name | DisableInkball_1 | | Friendly Name | Do not allow Inkball to run | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Accessories | @@ -765,6 +87,68 @@ If you do not configure this policy, the InkBall game will run. + +## DisableInkball_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableInkball_2 +``` + + + + +Prevents start of InkBall game. + +- If you enable this policy, the InkBall game will not run. + +- If you disable this policy, the InkBall game will run. + +- If you do not configure this policy, the InkBall game will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableInkball_2 | +| Friendly Name | Do not allow Inkball to run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableInkball | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## DisableJournal_1 @@ -784,11 +168,11 @@ If you do not configure this policy, the InkBall game will run. Prevents start of Windows Journal. -If you enable this policy, the Windows Journal accessory will not run. +- If you enable this policy, the Windows Journal accessory will not run. -If you disable this policy, the Windows Journal accessory will run. +- If you disable this policy, the Windows Journal accessory will run. -If you do not configure this policy, the Windows Journal accessory will run. +- If you do not configure this policy, the Windows Journal accessory will run. @@ -806,13 +190,13 @@ If you do not configure this policy, the Windows Journal accessory will run. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableJournal | +| Name | DisableJournal_1 | | Friendly Name | Do not allow Windows Journal to be run | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Accessories | @@ -827,6 +211,68 @@ If you do not configure this policy, the Windows Journal accessory will run. + +## DisableJournal_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableJournal_2 +``` + + + + +Prevents start of Windows Journal. + +- If you enable this policy, the Windows Journal accessory will not run. + +- If you disable this policy, the Windows Journal accessory will run. + +- If you do not configure this policy, the Windows Journal accessory will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableJournal_2 | +| Friendly Name | Do not allow Windows Journal to be run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableJournal | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## DisableNoteWriterPrinting_1 @@ -846,11 +292,11 @@ If you do not configure this policy, the Windows Journal accessory will run. Prevents printing to Journal Note Writer. -If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. +- If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. -If you disable this policy, you will be able to use this feature to print to a Journal Note. +- If you disable this policy, you will be able to use this feature to print to a Journal Note. -If you do not configure this policy, users will be able to use this feature to print to a Journal Note. +- If you do not configure this policy, users will be able to use this feature to print to a Journal Note. @@ -868,13 +314,13 @@ If you do not configure this policy, users will be able to use this feature to p > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableNoteWriterPrinting | +| Name | DisableNoteWriterPrinting_1 | | Friendly Name | Do not allow printing to Journal Note Writer | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Accessories | @@ -889,6 +335,68 @@ If you do not configure this policy, users will be able to use this feature to p + +## DisableNoteWriterPrinting_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableNoteWriterPrinting_2 +``` + + + + +Prevents printing to Journal Note Writer. + +- If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. + +- If you disable this policy, you will be able to use this feature to print to a Journal Note. + +- If you do not configure this policy, users will be able to use this feature to print to a Journal Note. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableNoteWriterPrinting_2 | +| Friendly Name | Do not allow printing to Journal Note Writer | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableNoteWriterPrinting | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## DisableSnippingTool_1 @@ -908,11 +416,11 @@ If you do not configure this policy, users will be able to use this feature to p Prevents the snipping tool from running. -If you enable this policy setting, the Snipping Tool will not run. +- If you enable this policy setting, the Snipping Tool will not run. -If you disable this policy setting, the Snipping Tool will run. +- If you disable this policy setting, the Snipping Tool will run. -If you do not configure this policy setting, the Snipping Tool will run. +- If you do not configure this policy setting, the Snipping Tool will run. @@ -930,13 +438,13 @@ If you do not configure this policy setting, the Snipping Tool will run. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableSnippingTool | +| Name | DisableSnippingTool_1 | | Friendly Name | Do not allow Snipping Tool to run | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Accessories | @@ -951,6 +459,68 @@ If you do not configure this policy setting, the Snipping Tool will run. + +## DisableSnippingTool_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/DisableSnippingTool_2 +``` + + + + +Prevents the snipping tool from running. + +- If you enable this policy setting, the Snipping Tool will not run. + +- If you disable this policy setting, the Snipping Tool will run. + +- If you do not configure this policy setting, the Snipping Tool will run. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSnippingTool_2 | +| Friendly Name | Do not allow Snipping Tool to run | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Accessories | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | DisableSnippingTool | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## PreventBackEscMapping_1 @@ -970,11 +540,11 @@ If you do not configure this policy setting, the Snipping Tool will run. Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. -If you enable this policy, a button assigned to Back will not map to ESC. +- If you enable this policy, a button assigned to Back will not map to ESC. -If you disable this policy, Back->ESC mapping will occur. +- If you disable this policy, Back->ESC mapping will occur. -If you do not configure this policy, Back->ESC mapping will occur. +- If you do not configure this policy, Back->ESC mapping will occur. @@ -992,13 +562,13 @@ If you do not configure this policy, Back->ESC mapping will occur. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventBackEscMapping | +| Name | PreventBackEscMapping_1 | | Friendly Name | Prevent Back-ESC mapping | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Hardware Buttons | @@ -1013,6 +583,68 @@ If you do not configure this policy, Back->ESC mapping will occur. + +## PreventBackEscMapping_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventBackEscMapping_2 +``` + + + + +Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. + +- If you enable this policy, a button assigned to Back will not map to ESC. + +- If you disable this policy, Back->ESC mapping will occur. + +- If you do not configure this policy, Back->ESC mapping will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventBackEscMapping_2 | +| Friendly Name | Prevent Back-ESC mapping | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonBackEscapeMapping | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## PreventFlicks_1 @@ -1032,9 +664,9 @@ If you do not configure this policy, Back->ESC mapping will occur. Makes pen flicks and all related features unavailable. -If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. +- If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. -If you disable or do not configure this policy, pen flicks and related features are available. +- If you disable or do not configure this policy, pen flicks and related features are available. @@ -1052,13 +684,13 @@ If you disable or do not configure this policy, pen flicks and related features > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventFlicks | +| Name | PreventFlicks_1 | | Friendly Name | Prevent flicks | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Pen UX Behaviors | @@ -1073,6 +705,66 @@ If you disable or do not configure this policy, pen flicks and related features + +## PreventFlicks_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicks_2 +``` + + + + +Makes pen flicks and all related features unavailable. + +- If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pen flicks tray icon. + +- If you disable or do not configure this policy, pen flicks and related features are available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicks_2 | +| Friendly Name | Prevent flicks | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Pen UX Behaviors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicks | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## PreventFlicksLearningMode_1 @@ -1092,9 +784,9 @@ If you disable or do not configure this policy, pen flicks and related features Makes pen flicks learning mode unavailable. -If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. +- If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. -If you disable or do not configure this policy, all the features described above will be available. +- If you disable or do not configure this policy, all the features described above will be available. @@ -1112,13 +804,13 @@ If you disable or do not configure this policy, all the features described above > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventFlicksLearningMode | +| Name | PreventFlicksLearningMode_1 | | Friendly Name | Prevent Flicks Learning Mode | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Pen Flicks Learning | @@ -1133,6 +825,66 @@ If you disable or do not configure this policy, all the features described above + +## PreventFlicksLearningMode_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventFlicksLearningMode_2 +``` + + + + +Makes pen flicks learning mode unavailable. + +- If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy. + +- If you disable or do not configure this policy, all the features described above will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventFlicksLearningMode_2 | +| Friendly Name | Prevent Flicks Learning Mode | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Pen Flicks Learning | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventFlicksLearningMode | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## PreventLaunchApp_1 @@ -1152,11 +904,11 @@ If you disable or do not configure this policy, all the features described above Prevents the user from launching an application from a Tablet PC hardware button. -If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). +- If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). -If you disable this policy, applications can be launched from a hardware button. +- If you disable this policy, applications can be launched from a hardware button. -If you do not configure this policy, applications can be launched from a hardware button. +- If you do not configure this policy, applications can be launched from a hardware button. @@ -1174,13 +926,13 @@ If you do not configure this policy, applications can be launched from a hardwar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventLaunchApp | +| Name | PreventLaunchApp_1 | | Friendly Name | Prevent launch an application | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Hardware Buttons | @@ -1195,6 +947,68 @@ If you do not configure this policy, applications can be launched from a hardwar + +## PreventLaunchApp_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventLaunchApp_2 +``` + + + + +Prevents the user from launching an application from a Tablet PC hardware button. + +- If you enable this policy, applications cannot be launched from a hardware button, and "Launch an application" is removed from the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab). + +- If you disable this policy, applications can be launched from a hardware button. + +- If you do not configure this policy, applications can be launched from a hardware button. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLaunchApp_2 | +| Friendly Name | Prevent launch an application | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonApplicationLaunch | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## PreventPressAndHold_1 @@ -1214,11 +1028,11 @@ If you do not configure this policy, applications can be launched from a hardwar Prevents press and hold actions on hardware buttons, so that only one action is available per button. -If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." +- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." -If you disable this policy, press and hold actions for buttons will be available. +- If you disable this policy, press and hold actions for buttons will be available. -If you do not configure this policy, press and hold actions will be available. +- If you do not configure this policy, press and hold actions will be available. @@ -1236,13 +1050,13 @@ If you do not configure this policy, press and hold actions will be available. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventPressAndHold | +| Name | PreventPressAndHold_1 | | Friendly Name | Prevent press and hold | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Hardware Buttons | @@ -1257,6 +1071,68 @@ If you do not configure this policy, press and hold actions will be available. + +## PreventPressAndHold_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/PreventPressAndHold_2 +``` + + + + +Prevents press and hold actions on hardware buttons, so that only one action is available per button. + +- If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: "Some settings are controlled by Group Policy. If a setting is unavailable, contact your system administrator." + +- If you disable this policy, press and hold actions for buttons will be available. + +- If you do not configure this policy, press and hold actions will be available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventPressAndHold_2 | +| Friendly Name | Prevent press and hold | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | PreventButtonPressAndHold | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## TurnOffButtons_1 @@ -1276,11 +1152,11 @@ If you do not configure this policy, press and hold actions will be available. Turns off Tablet PC hardware buttons. -If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. +- If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. -If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. +- If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. -If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. +- If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. @@ -1298,13 +1174,13 @@ If you do not configure this policy, user and OEM defined button actions will oc > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TurnOffButtons | +| Name | TurnOffButtons_1 | | Friendly Name | Turn off hardware buttons | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Hardware Buttons | @@ -1319,6 +1195,68 @@ If you do not configure this policy, user and OEM defined button actions will oc + +## TurnOffButtons_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffButtons_2 +``` + + + + +Turns off Tablet PC hardware buttons. + +- If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. + +- If you disable this policy, user and OEM defined button actions will occur when the buttons are pressed. + +- If you do not configure this policy, user and OEM defined button actions will occur when the buttons are pressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffButtons_2 | +| Friendly Name | Turn off hardware buttons | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Hardware Buttons | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffButtons | +| ADMX File Name | TabletShell.admx | + + + + + + + + ## TurnOffFeedback_1 @@ -1338,9 +1276,9 @@ If you do not configure this policy, user and OEM defined button actions will oc Disables visual pen action feedback, except for press and hold feedback. -If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. +- If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. -If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. +- If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. @@ -1358,13 +1296,13 @@ If you disable or do not configure this policy, visual feedback and pen cursors > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TurnOffFeedback | +| Name | TurnOffFeedback_1 | | Friendly Name | Turn off pen feedback | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Cursors | @@ -1379,6 +1317,66 @@ If you disable or do not configure this policy, visual feedback and pen cursors + +## TurnOffFeedback_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TabletShell/TurnOffFeedback_2 +``` + + + + +Disables visual pen action feedback, except for press and hold feedback. + +- If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. + +- If you disable or do not configure this policy, visual feedback and pen cursors will be shown unless the user disables them in Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffFeedback_2 | +| Friendly Name | Turn off pen feedback | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Cursors | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPenFeedback | +| ADMX File Name | TabletShell.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index ddb5e01490..d5babf1d77 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -1,10 +1,10 @@ --- title: ADMX_Taskbar Policy CSP -description: Learn more about the ADMX_Taskbar Area in Policy CSP +description: Learn more about the ADMX_Taskbar Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 7800785cd6..a0b38a0dd1 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -1,10 +1,10 @@ --- title: ADMX_tcpip Policy CSP -description: Learn more about the ADMX_tcpip Area in Policy CSP +description: Learn more about the ADMX_tcpip Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_tcpip > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. -If you enable this policy setting, you can specify a relay name for a 6to4 host. +- If you enable this policy setting, you can specify a relay name for a 6to4 host. -If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. +- If you disable or do not configure this policy setting, the local host setting is used, and you cannot specify a relay name for a 6to4 host. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, the local host setting i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -105,9 +103,9 @@ If you disable or do not configure this policy setting, the local host setting i This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. -If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. +- If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. @@ -125,7 +123,7 @@ If you disable or do not configure this policy setting, the local host setting i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -164,9 +162,9 @@ If you disable or do not configure this policy setting, the local host setting i This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. -If you enable this policy setting, you can configure 6to4 with one of the following settings: +- If you enable this policy setting, you can configure 6to4 with one of the following settings: Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available. @@ -190,7 +188,7 @@ Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -229,9 +227,9 @@ Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be This policy setting allows you to configure IP Stateless Autoconfiguration Limits. -If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. +- If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. -If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. +- If you disable this policy setting, IP Stateless Autoconfiguration Limits will be disabled and system will not limit the number of autoconfigured addresses and routes. @@ -249,7 +247,7 @@ If you disable this policy setting, IP Stateless Autoconfiguration Limits will b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -289,9 +287,9 @@ If you disable this policy setting, IP Stateless Autoconfiguration Limits will b This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. -If you disable or do not configure this policy setting, the local host settings are used. +- If you disable or do not configure this policy setting, the local host settings are used. -If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: +- If you enable this policy setting, you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with one of the following settings: Policy Default State: The IP-HTTPS interface is used when there are no other connectivity options. @@ -315,7 +313,7 @@ Policy Disabled State: No IP-HTTPS interfaces are present on the host. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -354,9 +352,9 @@ Policy Disabled State: No IP-HTTPS interfaces are present on the host. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. -If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. +- If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. @@ -374,7 +372,7 @@ If you disable or do not configure this policy setting, the local host setting i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -413,9 +411,9 @@ If you disable or do not configure this policy setting, the local host setting i This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. -If you enable this policy setting, you can configure ISATAP with one of the following settings: +- If you enable this policy setting, you can configure ISATAP with one of the following settings: Policy Default State: No ISATAP interfaces are present on the host. @@ -439,7 +437,7 @@ Policy Disabled State: No ISATAP interfaces are present on the host. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -478,9 +476,9 @@ Policy Disabled State: No ISATAP interfaces are present on the host. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. -If you enable this policy setting, you can customize a UDP port for the Teredo client. +- If you enable this policy setting, you can customize a UDP port for the Teredo client. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. @@ -498,7 +496,7 @@ If you disable or do not configure this policy setting, the local host setting i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -537,7 +535,7 @@ If you disable or do not configure this policy setting, the local host setting i This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. -If you disable or do not configure this policy setting, the local host setting is used. +- If you disable or do not configure this policy setting, the local host setting is used. This policy setting contains only one state: @@ -559,7 +557,7 @@ Policy Enabled State: If Default Qualified is enabled, Teredo will attempt quali > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -598,11 +596,12 @@ Policy Enabled State: If Default Qualified is enabled, Teredo will attempt quali This policy setting allows you to configure the Teredo refresh rate. -Note: On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. +> [!NOTE] +> On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. -If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. +- If you enable this policy setting, you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device, Teredo might stop working or connectivity might be intermittent. -If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. +- If you disable or do not configure this policy setting, the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds. @@ -620,7 +619,7 @@ If you disable or do not configure this policy setting, the refresh rate is conf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -659,9 +658,9 @@ If you disable or do not configure this policy setting, the refresh rate is conf This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. -If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. +- If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. -If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. +- If you disable or do not configure this policy setting, the local settings on the computer are used to determine the Teredo server name. @@ -679,7 +678,7 @@ If you disable or do not configure this policy setting, the local settings on th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -718,9 +717,9 @@ If you disable or do not configure this policy setting, the local settings on th This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. -If you disable or do not configure this policy setting, the local host settings are used. +- If you disable or do not configure this policy setting, the local host settings are used. -If you enable this policy setting, you can configure Teredo with one of the following settings: +- If you enable this policy setting, you can configure Teredo with one of the following settings: Default: The default state is "Client." @@ -746,7 +745,7 @@ Enterprise Client: The Teredo interface is always present, even if the host is o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -785,11 +784,11 @@ Enterprise Client: The Teredo interface is always present, even if the host is o This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. -If you do not configure this policy setting, the local host settings are used. +- If you do not configure this policy setting, the local host settings are used. -If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectivity and throughput problems and take appropriate measures. +- If you enable this policy setting, Window Scaling Heuristics will be enabled and system will try to identify connectivity and throughput problems and take appropriate measures. -If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems casued by Firewalls or other middle boxes. +- If you disable this policy setting, Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems casued by Firewalls or other middle boxes. @@ -807,7 +806,7 @@ If you disable this policy setting, Window Scaling Heuristics will be disabled a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index f0b95d516f..e293e8cf71 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1,10 +1,10 @@ --- title: ADMX_TerminalServer Policy CSP -description: Learn more about the ADMX_TerminalServer Area in Policy CSP +description: Learn more about the ADMX_TerminalServer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -174,7 +174,7 @@ A certificate is needed to authenticate an RD Session Host server when TLS 1.0, If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. -If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. +- If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. > [!NOTE] > If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. @@ -863,7 +863,8 @@ By default, Remote Desktop Services automatically designates the client default -This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. +This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. +- If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. @@ -921,9 +922,9 @@ This policy setting specifies whether the Remote Desktop Connection can use hard Controls whether a user can save passwords using Remote Desktop Connection. -If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. +- If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection +- If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection @@ -3817,7 +3818,8 @@ Do not connect if authentication fails: The client establishes a connection to t -This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. +This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. +- If you disable or do not configure this policy, we will always use software encoding. @@ -5413,7 +5415,7 @@ UI Automation gives programs access to most UI elements, which lets you use assi Remote Desktop sessions don't currently support UI Automation redirection. -If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session. +- If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session. - If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index c4d4ef836d..8e006a237e 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -1,10 +1,10 @@ --- title: ADMX_Thumbnails Policy CSP -description: Learn more about the ADMX_Thumbnails Area in Policy CSP +description: Learn more about the ADMX_Thumbnails Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Thumbnails > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ This policy setting allows you to configure how File Explorer displays thumbnail File Explorer displays thumbnail images by default. -If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. +- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. -If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. +- If you disable or do not configure this policy setting, File Explorer displays only thumbnail images. @@ -68,7 +66,7 @@ If you disable or do not configure this policy setting, File Explorer displays o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,9 +108,9 @@ This policy setting allows you to configure how File Explorer displays thumbnail File Explorer displays thumbnail images on network folders by default. -If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. +- If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. -If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. +- If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders. @@ -130,7 +128,7 @@ If you disable or do not configure this policy setting, File Explorer displays o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -172,9 +170,9 @@ Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. -If you enable this policy setting, File Explorer does not create, read from, or write to thumbs.db files. +- If you enable this policy setting, File Explorer does not create, read from, or write to thumbs.db files. -If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. +- If you disable or do not configure this policy setting, File Explorer creates, reads from, and writes to thumbs.db files. @@ -192,7 +190,7 @@ If you disable or do not configure this policy setting, File Explorer creates, r > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index bf55bebadf..28c4c48fb4 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -1,10 +1,10 @@ --- title: ADMX_TouchInput Policy CSP -description: Learn more about the ADMX_TouchInput Area in Policy CSP +description: Learn more about the ADMX_TouchInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TouchInput > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,137 +25,6 @@ ms.topic: reference - -## PanningEverywhereOff_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/PanningEverywhereOff_2 -``` - - - - -Turn off Panning -Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. - -If you enable this setting, the user will not be able to pan windows by touch. - -If you disable this setting, the user can pan windows by touch. - -If you do not configure this setting, Touch Panning is on by default. - -Note: Changes to this setting will not take effect until the user logs off. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | SingleFingerPanningOff | -| Friendly Name | Turn off Touch Panning | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Touch Input | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | TurnOffPanning | -| ADMX File Name | TouchInput.admx | - - - - - - - - - -## TouchInputOff_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/TouchInputOff_2 -``` - - - - -Turn off Tablet PC touch input - -Turns off touch input, which allows the user to interact with their computer using their finger. - -If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. - -If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. - -If you do not configure this setting, touch input is on by default. - -Note: Changes to this setting will not take effect until the user logs off. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TouchInputOff | -| Friendly Name | Turn off Tablet PC touch input | -| Location | Computer Configuration | -| Path | WindowsComponents > Tablet PC > Touch Input | -| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | -| Registry Value Name | TurnOffTouchInput | -| ADMX File Name | TouchInput.admx | - - - - - - - - ## PanningEverywhereOff_1 @@ -178,13 +45,14 @@ Note: Changes to this setting will not take effect until the user logs off. Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. -If you enable this setting, the user will not be able to pan windows by touch. +- If you enable this setting, the user will not be able to pan windows by touch. -If you disable this setting, the user can pan windows by touch. +- If you disable this setting, the user can pan windows by touch. -If you do not configure this setting, Touch Panning is on by default. +- If you do not configure this setting, Touch Panning is on by default. -Note: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -202,13 +70,13 @@ Note: Changes to this setting will not take effect until the user logs off. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | SingleFingerPanningOff | +| Name | PanningEverywhereOff_1 | | Friendly Name | Turn off Touch Panning | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Touch Input | @@ -223,6 +91,72 @@ Note: Changes to this setting will not take effect until the user logs off. + +## PanningEverywhereOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/PanningEverywhereOff_2 +``` + + + + +Turn off Panning +Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. + +- If you enable this setting, the user will not be able to pan windows by touch. + +- If you disable this setting, the user can pan windows by touch. + +- If you do not configure this setting, Touch Panning is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PanningEverywhereOff_2 | +| Friendly Name | Turn off Touch Panning | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffPanning | +| ADMX File Name | TouchInput.admx | + + + + + + + + ## TouchInputOff_1 @@ -244,13 +178,14 @@ Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. -If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. -If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. -If you do not configure this setting, touch input is on by default. +- If you do not configure this setting, touch input is on by default. -Note: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -268,13 +203,13 @@ Note: Changes to this setting will not take effect until the user logs off. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TouchInputOff | +| Name | TouchInputOff_1 | | Friendly Name | Turn off Tablet PC touch input | | Location | User Configuration | | Path | WindowsComponents > Tablet PC > Touch Input | @@ -289,6 +224,73 @@ Note: Changes to this setting will not take effect until the user logs off. + +## TouchInputOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_TouchInput/TouchInputOff_2 +``` + + + + +Turn off Tablet PC touch input + +Turns off touch input, which allows the user to interact with their computer using their finger. + +- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. + +- If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. + +- If you do not configure this setting, touch input is on by default. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TouchInputOff_2 | +| Friendly Name | Turn off Tablet PC touch input | +| Location | Computer Configuration | +| Path | WindowsComponents > Tablet PC > Touch Input | +| Registry Key Name | SOFTWARE\Policies\Microsoft\TabletPC | +| Registry Value Name | TurnOffTouchInput | +| ADMX File Name | TouchInput.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index e130165336..9237bb81e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -1,10 +1,10 @@ --- title: ADMX_TPM Policy CSP -description: Learn more about the ADMX_TPM Area in Policy CSP +description: Learn more about the ADMX_TPM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_TPM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. -If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. +- If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. -If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. +- If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, only those TPM commands > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -104,7 +102,7 @@ If you disable or do not configure this policy setting, only those TPM commands -This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. @@ -122,7 +120,7 @@ This policy setting configures the system to prompt the user to clear the TPM if > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -162,11 +160,11 @@ This policy setting configures the system to prompt the user to clear the TPM if This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. +- If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. +- If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands. @@ -184,7 +182,7 @@ If you disable or do not configure this policy setting, Windows will block the T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -224,11 +222,11 @@ If you disable or do not configure this policy setting, Windows will block the T This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. -If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. +- If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. +- If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands. @@ -246,7 +244,7 @@ If you disable or do not configure this policy setting, Windows will block the T > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -302,7 +300,7 @@ This group policy enables Device Health Attestation reporting (DHA-report) on su > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -344,7 +342,7 @@ This policy setting configures how much of the TPM owner authorization informati You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. -If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. +- If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used. @@ -352,7 +350,8 @@ Choose the operating system managed TPM authentication setting of "Delegated" to Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications. -Note: If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. +> [!NOTE] +> If the operating system managed TPM authentication setting is changed from "Full" to "Delegated", the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. @@ -370,7 +369,7 @@ Note: If the operating system managed TPM authentication setting is changed from > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -441,7 +440,7 @@ If this value is not configured, a default value of 480 minutes (8 hours) is use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -515,7 +514,7 @@ A value of zero means the OS will not allow standard users to send commands to t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -589,7 +588,7 @@ A value of zero means the OS will not allow standard users to send commands to t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -627,9 +626,7 @@ A value of zero means the OS will not allow standard users to send commands to t -This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. - -**Note** that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. +This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. **Note** that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. @@ -647,7 +644,7 @@ This policy setting configures the TPM to use the Dictionary Attack Prevention P > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index d6f1454a45..15da8637a6 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -1,10 +1,10 @@ --- title: ADMX_UserExperienceVirtualization Policy CSP -description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP +description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_UserExperienceVirtualization > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,9 +48,9 @@ ms.topic: reference This policy setting configures the synchronization of user settings of Calculator. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. -If you enable this policy setting, the Calculator user settings continue to synchronize. -If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Calculator user settings continue to synchronize. +- If you disable this policy setting, Calculator user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -70,7 +68,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -112,12 +110,12 @@ If you do not configure this policy setting, any defined values will be deleted. -This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. -When SyncMethod is set to “None,” the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. -Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users’ computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. +This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users' computers. With Sync Method set to "SyncProvider," the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. +When SyncMethod is set to "None," the UE-V Agent uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. +Set SyncMethod to "External" when an external synchronization engine is being deployed for settings sync. This could use OneDrive, Work Folders, SharePoint or any other engine that uses a local folder to synchronize data between users' computers. In this mode, UE-V writes settings data to the local folder specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take place. With notifications enabled, UE-V users receive a message when the settings sync is delayed. The notification delay policy setting defines the delay before a notification appears. -If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. -If you do not configure this policy setting, any defined values will be deleted. +- If you disable this policy setting, the sync provider is used to synchronize settings between computers and the settings storage location. +- If you do not configure this policy setting, any defined values will be deleted. @@ -135,7 +133,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -176,10 +174,10 @@ If you do not configure this policy setting, any defined values will be deleted. -This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. -If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. -If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. -If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. +This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was installed or to "last-known-good" configurations. Only enable this policy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection containing the virtual computers. +- If you enable this policy setting, the UE-V rollback state is copied to the settings storage location on logout and restored on login. +- If you disable this policy setting, no UE-V rollback state is copied to the settings storage location. +- If you do not configure this policy, no UE-V rollback state is copied to the settings storage location. @@ -197,7 +195,7 @@ If you do not configure this policy, no UE-V rollback state is copied to the set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -236,9 +234,9 @@ If you do not configure this policy, no UE-V rollback state is copied to the set This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. -If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. -If you disable this policy setting, the Company Settings Center does not display an IT Contact link. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. +- If you disable this policy setting, the Company Settings Center does not display an IT Contact link. +- If you do not configure this policy setting, any defined values will be deleted. @@ -256,7 +254,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -294,9 +292,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. -If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. -If you disable this policy setting, the Company Settings Center does not display an IT Contact link. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. +- If you disable this policy setting, the Company Settings Center does not display an IT Contact link. +- If you do not configure this policy setting, any defined values will be deleted. @@ -314,13 +312,13 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ContactITURL | +| Name | ContactITUrl | | Friendly Name | Contact IT URL | | Location | Computer Configuration | | Path | Windows Components > Microsoft User Experience Virtualization | @@ -357,10 +355,11 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. -If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps. -If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. -If you do not configure this policy setting, any defined values are deleted. -Note: If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. +- If you enable this policy setting, the UE-V Agent will not synchronize settings for Windows apps. +- If you disable this policy setting, the UE-V Agent will synchronize settings for Windows apps. +- If you do not configure this policy setting, any defined values are deleted. +> [!NOTE] +> If the user connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows. @@ -378,7 +377,7 @@ Note: If the user connects their Microsoft account for their computer then the U > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -422,9 +421,9 @@ Note: If the user connects their Microsoft account for their computer then the U This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. -If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. -If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. +- If you disable this policy setting, all Windows Settings are excluded from the settings synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -442,7 +441,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -497,7 +496,7 @@ This policy setting allows you to enable or disable User Experience Virtualizati > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -541,9 +540,9 @@ This policy setting allows you to enable or disable User Experience Virtualizati This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. -If you enable this policy setting, Finance user settings continue to sync. -If you disable this policy setting, Finance user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Finance user settings continue to sync. +- If you disable this policy setting, Finance user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -561,7 +560,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -603,7 +602,7 @@ This policy setting enables a notification in the system tray that appears when By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. With this setting disabled, no notification appears. -If you do not configure this policy setting, any defined values are deleted. +- If you do not configure this policy setting, any defined values are deleted. @@ -621,7 +620,7 @@ If you do not configure this policy setting, any defined values are deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -665,9 +664,9 @@ If you do not configure this policy setting, any defined values are deleted. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. -If you enable this policy setting, Games user settings continue to sync. -If you disable this policy setting, Games user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Games user settings continue to sync. +- If you disable this policy setting, Games user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -685,7 +684,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -729,9 +728,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. -If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. -If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 10 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -749,7 +748,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -793,9 +792,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. -If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. -If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 11 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -813,7 +812,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -857,9 +856,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. -If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. -If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Internet Explorer 8 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 8 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -877,7 +876,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -921,9 +920,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. -If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. -If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. +- If you disable this policy setting, Internet Explorer 9 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -941,7 +940,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -985,9 +984,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. -If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. -If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. +- If you disable this policy setting, the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1005,7 +1004,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1048,9 +1047,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. -If you enable this policy setting, Maps user settings continue to sync. -If you disable this policy setting, Maps user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Maps user settings continue to sync. +- If you disable this policy setting, Maps user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1068,7 +1067,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1111,8 +1110,8 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. -If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. -If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. +- If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. +- If you disable or do not configure this policy setting, no event is written to the event log to report settings package size. @@ -1130,7 +1129,7 @@ If you disable or do not configure this policy setting, no event is written to t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1173,9 +1172,9 @@ If you disable or do not configure this policy setting, no event is written to t This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Access 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1193,7 +1192,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1236,9 +1235,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. -If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. -If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. +- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2010 applications are enabled, this policy setting should not be disabled +- If you do not configure this policy setting, any defined values will be deleted. @@ -1256,7 +1255,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1299,9 +1298,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Excel 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1319,7 +1318,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1362,9 +1361,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. -If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft InfoPath 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1382,7 +1381,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1425,9 +1424,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Lync 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1445,7 +1444,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1489,9 +1488,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. -If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft OneNote 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1509,7 +1508,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1552,9 +1551,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Outlook 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1572,7 +1571,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1615,9 +1614,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. -If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1635,7 +1634,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1678,9 +1677,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Project 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1698,7 +1697,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1741,9 +1740,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Publisher 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1761,7 +1760,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1804,9 +1803,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. -If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1824,7 +1823,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1867,9 +1866,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. -If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft SharePoint Workspace 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1887,7 +1886,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1930,9 +1929,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Visio 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -1950,7 +1949,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1993,9 +1992,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. -If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. -If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Word 2010 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2013,7 +2012,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2056,9 +2055,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Access 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2076,7 +2075,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2119,9 +2118,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Access 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2139,7 +2138,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2182,9 +2181,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. -If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. -If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. +- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2013 applications are enabled, this policy setting should not be disabled. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2202,7 +2201,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2245,9 +2244,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. -If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. -If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. +- If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2265,7 +2264,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2308,9 +2307,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Excel 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Excel 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2328,7 +2327,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2371,9 +2370,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Excel 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2391,7 +2390,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2434,9 +2433,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. -If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft InfoPath 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2454,7 +2453,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2497,9 +2496,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. -If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft InfoPath 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2517,7 +2516,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2560,9 +2559,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Lync 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2580,7 +2579,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2623,9 +2622,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Lync 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2643,7 +2642,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2686,9 +2685,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. -If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. -If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. +- If you disable this policy setting, OneDrive for Business 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2706,7 +2705,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2749,9 +2748,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. -If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft OneNote 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2769,7 +2768,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2812,9 +2811,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. -If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft OneNote 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2832,7 +2831,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2875,9 +2874,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Outlook 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2895,7 +2894,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2938,9 +2937,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Outlook 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -2958,7 +2957,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3001,9 +3000,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. -If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft PowerPoint 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3021,7 +3020,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3064,9 +3063,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. -If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft PowerPoint 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3084,7 +3083,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3127,9 +3126,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Project 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3147,7 +3146,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3190,9 +3189,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Project 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3210,7 +3209,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3253,9 +3252,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Publisher 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3273,7 +3272,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3316,9 +3315,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Publisher 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3336,7 +3335,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3379,9 +3378,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. -If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3399,7 +3398,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3442,9 +3441,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. -If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3462,7 +3461,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3505,9 +3504,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. -If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. -If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. +- If you disable this policy setting, Microsoft Office 2013 Upload Center user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3525,7 +3524,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3568,9 +3567,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Visio 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3588,7 +3587,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3631,9 +3630,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Visio 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3651,7 +3650,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3694,9 +3693,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. -If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. -If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Word 2013 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3714,7 +3713,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3757,9 +3756,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. -If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Word 2013 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3777,7 +3776,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3820,9 +3819,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Access 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3840,7 +3839,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3883,9 +3882,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Access 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3903,7 +3902,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3946,9 +3945,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. -If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. -If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. +- If you disable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Microsoft Office Suite 2016 applications are enabled, this policy setting should not be disabled. +- If you do not configure this policy setting, any defined values will be deleted. @@ -3966,7 +3965,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4009,9 +4008,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. -If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. -If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. +- If you disable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4029,7 +4028,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4072,9 +4071,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Excel 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4092,7 +4091,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4135,9 +4134,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Excel 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4155,7 +4154,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4198,9 +4197,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Lync 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4218,7 +4217,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4261,9 +4260,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Lync 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4281,7 +4280,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4324,9 +4323,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. -If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. -If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. +- If you disable this policy setting, OneDrive for Business 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4344,7 +4343,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4387,9 +4386,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. -If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft OneNote 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4407,7 +4406,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4450,9 +4449,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. -If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft OneNote 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4470,7 +4469,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4513,9 +4512,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Outlook 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4533,7 +4532,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4576,9 +4575,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Outlook 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4596,7 +4595,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4639,9 +4638,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. -If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft PowerPoint 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4659,7 +4658,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4702,9 +4701,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. -If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft PowerPoint 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4722,7 +4721,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4765,9 +4764,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Project 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4785,7 +4784,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4828,9 +4827,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Project 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4848,7 +4847,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4891,9 +4890,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Publisher 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4911,7 +4910,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4954,9 +4953,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Publisher 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -4974,7 +4973,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5017,9 +5016,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. -If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. -If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. +- If you disable this policy setting, Microsoft Office 2016 Upload Center user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5037,7 +5036,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5080,9 +5079,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Visio 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5100,7 +5099,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5143,9 +5142,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Visio 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5163,7 +5162,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5206,9 +5205,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. -If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. -If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. +- If you disable this policy setting, Microsoft Word 2016 user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5226,7 +5225,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5269,9 +5268,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. -If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. -If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. +- If you disable this policy setting, certain user settings of Microsoft Word 2016 will not be backed up. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5289,7 +5288,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5331,10 +5330,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5352,7 +5351,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5394,10 +5393,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5415,7 +5414,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5457,10 +5456,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. -If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. -If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +- If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. +- If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5478,7 +5477,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5520,10 +5519,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. -If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. -If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +- If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. +- If you disable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5541,7 +5540,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5583,10 +5582,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5604,7 +5603,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5646,10 +5645,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5667,7 +5666,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5709,10 +5708,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5730,7 +5729,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5772,10 +5771,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5793,7 +5792,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5835,10 +5834,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5856,7 +5855,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5898,10 +5897,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5919,7 +5918,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -5961,10 +5960,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -5982,7 +5981,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6024,10 +6023,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6045,7 +6044,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6087,10 +6086,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6108,7 +6107,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6150,10 +6149,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6171,7 +6170,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6213,10 +6212,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6234,7 +6233,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6276,10 +6275,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6297,7 +6296,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6339,10 +6338,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6360,7 +6359,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6402,10 +6401,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6423,7 +6422,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6465,10 +6464,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6486,7 +6485,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6528,10 +6527,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6549,7 +6548,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6591,10 +6590,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6612,7 +6611,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6654,10 +6653,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6675,7 +6674,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6717,10 +6716,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6738,7 +6737,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6780,10 +6779,10 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. -Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. -If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. -If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. -If you do not configure this policy setting, any defined values will be deleted. +Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user's work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +- If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. +- If you disable this policy setting, Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6801,7 +6800,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6844,9 +6843,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. -If you enable this policy setting, Music user settings continue to sync. -If you disable this policy setting, Music user settings are excluded from the synchronizing settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Music user settings continue to sync. +- If you disable this policy setting, Music user settings are excluded from the synchronizing settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6864,7 +6863,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6908,9 +6907,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. -If you enable this policy setting, News user settings continue to sync. -If you disable this policy setting, News user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, News user settings continue to sync. +- If you disable this policy setting, News user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6928,7 +6927,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -6972,9 +6971,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. -If you enable this policy setting, the Notepad user settings continue to synchronize. -If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the Notepad user settings continue to synchronize. +- If you disable this policy setting, Notepad user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -6992,7 +6991,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7036,9 +7035,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. -If you enable this policy setting, Reader user settings continue to sync. -If you disable this policy setting, Reader user settings are excluded from the synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Reader user settings continue to sync. +- If you disable this policy setting, Reader user settings are excluded from the synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7056,7 +7055,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7100,8 +7099,8 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. -If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. -If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. +- If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. +- If you disable or do not configure this policy setting, the default value of 2000 milliseconds is used. @@ -7119,7 +7118,7 @@ If you disable or do not configure this policy setting, the default value of 200 > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7161,8 +7160,8 @@ If you disable or do not configure this policy setting, the default value of 200 This policy setting configures where the settings package files that contain user settings are stored. -If you enable this policy setting, the user settings are stored in the specified location. -If you disable or do not configure this policy setting, the user settings are stored in the user’s home directory if configured for your environment. +- If you enable this policy setting, the user settings are stored in the specified location. +- If you disable or do not configure this policy setting, the user settings are stored in the user's home directory if configured for your environment. @@ -7180,7 +7179,7 @@ If you disable or do not configure this policy setting, the user settings are st > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7218,11 +7217,12 @@ If you disable or do not configure this policy setting, the user settings are st This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. -If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. +- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored. If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used. -If you disable this policy setting, the UE-V Agent will not use the custom settings location templates. If you disable this policy setting after it has been enabled, the UE-V Agent will not restore the default Microsoft templates. -If you do not configure this policy setting, any defined values will be deleted. +- If you disable this policy setting, the UE-V Agent will not use the custom settings location templates. +- If you disable this policy setting after it has been enabled, the UE-V Agent will not restore the default Microsoft templates. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7240,7 +7240,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7283,9 +7283,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. -If you enable this policy setting, Sports user settings continue to sync. -If you disable this policy setting, Sports user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Sports user settings continue to sync. +- If you disable this policy setting, Sports user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7303,7 +7303,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7363,7 +7363,7 @@ This policy setting allows you to enable or disable User Experience Virtualizati > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7409,7 +7409,7 @@ This policy setting defines whether the User Experience Virtualization (UE-V) Ag By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. With this setting disabled, the UE-V Agent does not synchronize settings over a metered connection. -If you do not configure this policy setting, any defined values are deleted. +- If you do not configure this policy setting, any defined values are deleted. @@ -7427,13 +7427,13 @@ If you do not configure this policy setting, any defined values are deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | SyncSettingsOverMetered | +| Name | SyncOverMeteredNetwork | | Friendly Name | Sync settings over metered connections | | Location | Computer and User Configuration | | Path | Windows Components > Microsoft User Experience Virtualization | @@ -7473,7 +7473,7 @@ This policy setting defines whether the User Experience Virtualization (UE-V) Ag By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. With this setting disabled, the UE-V Agent will not synchronize settings over a metered connection that is roaming. -If you do not configure this policy setting, any defined values are deleted. +- If you do not configure this policy setting, any defined values are deleted. @@ -7491,13 +7491,13 @@ If you do not configure this policy setting, any defined values are deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | SyncSettingsOverMeteredRoaming | +| Name | SyncOverMeteredNetworkWhenRoaming | | Friendly Name | Sync settings over metered connections even when roaming | | Location | Computer and User Configuration | | Path | Windows Components > Microsoft User Experience Virtualization | @@ -7533,10 +7533,10 @@ If you do not configure this policy setting, any defined values are deleted. -This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. -If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. -If you disable this policy setting, the sync provider doesn’t ping the settings storage location before synchronizing settings packages. -If you do not configure this policy, any defined values will be deleted. +This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn't attempt the synchronization. +- If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. +- If you disable this policy setting, the sync provider doesn't ping the settings storage location before synchronizing settings packages. +- If you do not configure this policy, any defined values will be deleted. @@ -7554,7 +7554,7 @@ If you do not configure this policy, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7596,7 +7596,7 @@ This policy setting defines the default settings sync behavior of the User Exper By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. With this setting disabled, only the settings of the Windows apps set to synchronize in the Windows App List are synchronized. -If you do not configure this policy setting, any defined values are deleted. +- If you do not configure this policy setting, any defined values are deleted. @@ -7614,7 +7614,7 @@ If you do not configure this policy setting, any defined values are deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7658,9 +7658,9 @@ If you do not configure this policy setting, any defined values are deleted. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. -If you enable this policy setting, Travel user settings continue to sync. -If you disable this policy setting, Travel user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Travel user settings continue to sync. +- If you disable this policy setting, Travel user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7678,7 +7678,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7718,7 +7718,7 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. -If you do not configure this policy setting, any defined values are deleted. +- If you do not configure this policy setting, any defined values are deleted. @@ -7736,7 +7736,7 @@ If you do not configure this policy setting, any defined values are deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7780,9 +7780,9 @@ If you do not configure this policy setting, any defined values are deleted. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. -If you enable this policy setting, Video user settings continue to sync. -If you disable this policy setting, Video user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Video user settings continue to sync. +- If you disable this policy setting, Video user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7800,7 +7800,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7844,9 +7844,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. -If you enable this policy setting, Weather user settings continue to sync. -If you disable this policy setting, Weather user settings are excluded from synchronization. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, Weather user settings continue to sync. +- If you disable this policy setting, Weather user settings are excluded from synchronization. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7864,7 +7864,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -7908,9 +7908,9 @@ If you do not configure this policy setting, any defined values will be deleted. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. -If you enable this policy setting, the WordPad user settings continue to synchronize. -If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. -If you do not configure this policy setting, any defined values will be deleted. +- If you enable this policy setting, the WordPad user settings continue to synchronize. +- If you disable this policy setting, WordPad user settings are excluded from the synchronization settings. +- If you do not configure this policy setting, any defined values will be deleted. @@ -7928,7 +7928,7 @@ If you do not configure this policy setting, any defined values will be deleted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 76aa3acf58..1f26fcf32f 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -1,10 +1,10 @@ --- title: ADMX_UserProfiles Policy CSP -description: Learn more about the ADMX_UserProfiles Area in Policy CSP +description: Learn more about the ADMX_UserProfiles Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,9 +47,9 @@ This policy setting allows an administrator to automatically delete user profile > [!NOTE] > One day is interpreted as 24 hours after a specific user profile was accessed. -If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. +- If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. -If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. +- If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. @@ -109,9 +109,9 @@ This policy setting controls whether Windows forcefully unloads the user's regis > [!NOTE] > This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. -If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. +- If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. -If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. +- If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. @@ -171,9 +171,9 @@ This policy setting determines whether the system retains a roaming user's Windo By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. -If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. +- If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. -If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. +- If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. > [!NOTE] > If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. @@ -234,9 +234,9 @@ If you disable or do not configure this policy setting, Windows will delete the This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. -If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. +- If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. -If you enable this policy setting, you can: +- If you enable this policy setting, you can: - Set a maximum permitted user profile size. - Determine whether the registry files are included in the calculation of the profile size. @@ -305,9 +305,9 @@ This policy setting will automatically log off a user when Windows cannot load t If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from loggin on the user with a temporary profile. -If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. +- If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. -If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. +- If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. Also, see the "Delete cached copies of roaming profiles" policy setting. @@ -371,9 +371,9 @@ To determine the network performance characteristics, a connection is made to th This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load. -If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. +- If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections +- If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections > [!IMPORTANT] > If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. @@ -433,7 +433,7 @@ If you disable or do not configure this policy setting, Windows considers the ne This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. -If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. +- If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. To use this policy setting, in the Location list, choose the location for the home folder. If you choose "On the network," enter the path to a file share in the Path box (for example, \\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose "On the local computer," enter a local path (for example, C:\HomeFolder) in the Path box. @@ -442,7 +442,7 @@ Do not specify environment variables or ellipses in the path. Also, do not speci > [!NOTE] > The Drive letter box is ignored if you choose "On the local computer" from the Location list. If you choose "On the local computer" and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. -If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. +- If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the "Set user home folder" policy setting has no effect. @@ -501,7 +501,7 @@ If the "Set Remote Desktop Services User Home Directory" policy setting is enabl This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. -If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: +- If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index edcaa8f353..48ea1bbd7f 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -1,10 +1,10 @@ --- title: ADMX_W32Time Policy CSP -description: Learn more about the ADMX_W32Time Area in Policy CSP +description: Learn more about the ADMX_W32Time Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/22/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_W32Time > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. -If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. +- If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. For more details on individual parameters, combinations of parameter values as well as definitions of flags, see . @@ -142,7 +140,7 @@ This parameter controls the frequency at which an event that indicates the numbe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -181,12 +179,12 @@ This parameter controls the frequency at which an event that indicates the numbe This policy setting specifies a set of parameters for controlling the Windows NTP Client. -If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. +- If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. -If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. +- If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. NtpServer -The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09". Type This value controls the authentication that W32time uses. The default value is NT5DS. @@ -222,7 +220,7 @@ This value is a bitmask that controls events that may be logged to the System lo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -263,9 +261,9 @@ This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. -If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. +- If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. -If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. +- If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. @@ -283,7 +281,7 @@ If you disable or do not configure this policy setting, the local computer clock > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -323,10 +321,9 @@ If you disable or do not configure this policy setting, the local computer clock This policy setting allows you to specify whether the Windows NTP Server is enabled. -If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. +- If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. - -If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. +- If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. @@ -344,7 +341,7 @@ If you disable or do not configure this policy setting, your computer cannot ser > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index e8d98b99a4..f572e7a8d8 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -1,10 +1,10 @@ --- title: ADMX_WCM Policy CSP -description: Learn more about the ADMX_WCM Area in Policy CSP +description: Learn more about the ADMX_WCM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/22/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WCM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting specifies that power management is disabled when the machine enters connected standby mode. -If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. +- If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. -If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. +- If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. @@ -66,7 +64,7 @@ If this policy setting is not configured or is disabled, power management is ena > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,9 +104,9 @@ If this policy setting is not configured or is disabled, power management is ena This policy setting determines whether Windows will soft-disconnect a computer from a network. -If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. +- If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. -If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. +- If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. When soft disconnect is enabled: - When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. @@ -133,7 +131,7 @@ This policy setting depends on other group policy settings. For example, if 'Min > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -173,13 +171,13 @@ This policy setting depends on other group policy settings. For example, if 'Min This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. -If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. +- If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. -If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8. +- If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8. -If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). +- If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). -If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. +- If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. @@ -199,7 +197,7 @@ This policy setting is related to the "Enable Windows to soft-disconnect a compu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index 2bcd87284a..7091d18390 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -1,10 +1,10 @@ --- title: ADMX_WDI Policy CSP -description: Learn more about the ADMX_WDI Area in Policy CSP +description: Learn more about the ADMX_WDI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/22/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WDI > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. -If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. +- If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached. -If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. +- If you disable or do not configure this policy setting, the DPS deletes scenario data once it exceeds 128 megabytes in size. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. @@ -70,7 +68,7 @@ This policy setting will only take effect when the Diagnostic Policy Service is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,11 +108,11 @@ This policy setting will only take effect when the Diagnostic Policy Service is This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios. -If you enable this policy setting, you must select an execution level from the drop-down menu. If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. +- If you enable this policy setting, you must select an execution level from the drop-down menu. If you select problem detection and troubleshooting only, the DPS will detect problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will attempt to automatically fix problems it detects or indicate to the user that assisted resolution is available. -If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. +- If you disable this policy setting, Windows cannot detect, troubleshoot, or resolve any problems that are handled by the DPS. -If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. +- If you do not configure this policy setting, the DPS enables all scenarios for resolution by default, unless you configure separate scenario-specific policy settings. This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured. @@ -136,7 +134,7 @@ No reboots or service restarts are required for this policy setting to take effe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index da49521c40..874461182f 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -1,10 +1,10 @@ --- title: ADMX_WinCal Policy CSP -description: Learn more about the ADMX_WinCal Area in Policy CSP +description: Learn more about the ADMX_WinCal Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/22/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WinCal > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,68 +25,6 @@ ms.topic: reference - -## TurnOffWinCal_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WinCal/TurnOffWinCal_2 -``` - - - - -Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. - -If you enable this setting, Windows Calendar will be turned off. - -If you disable or do not configure this setting, Windows Calendar will be turned on. - -The default is for Windows Calendar to be turned on. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TurnOffWinCal | -| Friendly Name | Turn off Windows Calendar | -| Location | Computer Configuration | -| Path | Windows Components > Windows Calendar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Windows | -| Registry Value Name | TurnOffWinCal | -| ADMX File Name | WinCal.admx | - - - - - - - - ## TurnOffWinCal_1 @@ -108,9 +44,9 @@ The default is for Windows Calendar to be turned on. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. -If you enable this setting, Windows Calendar will be turned off. +- If you enable this setting, Windows Calendar will be turned off. -If you disable or do not configure this setting, Windows Calendar will be turned on. +- If you disable or do not configure this setting, Windows Calendar will be turned on. The default is for Windows Calendar to be turned on. @@ -130,13 +66,13 @@ The default is for Windows Calendar to be turned on. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TurnOffWinCal | +| Name | TurnOffWinCal_1 | | Friendly Name | Turn off Windows Calendar | | Location | User Configuration | | Path | Windows Components > Windows Calendar | @@ -151,6 +87,68 @@ The default is for Windows Calendar to be turned on. + +## TurnOffWinCal_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WinCal/TurnOffWinCal_2 +``` + + + + +Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. + +- If you enable this setting, Windows Calendar will be turned off. + +- If you disable or do not configure this setting, Windows Calendar will be turned on. + +The default is for Windows Calendar to be turned on. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TurnOffWinCal_2 | +| Friendly Name | Turn off Windows Calendar | +| Location | Computer Configuration | +| Path | Windows Components > Windows Calendar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Windows | +| Registry Value Name | TurnOffWinCal | +| ADMX File Name | WinCal.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 302b351101..ddc84d4371 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -1,6 +1,6 @@ --- title: ADMX_WindowsColorSystem Policy CSP -description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP +description: Learn more about the ADMX_WindowsColorSystem Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 46f5bb92e5..5cacedd443 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -1,10 +1,10 @@ --- title: ADMX_WindowsConnectNow Policy CSP -description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP +description: Learn more about the ADMX_WindowsConnectNow Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/22/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WindowsConnectNow > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,6 +25,66 @@ ms.topic: reference + +## WCN_DisableWcnUi_1 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 +``` + + + + +This policy setting prohibits access to Windows Connect Now (WCN) wizards. + +- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. + +- If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WCN_DisableWcnUi_1 | +| Friendly Name | Prohibit access of the Windows Connect Now wizards | +| Location | User Configuration | +| Path | Network > Windows Connect Now | +| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\UI | +| Registry Value Name | DisableWcnUi | +| ADMX File Name | WindowsConnectNow.admx | + + + + + + + + ## WCN_DisableWcnUi_2 @@ -46,9 +104,9 @@ ms.topic: reference This policy setting prohibits access to Windows Connect Now (WCN) wizards. -If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. +- If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. -If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. +- If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. @@ -66,13 +124,13 @@ If you disable or do not configure this policy setting, users can access the wiz > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WCN_DisableWcnUi | +| Name | WCN_DisableWcnUi_2 | | Friendly Name | Prohibit access of the Windows Connect Now wizards | | Location | Computer Configuration | | Path | Network > Windows Connect Now | @@ -108,11 +166,11 @@ This policy setting allows the configuration of wireless settings using Windows Additional options are available to allow discovery and configuration over a specific medium. -If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. +- If you enable this policy setting, additional choices are available to turn off the operations over a specific medium. -If you disable this policy setting, operations are disabled over all media. +- If you disable this policy setting, operations are disabled over all media. -If you do not configure this policy setting, operations are enabled over all media. +- If you do not configure this policy setting, operations are enabled over all media. The default for this policy setting allows operations over all media. @@ -132,7 +190,7 @@ The default for this policy setting allows operations over all media. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -153,66 +211,6 @@ The default for this policy setting allows operations over all media. - -## WCN_DisableWcnUi_1 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsConnectNow/WCN_DisableWcnUi_1 -``` - - - - -This policy setting prohibits access to Windows Connect Now (WCN) wizards. - -If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. - -If you disable or do not configure this policy setting, users can access the wizard tasks, including "Set up a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WCN_DisableWcnUi | -| Friendly Name | Prohibit access of the Windows Connect Now wizards | -| Location | User Configuration | -| Path | Network > Windows Connect Now | -| Registry Key Name | Software\Policies\Microsoft\Windows\WCN\UI | -| Registry Value Name | DisableWcnUi | -| ADMX File Name | WindowsConnectNow.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 9c89d2fe84..f0fcb85ef2 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -1,10 +1,10 @@ --- title: ADMX_WindowsExplorer Policy CSP -description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP +description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WindowsExplorer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. -If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. +- If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. -If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. +- If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. -Note: If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. +> [!NOTE] +> If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. @@ -68,13 +67,13 @@ Note: If the paths point to different network shares, this policy setting is not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CheckSameSourceAndTargetForFRAndDFS_DisplayName | +| Name | CheckSameSourceAndTargetForFRAndDFS | | Friendly Name | Verify old and new Folder Redirection targets point to the same share before redirecting | | Location | Computer Configuration | | Path | WindowsComponents > File Explorer | @@ -89,6 +88,132 @@ Note: If the paths point to different network shares, this policy setting is not + +## ClassicShell + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ClassicShell +``` + + + + +This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. + +- If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. + +- If you disable or not configure this policy, the default File Explorer behavior is applied to the user. + +> [!NOTE] +> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. + +Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ClassicShell | +| Friendly Name | Turn on Classic Shell | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ClassicShell | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ConfirmFileDelete + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ConfirmFileDelete +``` + + + + +Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. + +- If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. + +- If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfirmFileDelete | +| Friendly Name | Display confirmation dialog when deleting files | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | ConfirmFileDelete | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## DefaultLibrariesLocation @@ -112,9 +237,9 @@ Note: If the paths point to different network shares, this policy setting is not This policy setting allows you to specify a location where all default Library definition files for users/machines reside. -If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. +- If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. -If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. +- If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. @@ -132,7 +257,7 @@ If you disable or do not configure this policy setting, no changes are made to t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -193,13 +318,13 @@ This disables access to user-defined properties, and properties stored in NTFS s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableBindDirectlyToPropertySetStorage_DisplayName | +| Name | DisableBindDirectlyToPropertySetStorage | | Friendly Name | Disable binding directly to IPropertySetStorage without intermediate layers. | | Location | Computer and User Configuration | | Path | WindowsComponents > File Explorer | @@ -214,6 +339,195 @@ This disables access to user-defined properties, and properties stored in NTFS s + +## DisableIndexedLibraryExperience + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableIndexedLibraryExperience +``` + + + + +This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. +- If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. +Setting this policy will: +* Disable all Arrangement views except for "By Folder" +* Disable all Search filter suggestions other than "Date Modified" and "Size" +* Disable view of file content snippets in Content mode when search results are returned +* Disable ability to stack in the Context menu and Column headers +* Exclude Libraries from the scope of Start search +This policy will not enable users to add unsupported locations to Libraries. + +- If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. +- If you disable or do not configure this policy, all default Windows Libraries features will be enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableIndexedLibraryExperience | +| Friendly Name | Turn off Windows Libraries features that rely on indexed file data | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableIndexedLibraryExperience | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## DisableKnownFolders + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableKnownFolders +``` + + + + +This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. + +You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. + +> [!NOTE] +> Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableKnownFolders | +| Friendly Name | Disable Known Folders | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableKnownFolders | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## DisableSearchBoxSuggestions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableSearchBoxSuggestions +``` + + + + +Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. + +File Explorer shows suggestion pop-ups as users type into the Search Box. These suggestions are based on their past entries into the Search Box. + +> [!NOTE] +> If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSearchBoxSuggestions | +| Friendly Name | Turn off display of recent search entries in the File Explorer search box | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableSearchBoxSuggestions | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## EnableShellShortcutIconRemotePath @@ -233,11 +547,12 @@ This disables access to user-defined properties, and properties stored in NTFS s This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. -If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. +- If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. -If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. +- If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. -Note: Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. +> [!NOTE] +> Allowing the use of remote paths in file shortcut icons can expose users' computers to security risks. @@ -255,13 +570,13 @@ Note: Allowing the use of remote paths in file shortcut icons can expose users > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | EnableShellShortcutIconRemotePath_DisplayName | +| Name | EnableShellShortcutIconRemotePath | | Friendly Name | Allow the use of remote paths in file shortcut icons | | Location | Computer Configuration | | Path | WindowsComponents > File Explorer | @@ -297,25 +612,24 @@ This policy allows you to turn Windows Defender SmartScreen on or off. SmartScre Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. -If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: +- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: -• Warn and prevent bypass -• Warn +- Warn and prevent bypass +- Warn -If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. +- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. -If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. +- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. -If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. +- If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. -If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. +- If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. For more information, see [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview). - @@ -329,7 +643,7 @@ For more information, see [Microsoft Defender SmartScreen](/windows/security/thr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -350,6 +664,69 @@ For more information, see [Microsoft Defender SmartScreen](/windows/security/thr + +## EnforceShellExtensionSecurity + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnforceShellExtensionSecurity +``` + + + + +This setting is designed to ensure that shell extensions can operate on a per-user basis. +- If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. + +A shell extension only runs if there is an entry in at least one of the following locations in registry. + +For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + +For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | EnforceShellExtensionSecurity | +| Friendly Name | Allow only per user or approved shell extensions | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | EnforceShellExtensionSecurity | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## ExplorerRibbonStartsMinimized @@ -371,7 +748,9 @@ For more information, see [Microsoft Defender SmartScreen](/windows/security/thr -This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. +This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. +- If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. +- If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. @@ -389,13 +768,13 @@ This policy setting allows you to specify whether the ribbon appears minimized o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ExplorerRibbonStartsMinimized_DisplayName | +| Name | ExplorerRibbonStartsMinimized | | Friendly Name | Start File Explorer with ribbon minimized | | Location | Computer and User Configuration | | Path | WindowsComponents > File Explorer | @@ -410,6 +789,66 @@ This policy setting allows you to specify whether the ribbon appears minimized o + +## HideContentViewModeSnippets + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/HideContentViewModeSnippets +``` + + + + +This policy setting allows you to turn off the display of snippets in Content view mode. + +- If you enable this policy setting, File Explorer will not display snippets in Content view mode. + +- If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HideContentViewModeSnippets | +| Friendly Name | Turn off the display of snippets in Content view mode | +| Location | User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HideContentViewModeSnippets | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## IZ_Policy_OpenSearchPreview_Internet @@ -433,11 +872,11 @@ This policy setting allows you to specify whether the ribbon appears minimized o This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -457,13 +896,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_Internet | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Internet Zone | @@ -501,11 +940,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -525,13 +964,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_InternetLockdown | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Internet Zone | @@ -569,11 +1008,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -593,13 +1032,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_Intranet | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Intranet Zone | @@ -637,11 +1076,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -661,13 +1100,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_IntranetLockdown | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Intranet Zone | @@ -705,11 +1144,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -729,13 +1168,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_LocalMachine | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Local Machine Zone | @@ -773,11 +1212,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -797,13 +1236,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_LocalMachineLockdown | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Local Machine Zone | @@ -841,11 +1280,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -865,13 +1304,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_Restricted | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Restricted Sites Zone | @@ -909,11 +1348,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -933,13 +1372,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_RestrictedLockdown | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Restricted Sites Zone | @@ -977,11 +1416,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -1001,13 +1440,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_Trusted | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Trusted Sites Zone | @@ -1045,11 +1484,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. -If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. -If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. +- If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. Changes to this setting may not be applied until the user logs off from Windows. @@ -1069,13 +1508,13 @@ Changes to this setting may not be applied until the user logs off from Windows. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchPreview | +| Name | IZ_Policy_OpenSearchPreview_TrustedLockdown | | Friendly Name | Allow previewing and custom thumbnails of OpenSearch query results in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Trusted Sites Zone | @@ -1113,11 +1552,11 @@ Changes to this setting may not be applied until the user logs off from Windows. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1135,13 +1574,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_Internet | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Internet Zone | @@ -1179,11 +1618,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1201,13 +1640,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_InternetLockdown | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Internet Zone | @@ -1245,11 +1684,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1267,13 +1706,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_Intranet | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Intranet Zone | @@ -1311,11 +1750,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1333,13 +1772,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_IntranetLockdown | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Intranet Zone | @@ -1377,11 +1816,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1399,13 +1838,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_LocalMachine | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Local Machine Zone | @@ -1443,11 +1882,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1465,13 +1904,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_LocalMachineLockdown | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Local Machine Zone | @@ -1509,11 +1948,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. @@ -1531,13 +1970,13 @@ If you do not configure this policy setting, users cannot perform OpenSearch que > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_Restricted | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Restricted Sites Zone | @@ -1575,11 +2014,11 @@ If you do not configure this policy setting, users cannot perform OpenSearch que This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. @@ -1597,13 +2036,13 @@ If you do not configure this policy setting, users cannot perform OpenSearch que > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_RestrictedLockdown | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Restricted Sites Zone | @@ -1641,11 +2080,11 @@ If you do not configure this policy setting, users cannot perform OpenSearch que This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1663,13 +2102,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_Trusted | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Trusted Sites Zone | @@ -1707,11 +2146,11 @@ If you do not configure this policy setting, users can perform OpenSearch querie This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. -If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. -If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. +- If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. -If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. +- If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. @@ -1729,13 +2168,13 @@ If you do not configure this policy setting, users can perform OpenSearch querie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | IZ_OpenSearchQuery | +| Name | IZ_Policy_OpenSearchQuery_TrustedLockdown | | Friendly Name | Allow OpenSearch queries in File Explorer | | Location | Computer and User Configuration | | Path | IZ_SecurityPage > Locked-Down Trusted Sites Zone | @@ -1750,745 +2189,6 @@ If you do not configure this policy setting, users can perform OpenSearch querie - -## NoNewAppAlert - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoNewAppAlert -``` - - - - -This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:) - -If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoNewAppAlert | -| Friendly Name | Do not show the 'new application installed' notification | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | NoNewAppAlert | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## NoStrCmpLogical - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical -``` - - - - -This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. -If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). -If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoStrCmpLogical_DisplayName | -| Friendly Name | Turn off numerical sorting in File Explorer | -| Location | Computer and User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoStrCmpLogical | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## ShellProtocolProtectedModeTitle_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 -``` - - - - -This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. - -If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. - -If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. - -If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShellProtocolProtectedModeTitle | -| Friendly Name | Turn off shell protocol protected mode | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | PreXPSP2ShellProtocolBehavior | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## ShowHibernateOption - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowHibernateOption -``` - - - - -Shows or hides hibernate from the power options menu. - -If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). - -If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. - -If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShowHibernateOption | -| Friendly Name | Show hibernate in the power options menu | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | ShowHibernateOption | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## ShowSleepOption - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowSleepOption -``` - - - - -Shows or hides sleep from the power options menu. - -If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). - -If you disable this policy setting, the sleep option will never be shown in the Power Options menu. - -If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ShowSleepOption | -| Friendly Name | Show sleep in the power options menu | -| Location | Computer Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | ShowSleepOption | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## ClassicShell - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ClassicShell -``` - - - - -This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. - -If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. -Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. - -If you disable or not configure this policy, the default File Explorer behavior is applied to the user. - -Note: In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. - -Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ClassicShell | -| Friendly Name | Turn on Classic Shell | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | ClassicShell | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## ConfirmFileDelete - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ConfirmFileDelete -``` - - - - -Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. - -If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. - -If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfirmFileDelete | -| Friendly Name | Display confirmation dialog when deleting files | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | ConfirmFileDelete | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## DisableIndexedLibraryExperience - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableIndexedLibraryExperience -``` - - - - -This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. -Setting this policy will: -* Disable all Arrangement views except for "By Folder" -* Disable all Search filter suggestions other than "Date Modified" and "Size" -* Disable view of file content snippets in Content mode when search results are returned -* Disable ability to stack in the Context menu and Column headers -* Exclude Libraries from the scope of Start search -This policy will not enable users to add unsupported locations to Libraries. - -If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. -If you disable or do not configure this policy, all default Windows Libraries features will be enabled. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableIndexedLibraryExperience_DisplayName | -| Friendly Name | Turn off Windows Libraries features that rely on indexed file data | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | DisableIndexedLibraryExperience | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## DisableKnownFolders - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableKnownFolders -``` - - - - -This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. - -You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. - -Note: Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableKnownFolders_DisplayName | -| Friendly Name | Disable Known Folders | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | DisableKnownFolders | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## DisableSearchBoxSuggestions - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/DisableSearchBoxSuggestions -``` - - - - -Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. - -File Explorer shows suggestion pop-ups as users type into the Search Box. These suggestions are based on their past entries into the Search Box. - -Note: If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSearchBoxSuggestions_DisplayName | -| Friendly Name | Turn off display of recent search entries in the File Explorer search box | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | DisableSearchBoxSuggestions | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## EnforceShellExtensionSecurity - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/EnforceShellExtensionSecurity -``` - - - - -This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. - -A shell extension only runs if there is an entry in at least one of the following locations in registry. - -For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. - -For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | EnforceShellExtensionSecurity | -| Friendly Name | Allow only per user or approved shell extensions | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | EnforceShellExtensionSecurity | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - - -## HideContentViewModeSnippets - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/HideContentViewModeSnippets -``` - - - - -This policy setting allows you to turn off the display of snippets in Content view mode. - -If you enable this policy setting, File Explorer will not display snippets in Content view mode. - -If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | HideContentViewModeSnippets_DisplayName | -| Friendly Name | Turn off the display of snippets in Content view mode | -| Location | User Configuration | -| Path | WindowsComponents > File Explorer | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | HideContentViewModeSnippets | -| ADMX File Name | WindowsExplorer.admx | - - - - - - - - ## LinkResolveIgnoreLinkInfo @@ -2510,9 +2210,9 @@ This policy setting determines whether Windows traces shortcuts back to their so Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. -If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. +- If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. -If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. +- If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. @@ -2530,7 +2230,7 @@ If you disable or do not configure this policy setting, Windows searches for the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2572,9 +2272,9 @@ If you disable or do not configure this policy setting, Windows searches for the The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. -If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. +- If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. -If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents." +- If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents." @@ -2592,7 +2292,7 @@ If you disable or do not configure this policy setting, by default, the system d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2633,13 +2333,14 @@ Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. -If you enable this policy setting, the Back button is removed from the standard Open dialog box. +- If you enable this policy setting, the Back button is removed from the standard Open dialog box. -If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. +- If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. -Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. @@ -2657,7 +2358,7 @@ Note: In Windows Vista, this policy setting applies only to applications that ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2697,11 +2398,12 @@ Note: In Windows Vista, this policy setting applies only to applications that ar This policy setting allows you to turn off caching of thumbnail pictures. -If you enable this policy setting, thumbnail views are not cached. +- If you enable this policy setting, thumbnail views are not cached. -If you disable or do not configure this policy setting, thumbnail views are cached. +- If you disable or do not configure this policy setting, thumbnail views are cached. -Note: For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. +> [!NOTE] +> For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. @@ -2719,7 +2421,7 @@ Note: For shared corporate workstations or computers where security is a top con > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2759,11 +2461,12 @@ Note: For shared corporate workstations or computers where security is a top con This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. -If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. +- If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. -If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. +- If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. -Note: This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. +> [!NOTE] +> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. @@ -2781,7 +2484,7 @@ Note: This policy setting does not prevent users from using third-party applicat > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2821,11 +2524,11 @@ Note: This policy setting does not prevent users from using third-party applicat This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. -If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. +- If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. -If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. +- If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. @@ -2843,7 +2546,7 @@ If you disable or do not configure this policy setting, users are allowed to tur > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2903,7 +2606,7 @@ Effects, such as transitory underlines, are designed to enhance the user's exper > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2943,11 +2646,11 @@ Effects, such as transitory underlines, are designed to enhance the user's exper This policy setting allows you to remove the DFS tab from File Explorer. -If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. +- If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. -If you disable or do not configure this policy setting, the DFS tab is available. +- If you disable or do not configure this policy setting, the DFS tab is available. @@ -2965,7 +2668,7 @@ If you disable or do not configure this policy setting, the DFS tab is available > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3007,13 +2710,14 @@ This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. -If you enable this policy setting, select a drive or combination of drives in the drop-down list. +- If you enable this policy setting, select a drive or combination of drives in the drop-down list. -Note: This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. +> [!NOTE] +> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. -If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. +- If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. @@ -3033,7 +2737,7 @@ Also, see the "Prevent access to drives from My Computer" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3072,13 +2776,14 @@ Also, see the "Prevent access to drives from My Computer" policy setting. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. -If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. +- If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. To remove computers in the user's workgroup or domain from lists of network resources, use the "No Computers Near Me in Network Locations" setting. -Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -3096,7 +2801,7 @@ Note: It is a requirement for third-party applications with Windows 2000 or late > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3154,7 +2859,7 @@ This setting does not prevent users from using other methods to perform tasks av > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3194,13 +2899,15 @@ This setting does not prevent users from using other methods to perform tasks av Removes the list of most recently used files from the Open dialog box. -If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. +- If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. +- If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. -Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -3218,7 +2925,7 @@ Note: In Windows Vista, this policy setting applies only to applications that ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3260,9 +2967,9 @@ This policy setting allows you to prevent users from accessing Folder Options th Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. -If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. +- If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. -If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. +- If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. @@ -3280,7 +2987,7 @@ If you disable or do not configure this policy setting, users can open Folder Op > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3338,7 +3045,7 @@ This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3382,7 +3089,8 @@ The Manage item opens Computer Management (Compmgmt.msc), a console tool that in This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. -Tip: To hide all context menus, use the "Remove File Explorer's default context menu" setting. +> [!TIP] +> To hide all context menus, use the "Remove File Explorer's default context menu" setting. @@ -3400,7 +3108,7 @@ Tip: To hide all context menus, use the "Remove File Explorer's default context > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3442,11 +3150,12 @@ This policy setting allows you to remove the Shared Documents folder from My Com When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. -If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. +- If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. -If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. +- If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. -Note: The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. +> [!NOTE] +> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. @@ -3464,7 +3173,7 @@ Note: The ability to remove the Shared Documents folder via Group Policy is only > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3504,15 +3213,17 @@ Note: The ability to remove the Shared Documents folder via Group Policy is only Prevents users from using File Explorer or Network Locations to map or disconnect network drives. -If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. +- If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. -Note: +> [!NOTE] +> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. -Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -3530,7 +3241,7 @@ Note: It is a requirement for third-party applications with Windows 2000 or late > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3551,6 +3262,64 @@ Note: It is a requirement for third-party applications with Windows 2000 or late + +## NoNewAppAlert + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoNewAppAlert +``` + + + + +This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:) + +If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoNewAppAlert | +| Friendly Name | Do not show the 'new application installed' notification | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoNewAppAlert | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## NoPlacesBar @@ -3574,7 +3343,8 @@ This setting, and others in this folder, lets you remove new features added in W To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. -Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -3592,7 +3362,7 @@ Note: In Windows Vista, this policy setting applies only to applications that ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3632,9 +3402,9 @@ Note: In Windows Vista, this policy setting applies only to applications that ar When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. -If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. +- If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. -If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. +- If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. @@ -3652,7 +3422,7 @@ If you disable or do not configure this setting, files and folders deleted using > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3694,9 +3464,10 @@ Prevents users from submitting alternate logon credentials to install a program. This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. -Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. +Many programs can be installed only by an administrator. +- If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. -If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. +- If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. @@ -3716,7 +3487,7 @@ By default, users are not prompted for alternate logon credentials when installi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3754,11 +3525,11 @@ By default, users are not prompted for alternate logon credentials when installi -If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. +- If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. -If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. +- If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. -If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. +- If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. @@ -3776,7 +3547,7 @@ If you do not configure this policy (default), there will be an "Internet" link > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3816,9 +3587,9 @@ If you do not configure this policy (default), there will be an "Internet" link Removes the Security tab from File Explorer. -If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. +- If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. -If you disable or do not configure this setting, users will be able to access the security tab. +- If you disable or do not configure this setting, users will be able to access the security tab. @@ -3836,7 +3607,7 @@ If you disable or do not configure this setting, users will be able to access th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3876,11 +3647,11 @@ If you disable or do not configure this setting, users will be able to access th This policy setting allows you to remove the Search button from the File Explorer toolbar. -If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. +- If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. -If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. +- If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. @@ -3900,7 +3671,7 @@ This policy setting does not affect the Search items on the File Explorer contex > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3921,6 +3692,68 @@ This policy setting does not affect the Search items on the File Explorer contex + +## NoStrCmpLogical + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/NoStrCmpLogical +``` + + + + +This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. +- If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). +- If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoStrCmpLogical | +| Friendly Name | Turn off numerical sorting in File Explorer | +| Location | Computer and User Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoStrCmpLogical | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## NoViewContextMenu @@ -3940,7 +3773,7 @@ This policy setting does not affect the Search items on the File Explorer contex Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. -If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. +- If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. @@ -3958,7 +3791,7 @@ If you enable this setting, menus do not appear when you right-click the desktop > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3998,11 +3831,12 @@ If you enable this setting, menus do not appear when you right-click the desktop Prevents users from using My Computer to gain access to the content of selected drives. -If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. +- If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. -Note: The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. +> [!NOTE] +> The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. @@ -4024,7 +3858,7 @@ Also, see the "Hide these specified drives in My Computer" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4065,9 +3899,9 @@ Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disable these Windows Key hotkeys. -If you enable this setting, the Windows Key hotkeys are unavailable. +- If you enable this setting, the Windows Key hotkeys are unavailable. -If you disable or do not configure this setting, the Windows Key hotkeys are available. +- If you disable or do not configure this setting, the Windows Key hotkeys are available. @@ -4085,7 +3919,7 @@ If you disable or do not configure this setting, the Windows Key hotkeys are ava > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4125,9 +3959,9 @@ If you disable or do not configure this setting, the Windows Key hotkeys are ava This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. -If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. +- If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. -If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations. +- If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations. This policy setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box. @@ -4149,7 +3983,7 @@ To remove network computers from lists of network resources, use the "No Entire > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4205,9 +4039,10 @@ The list of Common Shell Folders that may be specified: Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. -If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. +- If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. -Note: In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. @@ -4225,7 +4060,7 @@ Note: In Windows Vista, this policy setting applies only to applications that ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4266,13 +4101,14 @@ Prompts users for alternate logon credentials during network-based installations This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. -If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. +- If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. -Note: If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. +> [!NOTE] +> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. @@ -4290,7 +4126,7 @@ Note: If it is enabled, the "Do not request alternate credentials" setting takes > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4330,11 +4166,12 @@ Note: If it is enabled, the "Do not request alternate credentials" setting takes Limits the percentage of a volume's disk space that can be used to store deleted files. -If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. +- If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. -If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. +- If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. -Note: This setting is applied to all volumes. +> [!NOTE] +> This setting is applied to all volumes. @@ -4352,7 +4189,7 @@ Note: This setting is applied to all volumes. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4391,11 +4228,11 @@ Note: This setting is applied to all volumes. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. -If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. +- If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. -If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. +- If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. -If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. +- If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. @@ -4413,13 +4250,13 @@ If you do not configure this policy setting the protocol is in the protected mod > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ShellProtocolProtectedModeTitle | +| Name | ShellProtocolProtectedModeTitle_1 | | Friendly Name | Turn off shell protocol protected mode | | Location | User Configuration | | Path | WindowsComponents > File Explorer | @@ -4434,6 +4271,192 @@ If you do not configure this policy setting the protocol is in the protected mod + +## ShellProtocolProtectedModeTitle_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +``` + + + + +This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + +- If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. + +- If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + +- If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShellProtocolProtectedModeTitle_2 | +| Friendly Name | Turn off shell protocol protected mode | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | PreXPSP2ShellProtocolBehavior | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ShowHibernateOption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowHibernateOption +``` + + + + +Shows or hides hibernate from the power options menu. + +- If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +- If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. + +- If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowHibernateOption | +| Friendly Name | Show hibernate in the power options menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowHibernateOption | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + + +## ShowSleepOption + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsExplorer/ShowSleepOption +``` + + + + +Shows or hides sleep from the power options menu. + +- If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +- If you disable this policy setting, the sleep option will never be shown in the Power Options menu. + +- If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ShowSleepOption | +| Friendly Name | Show sleep in the power options menu | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | ShowSleepOption | +| ADMX File Name | WindowsExplorer.admx | + + + + + + + + ## TryHarderPinnedLibrary @@ -4451,15 +4474,15 @@ If you do not configure this policy setting the protocol is in the protected mod -This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. +This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file. You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. -If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. +- If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. -If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. +- If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. @@ -4477,7 +4500,7 @@ If you disable or do not configure this policy setting, no Libraries or Search C > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4521,9 +4544,9 @@ You can add up to five additional links to the "Search again" links at the botto The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. -If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. +- If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. -If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. +- If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. @@ -4541,7 +4564,7 @@ If you disable or do not configure this policy setting, no custom Internet searc > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 2f726a8d3a..66dc23c872 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -1,10 +1,10 @@ --- title: ADMX_WindowsMediaDRM Policy CSP -description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP +description: Learn more about the ADMX_WindowsMediaDRM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WindowsMediaDRM > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -68,7 +66,7 @@ When this policy is either disabled or not configured, Windows Media DRM functio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 6f8ecd7843..7644cbac0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -1,10 +1,10 @@ --- title: ADMX_WindowsMediaPlayer Policy CSP -description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP +description: Learn more about the ADMX_WindowsMediaPlayer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WindowsMediaPlayer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,374 +25,6 @@ ms.topic: reference - -## DisableAutoUpdate - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableAutoUpdate -``` - - - - -This policy setting allows you to turn off do not show first use dialog boxes. - -If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. - -This policy setting prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. - -If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableAutoUpdate | -| Friendly Name | Prevent Automatic Updates | -| Location | Computer Configuration | -| Path | Windows Components > Windows Media Player | -| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | -| Registry Value Name | DisableAutoUpdate | -| ADMX File Name | windowsmediaplayer.admx | - - - - - - - - - -## DisableSetupFirstUseConfiguration - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration -``` - - - - -This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. - -If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. - -If you disable or do not configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. - -If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableSetupFirstUseConfiguration | -| Friendly Name | Do Not Show First Use Dialog Boxes | -| Location | Computer Configuration | -| Path | Windows Components > Windows Media Player | -| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | -| Registry Value Name | GroupPrivacyAcceptance | -| ADMX File Name | windowsmediaplayer.admx | - - - - - - - - - -## DontUseFrameInterpolation - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DontUseFrameInterpolation -``` - - - - -This policy setting allows you to prevent video smoothing from occurring. - -If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. - -If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and is not available. - -If you do not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. - -Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DontUseFrameInterpolation | -| Friendly Name | Prevent Video Smoothing | -| Location | Computer Configuration | -| Path | Windows Components > Windows Media Player | -| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | -| Registry Value Name | DontUseFrameInterpolation | -| ADMX File Name | windowsmediaplayer.admx | - - - - - - - - - -## PreventLibrarySharing - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventLibrarySharing -``` - - - - -This policy setting allows you to prevent media sharing from Windows Media Player. - -If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. - -If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventLibrarySharing | -| Friendly Name | Prevent Media Sharing | -| Location | Computer Configuration | -| Path | Windows Components > Windows Media Player | -| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | -| Registry Value Name | PreventLibrarySharing | -| ADMX File Name | windowsmediaplayer.admx | - - - - - - - - - -## PreventQuickLaunchShortcut - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut -``` - - - - -This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. - -If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. - -If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventQuickLaunchShortcut | -| Friendly Name | Prevent Quick Launch Toolbar Shortcut Creation | -| Location | Computer Configuration | -| Path | Windows Components > Windows Media Player | -| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | -| Registry Value Name | QuickLaunchShortcut | -| ADMX File Name | windowsmediaplayer.admx | - - - - - - - - - -## PreventWMPDeskTopShortcut - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut -``` - - - - -This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. - -If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. - -If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventWMPDeskTopShortcut | -| Friendly Name | Prevent Desktop Shortcut Creation | -| Location | Computer Configuration | -| Path | Windows Components > Windows Media Player | -| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | -| Registry Value Name | DesktopShortcut | -| ADMX File Name | windowsmediaplayer.admx | - - - - - - - - ## ConfigureHTTPProxySettings @@ -414,7 +44,7 @@ If you disable or do not configure this policy setting, users can choose whether This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. -If you enable this policy setting, select one of the following proxy types: +- If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. @@ -426,9 +56,9 @@ The Configure button on the Network tab in the Player is not available for the H This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected. -If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy. +- If you disable this policy setting, the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy. -If you do not configure this policy setting, users can configure the HTTP proxy settings. +- If you do not configure this policy setting, users can configure the HTTP proxy settings. @@ -446,7 +76,7 @@ If you do not configure this policy setting, users can configure the HTTP proxy > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -486,7 +116,7 @@ If you do not configure this policy setting, users can configure the HTTP proxy This policy setting allows you to specify the MMS proxy settings for Windows Media Player. -If you enable this policy setting, select one of the following proxy types: +- If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. @@ -497,9 +127,9 @@ The Configure button on the Network tab in the Player is not available and the p This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected. -If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy settings. +- If you disable this policy setting, the MMS proxy server cannot be used and users cannot configure the MMS proxy settings. -If you do not configure this policy setting, users can configure the MMS proxy settings. +- If you do not configure this policy setting, users can configure the MMS proxy settings. @@ -517,7 +147,7 @@ If you do not configure this policy setting, users can configure the MMS proxy s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -557,7 +187,7 @@ If you do not configure this policy setting, users can configure the MMS proxy s This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. -If you enable this policy setting, select one of the following proxy types: +- If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. @@ -566,9 +196,9 @@ If the Custom proxy type is selected, the rest of the options on the Setting tab The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If the "Hide network tab" policy setting is also enabled, the entire Network tab is hidden. -If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. +- If you disable this policy setting, the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings. -If you do not configure this policy setting, users can configure the RTSP proxy settings. +- If you do not configure this policy setting, users can configure the RTSP proxy settings. @@ -586,7 +216,7 @@ If you do not configure this policy setting, users can configure the RTSP proxy > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -607,6 +237,68 @@ If you do not configure this policy setting, users can configure the RTSP proxy + +## DisableAutoUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableAutoUpdate +``` + + + + +This policy setting allows you to turn off do not show first use dialog boxes. + +- If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. + +This policy setting prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. + +- If you disable or do not configure this policy setting, the dialog boxes are displayed when the user starts the Player for the first time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAutoUpdate | +| Friendly Name | Prevent Automatic Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DisableAutoUpdate | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + ## DisableNetworkSettings @@ -626,9 +318,9 @@ If you do not configure this policy setting, users can configure the RTSP proxy This policy setting allows you to hide the Network tab. -If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. +- If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. -If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. +- If you disable or do not configure this policy setting, the Network tab appears and users can use it to configure network settings. @@ -646,7 +338,7 @@ If you disable or do not configure this policy setting, the Network tab appears > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -667,6 +359,68 @@ If you disable or do not configure this policy setting, the Network tab appears + +## DisableSetupFirstUseConfiguration + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration +``` + + + + +This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. + +- If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. + +- If you disable or do not configure this policy setting, users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the Player. + +- If you do not configure this policy setting, and the "Set and lock skin" policy setting is enabled, some options in the anchor window are not available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableSetupFirstUseConfiguration | +| Friendly Name | Do Not Show First Use Dialog Boxes | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | GroupPrivacyAcceptance | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + ## DoNotShowAnchor @@ -708,7 +462,7 @@ When this policy is not configured and the Set and Lock Skin policy is enabled, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -729,6 +483,70 @@ When this policy is not configured and the Set and Lock Skin policy is enabled, + +## DontUseFrameInterpolation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/DontUseFrameInterpolation +``` + + + + +This policy setting allows you to prevent video smoothing from occurring. + +- If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. + +- If you disable this policy setting, video smoothing occurs if necessary, and the Use Video Smoothing check box is selected and is not available. + +- If you do not configure this policy setting, video smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box. + +Video smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DontUseFrameInterpolation | +| Friendly Name | Prevent Video Smoothing | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DontUseFrameInterpolation | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + ## EnableScreenSaver @@ -748,11 +566,11 @@ When this policy is not configured and the Set and Lock Skin policy is enabled, This policy setting allows a screen saver to interrupt playback. -If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. +- If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. -If you disable this policy setting, a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is not available. +- If you disable this policy setting, a screen saver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is not available. -If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. +- If you do not configure this policy setting, users can change the setting for the Allow screen saver during playback check box. @@ -770,7 +588,7 @@ If you do not configure this policy setting, users can change the setting for th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -810,11 +628,11 @@ If you do not configure this policy setting, users can change the setting for th This policy setting allows you to hide the Privacy tab in Windows Media Player. -If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. +- If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. The default privacy settings are used for the options on the Privacy tab unless the user changed the settings previously. -If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. +- If you disable or do not configure this policy setting, the Privacy tab is not hidden, and users can configure any privacy settings not configured by other polices. @@ -832,7 +650,7 @@ If you disable or do not configure this policy setting, the Privacy tab is not h > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -872,9 +690,9 @@ If you disable or do not configure this policy setting, the Privacy tab is not h This policy setting allows you to hide the Security tab in Windows Media Player. -If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. +- If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. -If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. +- If you disable or do not configure this policy setting, users can configure the security settings on the Security tab. @@ -892,7 +710,7 @@ If you disable or do not configure this policy setting, users can configure the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -932,14 +750,14 @@ If you disable or do not configure this policy setting, users can configure the This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. -If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. +- If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. - Custom: the number of seconds, up to 60, that streaming media is buffered. - Default: default network buffering is used and the number of seconds that is specified is ignored. The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available. -If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. +- If you disable or do not configure this policy setting, users can change the buffering options on the Performance tab. @@ -957,7 +775,7 @@ If you disable or do not configure this policy setting, users can change the buf > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -997,11 +815,11 @@ If you disable or do not configure this policy setting, users can change the buf This policy setting allows you to prevent Windows Media Player from downloading codecs. -If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. +- If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. -If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available. +- If you disable this policy setting, codecs are automatically downloaded and the Download codecs automatically check box is not available. -If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. +- If you do not configure this policy setting, users can change the setting for the Download codecs automatically check box. @@ -1019,7 +837,7 @@ If you do not configure this policy setting, users can change the setting for th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1059,9 +877,9 @@ If you do not configure this policy setting, users can change the setting for th This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. +- If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. -If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. +- If you disable or do not configure this policy setting, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box. @@ -1079,7 +897,7 @@ If you disable or do not configure this policy setting, users can change the set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1100,6 +918,66 @@ If you disable or do not configure this policy setting, users can change the set + +## PreventLibrarySharing + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventLibrarySharing +``` + + + + +This policy setting allows you to prevent media sharing from Windows Media Player. + +- If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. + +- If you disable or do not configure this policy setting, anyone using Windows Media Player can turn media sharing on or off. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventLibrarySharing | +| Friendly Name | Prevent Media Sharing | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | PreventLibrarySharing | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + ## PreventMusicFileMetadataRetrieval @@ -1119,9 +997,9 @@ If you disable or do not configure this policy setting, users can change the set This policy setting allows you to prevent media information for music files from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. +- If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. -If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. +- If you disable or do not configure this policy setting, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box. @@ -1139,7 +1017,7 @@ If you disable or do not configure this policy setting, users can change the set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1160,6 +1038,66 @@ If you disable or do not configure this policy setting, users can change the set + +## PreventQuickLaunchShortcut + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut +``` + + + + +This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. + +- If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. + +- If you disable or do not configure this policy setting, the user can choose whether to add the shortcut for the Player to the Quick Launch bar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventQuickLaunchShortcut | +| Friendly Name | Prevent Quick Launch Toolbar Shortcut Creation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | QuickLaunchShortcut | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + ## PreventRadioPresetsRetrieval @@ -1179,9 +1117,9 @@ If you disable or do not configure this policy setting, users can change the set This policy setting allows you to prevent radio station presets from being retrieved from the Internet. -If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. +- If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. -If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. +- If you disable or do not configure this policy setting, the Player automatically retrieves radio station presets from the Internet. @@ -1199,7 +1137,7 @@ If you disable or do not configure this policy setting, the Player automatically > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1220,6 +1158,66 @@ If you disable or do not configure this policy setting, the Player automatically + +## PreventWMPDeskTopShortcut + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut +``` + + + + +This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. + +- If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. + +- If you disable or do not configure this policy setting, users can choose whether to add the Player shortcut icon to their desktops. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventWMPDeskTopShortcut | +| Friendly Name | Prevent Desktop Shortcut Creation | +| Location | Computer Configuration | +| Path | Windows Components > Windows Media Player | +| Registry Key Name | Software\Policies\Microsoft\WindowsMediaPlayer | +| Registry Value Name | DesktopShortcut | +| ADMX File Name | windowsmediaplayer.admx | + + + + + + + + ## SkinLockDown @@ -1239,13 +1237,13 @@ If you disable or do not configure this policy setting, the Player automatically This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. -If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. +- If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. You must use the complete file name for the skin (for example, skin_name.wmz), and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on a user's computer, or if the Skin box is blank, the Player opens by using the Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank. A user has access only to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different skin. -If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. +- If you disable or do not configure this policy setting, users can display the Player in full or skin mode and have access to all available features of the Player. @@ -1263,7 +1261,7 @@ If you disable or do not configure this policy setting, users can display the Pl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1303,13 +1301,13 @@ If you disable or do not configure this policy setting, users can display the Pl This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. -If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. +- If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. -If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. +- If you enable this policy setting, the administrator must also specify the protocols that are available to users on the Network tab. If the administrator does not specify any protocols, the Player cannot access an MMS or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled, the entire Network tab is hidden. -If you do not configure this policy setting, users can select the protocols to use on the Network tab. +- If you do not configure this policy setting, users can select the protocols to use on the Network tab. -If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. +- If you disable this policy setting, the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server. @@ -1327,7 +1325,7 @@ If you disable this policy setting, the Protocols for MMS URLs and Multicast str > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 04fc71aad2..92e853efe1 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -1,10 +1,10 @@ --- title: ADMX_WindowsRemoteManagement Policy CSP -description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP +description: Learn more about the ADMX_WindowsRemoteManagement Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WindowsRemoteManagement > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. -If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. +- If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. -If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client. @@ -66,13 +64,13 @@ If you disable or do not configure this policy setting, the WinRM service accept > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisallowKerberos | +| Name | DisallowKerberos_1 | | Friendly Name | Disallow Kerberos authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | @@ -106,9 +104,9 @@ If you disable or do not configure this policy setting, the WinRM service accept This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly. -If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. +- If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected. -If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. +- If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly. @@ -126,13 +124,13 @@ If you disable or do not configure this policy setting, the WinRM client uses th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisallowKerberos | +| Name | DisallowKerberos_2 | | Friendly Name | Disallow Kerberos authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 92abc45d19..2187c471b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -1,10 +1,10 @@ --- title: ADMX_WindowsStore Policy CSP -description: Learn more about the ADMX_WindowsStore Area in Policy CSP +description: Learn more about the ADMX_WindowsStore Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WindowsStore > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference Enables or disables the automatic download of app updates on PCs running Windows 8. -If you enable this setting, the automatic download of app updates is turned off. +- If you enable this setting, the automatic download of app updates is turned off. -If you disable this setting, the automatic download of app updates is turned on. +- If you disable this setting, the automatic download of app updates is turned on. -If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Microsoft Store. +- If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Microsoft Store. @@ -68,7 +66,7 @@ If you don't configure this setting, the automatic download of app updates is de > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -89,126 +87,6 @@ If you don't configure this setting, the automatic download of app updates is de - -## DisableOSUpgrade_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableOSUpgrade_2 -``` - - - - -Enables or disables the Store offer to update to the latest version of Windows. - -If you enable this setting, the Store application will not offer updates to the latest version of Windows. - -If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableOSUpgradeOption | -| Friendly Name | Turn off the offer to update to the latest version of Windows | -| Location | Computer Configuration | -| Path | Windows Components > Store | -| Registry Key Name | Software\Policies\Microsoft\WindowsStore | -| Registry Value Name | DisableOSUpgrade | -| ADMX File Name | WindowsStore.admx | - - - - - - - - - -## RemoveWindowsStore_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2 -``` - - - - -Denies or allows access to the Store application. - -If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. - -If you disable or don't configure this setting, access to the Store application is allowed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | RemoveWindowsStore | -| Friendly Name | Turn off the Store application | -| Location | Computer Configuration | -| Path | Windows Components > Store | -| Registry Key Name | Software\Policies\Microsoft\WindowsStore | -| Registry Value Name | RemoveWindowsStore | -| ADMX File Name | WindowsStore.admx | - - - - - - - - ## DisableOSUpgrade_1 @@ -228,9 +106,9 @@ If you disable or don't configure this setting, access to the Store application Enables or disables the Store offer to update to the latest version of Windows. -If you enable this setting, the Store application will not offer updates to the latest version of Windows. +- If you enable this setting, the Store application will not offer updates to the latest version of Windows. -If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. +- If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. @@ -248,13 +126,13 @@ If you disable or do not configure this setting the Store application will offer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisableOSUpgradeOption | +| Name | DisableOSUpgrade_1 | | Friendly Name | Turn off the offer to update to the latest version of Windows | | Location | User Configuration | | Path | Windows Components > Store | @@ -269,6 +147,66 @@ If you disable or do not configure this setting the Store application will offer + +## DisableOSUpgrade_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/DisableOSUpgrade_2 +``` + + + + +Enables or disables the Store offer to update to the latest version of Windows. + +- If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +- If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableOSUpgrade_2 | +| Friendly Name | Turn off the offer to update to the latest version of Windows | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | DisableOSUpgrade | +| ADMX File Name | WindowsStore.admx | + + + + + + + + ## RemoveWindowsStore_1 @@ -288,9 +226,9 @@ If you disable or do not configure this setting the Store application will offer Denies or allows access to the Store application. -If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. +- If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. -If you disable or don't configure this setting, access to the Store application is allowed. +- If you disable or don't configure this setting, access to the Store application is allowed. @@ -308,13 +246,13 @@ If you disable or don't configure this setting, access to the Store application > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | RemoveWindowsStore | +| Name | RemoveWindowsStore_1 | | Friendly Name | Turn off the Store application | | Location | User Configuration | | Path | Windows Components > Store | @@ -329,6 +267,66 @@ If you disable or don't configure this setting, access to the Store application + +## RemoveWindowsStore_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WindowsStore/RemoveWindowsStore_2 +``` + + + + +Denies or allows access to the Store application. + +- If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +- If you disable or don't configure this setting, access to the Store application is allowed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | RemoveWindowsStore_2 | +| Friendly Name | Turn off the Store application | +| Location | Computer Configuration | +| Path | Windows Components > Store | +| Registry Key Name | Software\Policies\Microsoft\WindowsStore | +| Registry Value Name | RemoveWindowsStore | +| ADMX File Name | WindowsStore.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index 89b3dac4c2..0e91181420 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -1,10 +1,10 @@ --- title: ADMX_WinInit Policy CSP -description: Learn more about the ADMX_WinInit Area in Policy CSP +description: Learn more about the ADMX_WinInit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WinInit > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. -If you enable this policy setting, the system does not create the named pipe remote shutdown interface. +- If you enable this policy setting, the system does not create the named pipe remote shutdown interface. -If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. +- If you disable or do not configure this policy setting, the system creates the named pipe remote shutdown interface. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, the system creates the n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,9 +104,9 @@ If you disable or do not configure this policy setting, the system creates the n This policy setting controls the use of fast startup. -If you enable this policy setting, the system requires hibernate to be enabled. +- If you enable this policy setting, the system requires hibernate to be enabled. -If you disable or do not configure this policy setting, the local setting is used. +- If you disable or do not configure this policy setting, the local setting is used. @@ -126,7 +124,7 @@ If you disable or do not configure this policy setting, the local setting is use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -166,9 +164,9 @@ If you disable or do not configure this policy setting, the local setting is use This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. -If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. +- If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. -If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. +- If you disable or do not configure this policy setting, the default timeout value is 3 minutes for workstations and 15 minutes for servers. @@ -186,7 +184,7 @@ If you disable or do not configure this policy setting, the default timeout valu > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index 36ae26d939..97b2a94a4a 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -1,10 +1,10 @@ --- title: ADMX_WinLogon Policy CSP -description: Learn more about the ADMX_WinLogon Area in Policy CSP +description: Learn more about the ADMX_WinLogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WinLogon > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,6 +25,71 @@ ms.topic: reference + +## CustomShell + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/CustomShell +``` + + + + +Specifies an alternate user interface. + +The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. +- If you enable this setting, the system starts the interface you specify instead of Explorer.exe. + +To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. + +- If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. + +> [!TIP] +> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomShell | +| Friendly Name | Custom User Interface | +| Location | User Configuration | +| Path | System | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + + + + + + + + ## DisplayLastLogonInfoDescription @@ -50,7 +113,7 @@ For local user accounts and domain user accounts in domains of at least a Window For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level. -If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. +- If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed. @@ -68,7 +131,7 @@ If you disable or do not configure this setting, messages about the previous log > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -89,6 +152,135 @@ If you disable or do not configure this setting, messages about the previous log + +## LogonHoursNotificationPolicyDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursNotificationPolicyDescription +``` + + + + +This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. + +- If you enable this setting, warnings are not displayed to the user before the logon hours expire. + +- If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the "Set action to take when logon hours expire" setting. If "Set action to take when logon hours expire" is disabled or not configured, the "Remove logon hours expiration warnings" setting will have no effect, and users receive no warnings about logon hour expiration + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LogonHoursNotificationPolicyDescription | +| Friendly Name | Remove logon hours expiration warnings | +| Location | User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | DontDisplayLogonHoursWarnings | +| ADMX File Name | WinLogon.admx | + + + + + + + + + +## LogonHoursPolicyDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursPolicyDescription +``` + + + + +This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. + +If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. + +If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. + +- If you enable this setting, the system will perform the action you specify when the user's logon hours expire. + +- If you disable or do not configure this setting, the system takes no action when the user's logon hours expire. The user can continue the existing session, but cannot log on to a new session. + +> [!NOTE] +> If you configure this setting, you might want to examine and appropriately configure the "Remove logon hours expiration warnings" setting + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LogonHoursPolicyDescription | +| Friendly Name | Set action to take when logon hours expire | +| Location | User Configuration | +| Path | Windows Components > Windows Logon Options | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| ADMX File Name | WinLogon.admx | + + + + + + + + ## ReportCachedLogonPolicyDescription @@ -132,7 +324,7 @@ If disabled or not configured, no popup will be displayed to the user. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -172,14 +364,14 @@ If disabled or not configured, no popup will be displayed to the user. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). -If you enable this policy setting, you have one of four options: +- If you enable this policy setting, you have one of four options: If you set this policy setting to "None," user mode software cannot simulate the SAS. If you set this policy setting to "Services," services can simulate the SAS. If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS. If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS. -If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. +- If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS. @@ -197,13 +389,13 @@ If you disable or do not configure this setting, only Ease of Access application > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | SoftwareSASGenerationDescription | +| Name | SoftwareSASGeneration | | Friendly Name | Disable or enable software Secure Attention Sequence | | Location | Computer Configuration | | Path | Windows Components > Windows Logon Options | @@ -217,196 +409,6 @@ If you disable or do not configure this setting, only Ease of Access application - -## CustomShell - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/CustomShell -``` - - - - -Specifies an alternate user interface. - -The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Explorer.exe. - -To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file. - -If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface. - -Tip: To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CustomShellPolicyDescription | -| Friendly Name | Custom User Interface | -| Location | User Configuration | -| Path | System | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| ADMX File Name | WinLogon.admx | - - - - - - - - - -## LogonHoursNotificationPolicyDescription - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursNotificationPolicyDescription -``` - - - - -This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. - -If you enable this setting, warnings are not displayed to the user before the logon hours expire. - -If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire. - -Note: If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LogonHoursNotificationPolicyDescription | -| Friendly Name | Remove logon hours expiration warnings | -| Location | User Configuration | -| Path | Windows Components > Windows Logon Options | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | DontDisplayLogonHoursWarnings | -| ADMX File Name | WinLogon.admx | - - - - - - - - - -## LogonHoursPolicyDescription - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursPolicyDescription -``` - - - - -This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. - -If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours. - -If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. - -If you enable this setting, the system will perform the action you specify when the user’s logon hours expire. - -If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session. - -Note: If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LogonHoursPolicyDescription | -| Friendly Name | Set action to take when logon hours expire | -| Location | User Configuration | -| Path | Windows Components > Windows Logon Options | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| ADMX File Name | WinLogon.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 2d8626de35..e4b1d5df39 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -1,10 +1,10 @@ --- title: ADMX_Winsrv Policy CSP -description: Learn more about the ADMX_Winsrv Area in Policy CSP +description: Learn more about the ADMX_Winsrv Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Winsrv > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely. -If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdown. +- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdown. -If you disable or do not configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly. +- If you disable or do not configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that Windows can shut down faster and more smoothly. @@ -56,7 +54,6 @@ If you disable or do not configure this setting, these applications will be auto > [!NOTE] > This policy setting applies to all sites in Trusted zones. - @@ -70,7 +67,7 @@ If you disable or do not configure this setting, these applications will be auto > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index bc73ff959e..5dcf6b4493 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -1,10 +1,10 @@ --- title: ADMX_wlansvc Policy CSP -description: Learn more about the ADMX_wlansvc Area in Policy CSP +description: Learn more about the ADMX_wlansvc Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_wlansvc > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: +- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. @@ -54,7 +52,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost - Variable: This connection is costed on a per byte basis. -If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. +- If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. @@ -72,7 +70,7 @@ If this policy setting is disabled or is not configured, the cost of Wireless LA > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -113,7 +111,7 @@ This policy applies to Wireless Display connections. This policy means that the Conversely it means that Push Button is NOT allowed. -If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). +- If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). @@ -131,13 +129,13 @@ If this policy setting is disabled or is not configured, by default Push Button > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Wireless_Display_PINEnforced | +| Name | SetPINEnforced | | Friendly Name | Require PIN pairing | | Location | Computer Configuration | | Path | Network > Wireless Display | @@ -173,7 +171,7 @@ This policy applies to Wireless Display connections. This policy changes the pre When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. -If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). +- If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). @@ -191,13 +189,13 @@ If this policy setting is disabled or is not configured, by default Push Button > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Wireless_Display_PINPreferred | +| Name | SetPINPreferred | | Friendly Name | Prefer PIN pairing | | Location | Computer Configuration | | Path | Network > Wireless Display | diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index a0f517b1cc..47c1744461 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -1,10 +1,10 @@ --- title: ADMX_WordWheel Policy CSP -description: Learn more about the ADMX_WordWheel Area in Policy CSP +description: Learn more about the ADMX_WordWheel Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WordWheel > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference Set up the menu name and URL for the custom Internet search provider. -If you enable this setting, the specified menu name and URL will be used for Internet searches. +- If you enable this setting, the specified menu name and URL will be used for Internet searches. -If you disable or not configure this setting, the default Internet search provider will be used. +- If you disable or not configure this setting, the default Internet search provider will be used. @@ -66,7 +64,7 @@ If you disable or not configure this setting, the default Internet search provid > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 5f53daeea8..1ba24c4abe 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -1,10 +1,10 @@ --- title: ADMX_WorkFoldersClient Policy CSP -description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP +description: Learn more about the ADMX_WorkFoldersClient Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WorkFoldersClient > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. -If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up. +- If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user, Work Folders is not automatically set up. -If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. +- If you disable or do not configure this policy setting, Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whether to automatically set up Work Folders for a given user. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, Work Folders uses the "F > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -122,7 +120,7 @@ This policy specifies whether Work Folders should use Token Broker for interacti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -162,18 +160,20 @@ This policy specifies whether Work Folders should use Token Broker for interacti This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. -If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. +- If you enable this policy setting, affected users receive Work Folders settings when they sign in to a domain-joined PC. +- If this policy setting is disabled or not configured, no Work Folders settings are specified for the affected users, though users can manually set up Work Folders by using the Work Folders Control Panel item. The "Work Folders URL" can specify either the URL used by the organization for Work Folders discovery, or the specific URL of the file server that stores the affected users' data. -The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables. +The "Work Folders Local Path" specifies the local folder used on the client machine to sync files. This path may contain environment variables -**Note**: In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. +> [!NOTE] +> In order for this configuration to take effect, a valid 'Work Folders URL' must also be specified. -The “On-demand file access preference” option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don’t take up any space on the PC, but the user must be connected to the Internet to access them. +The "On-demand file access preference" option controls whether to enable on-demand file access. When enabled, the user controls which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don't take up any space on the PC, but the user must be connected to the Internet to access them. -If you enable this policy setting, on-demand file access is enabled. -If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user’s files is required on each of their PCs. +- If you enable this policy setting, on-demand file access is enabled. +- If you disable this policy setting, on-demand file access is disabled, and enough storage space to store all the user's files is required on each of their PCs. If you specify User choice or do not configure this policy setting, the user decides whether to enable on-demand file access. However, if the Force automatic setup policy setting is enabled, Work Folders is set up automatically with on-demand file access enabled. The "Force automatic setup" option specifies that Work Folders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By default, Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option is not specified, users must use the Work Folders Control Panel item on their computers to set up Work Folders. @@ -194,7 +194,7 @@ The "Force automatic setup" option specifies that Work Folders should be set up > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 8fefa46f8c..e141fc1da3 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -1,10 +1,10 @@ --- title: ADMX_WPN Policy CSP -description: Learn more about the ADMX_WPN Area in Policy CSP +description: Learn more about the ADMX_WPN Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_WPN > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,76 +25,6 @@ ms.topic: reference - -## NoToastNotification - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification -``` - - - - -This policy setting turns off toast notifications for applications. - -If you enable this policy setting, applications will not be able to raise toast notifications. - -Note that this policy does not affect taskbar notification balloons. - -Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. - -If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. - -No reboots or service restarts are required for this policy setting to take effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoToastNotification | -| Friendly Name | Turn off toast notifications | -| Location | User Configuration | -| Path | Start Menu and Taskbar > Notifications | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | -| Registry Value Name | NoToastApplicationNotification | -| ADMX File Name | WPN.admx | - - - - - - - - ## NoCallsDuringQuietHours @@ -116,11 +44,11 @@ No reboots or service restarts are required for this policy setting to take effe This policy setting blocks voice and video calls during Quiet Hours. -If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. +- If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. -If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. +- If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. -If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Adminstrators and users will be able to modify this setting. +- If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Adminstrators and users will be able to modify this setting. @@ -138,7 +66,7 @@ If you do not configure this policy setting, voice and video calls will be allow > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -178,9 +106,9 @@ If you do not configure this policy setting, voice and video calls will be allow This policy setting turns off toast notifications on the lock screen. -If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. +- If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. -If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. +- If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. @@ -200,7 +128,7 @@ No reboots or service restarts are required for this policy setting to take effe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -240,11 +168,11 @@ No reboots or service restarts are required for this policy setting to take effe This policy setting turns off Quiet Hours functionality. -If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. +- If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. -If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. +- If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. -If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. +- If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. @@ -262,7 +190,7 @@ If you do not configure this policy setting, Quiet Hours are enabled by default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -283,6 +211,76 @@ If you do not configure this policy setting, Quiet Hours are enabled by default + +## NoToastNotification + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_WPN/NoToastNotification +``` + + + + +This policy setting turns off toast notifications for applications. + +- If you enable this policy setting, applications will not be able to raise toast notifications. + +**Note** that this policy does not affect taskbar notification balloons. + +**Note** that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. + +- If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoToastNotification | +| Friendly Name | Turn off toast notifications | +| Location | User Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| Registry Value Name | NoToastApplicationNotification | +| ADMX File Name | WPN.admx | + + + + + + + + ## QuietHoursDailyBeginMinute @@ -302,11 +300,11 @@ If you do not configure this policy setting, Quiet Hours are enabled by default This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. -If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. +- If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. -If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. +- If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. -If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. +- If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. @@ -324,7 +322,7 @@ If you do not configure this policy setting, a default value will be used, which > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -363,11 +361,11 @@ If you do not configure this policy setting, a default value will be used, which This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. -If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. +- If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. -If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. +- If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. -If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. +- If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. @@ -385,7 +383,7 @@ If you do not configure this policy setting, a default value will be used, which > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 9bad1aa522..849c9609bc 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,10 +1,10 @@ --- title: ApplicationDefaults Policy CSP -description: Learn more about the ApplicationDefaults Area in Policy CSP +description: Learn more about the ApplicationDefaults Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -147,7 +147,7 @@ Enabling this policy setting enables web-to-app linking so that apps can be laun Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 804f8c66c6..8e2b18b64d 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,10 +1,10 @@ --- title: ApplicationManagement Policy CSP -description: Learn more about the ApplicationManagement Area in Policy CSP +description: Learn more about the ApplicationManagement Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,9 +39,9 @@ ms.topic: reference This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. -If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). +- If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer). -If you disable or do not configure this policy setting, you cannot install LOB or developer-signed Windows Store apps. +- If you disable or do not configure this policy setting, you cannot install LOB or developer-signed Windows Store apps. @@ -171,11 +171,11 @@ Specifies whether automatic update of apps from Microsoft Store are allowed. Mos This policy setting controls whether the system can archive infrequently used apps. -If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. +- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps. -If you disable this policy setting, then the system will not archive any apps. +- If you disable this policy setting, then the system will not archive any apps. -If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. +- If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves. @@ -241,9 +241,9 @@ If you do not configure this policy setting (default), then the system will foll Allows or denies development of Microsoft Store applications and installing them directly from an IDE. -If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Microsoft Store apps and install them directly from an IDE. +- If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Microsoft Store apps and install them directly from an IDE. -If you disable or do not configure this setting, you cannot develop Microsoft Store apps or install them directly from an IDE. +- If you disable or do not configure this setting, you cannot develop Microsoft Store apps or install them directly from an IDE. @@ -309,7 +309,8 @@ If you disable or do not configure this setting, you cannot develop Microsoft St Windows Game Recording and Broadcasting. -This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. +This setting enables or disables the Windows Game Recording and Broadcasting features. +- If you disable this setting, Windows Game Recording will not be allowed. If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be allowed. @@ -317,7 +318,6 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - @@ -378,9 +378,9 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st Manages a Windows app's ability to share data between users who have installed the app. -If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. +- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API. -If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. +- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder. @@ -539,9 +539,9 @@ This policy is deprecated Manages non-Administrator users' ability to install Windows app packages. -If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. +- If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. -If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. +- If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. @@ -722,9 +722,9 @@ For this policy to work, the Windows apps need to declare in their manifest that This policy setting permits users to change installation options that typically are available only to system administrators. -If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. +- If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. -If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. +- If you disable or do not configure this policy setting, the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. @@ -750,8 +750,8 @@ This policy setting is designed for less restrictive environments. It can be use | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -797,16 +797,15 @@ This policy setting is designed for less restrictive environments. It can be use This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. -If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. +- If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. -If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. +- If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. -**Note**: This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. +> [!NOTE] +> This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders. > [!CAUTION] -> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. - -**Note** that the User Configuration version of this policy setting is not guaranteed to be secure. +> Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restricted files and folders. **Note** that the User Configuration version of this policy setting is not guaranteed to be secure. @@ -828,8 +827,8 @@ If you disable or do not configure this policy setting, the system applies the c | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -875,9 +874,9 @@ If you disable or do not configure this policy setting, the system applies the c Denies access to the retail catalog in the Microsoft Store, but displays the private store. -If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. +- If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. -If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. +- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store. @@ -942,9 +941,9 @@ If you disable or don't configure this setting, users can access the retail cata Prevent users' app data from moving to another location when an app is moved or installed on another location. -If you enable this setting, all users' app data will stay on the system volume, regardless of where the app is installed. +- If you enable this setting, all users' app data will stay on the system volume, regardless of where the app is installed. -If you disable or do not configure this setting, then when an app is moved to a different volume, the users' app data will also move to this volume. +- If you disable or do not configure this setting, then when an app is moved to a different volume, the users' app data will also move to this volume. @@ -1009,9 +1008,9 @@ If you disable or do not configure this setting, then when an app is moved to a This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. -If you enable this setting, you can't move or install Windows apps on volumes that are not the system volume. +- If you enable this setting, you can't move or install Windows apps on volumes that are not the system volume. -If you disable or do not configure this setting, you can move or install Windows apps on other volumes. +- If you disable or do not configure this setting, you can move or install Windows apps on other volumes. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 422008fc22..2f7dee3b3c 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -1,10 +1,10 @@ --- title: AppRuntime Policy CSP -description: Learn more about the AppRuntime Area in Policy CSP +description: Learn more about the AppRuntime Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,9 +44,9 @@ ms.topic: reference This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. -If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. +- If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. -If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. +- If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index a32944f9f2..f4f3975002 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -1,10 +1,10 @@ --- title: AppVirtualization Policy CSP -description: Learn more about the AppVirtualization Area in Policy CSP +description: Learn more about the AppVirtualization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/12/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - AppVirtualization > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -62,7 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -118,7 +116,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -174,7 +172,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -230,7 +228,7 @@ Enables scripts defined in the package manifest of configuration files that shou > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -286,13 +284,13 @@ Enables a UX to display to the user when a publishing refresh is performed on th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Publishing_Enable_Refresh_UX | +| Name | Enable_Publishing_Refresh_UX | | Friendly Name | Enable Publishing Refresh UX | | Location | Computer Configuration | | Path | System > App-V > Publishing | @@ -326,7 +324,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th Reporting Server URL: Displays the URL of reporting server. -Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. +Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9. AM. Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. @@ -352,13 +350,13 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ReportingServer | +| Name | Reporting_Server_Policy | | Friendly Name | Reporting Server | | Location | Computer Configuration | | Path | System > App-V > Reporting | @@ -408,7 +406,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user' > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -463,7 +461,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -518,7 +516,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -573,7 +571,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -629,7 +627,7 @@ Specifies the location where symbolic links are created to the current version o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -684,7 +682,7 @@ Specifies the location where symbolic links are created to the current version o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -757,13 +755,13 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PublishingServer1 | +| Name | Publishing_Server1_Policy | | Friendly Name | Publishing Server 1 Settings | | Location | Computer Configuration | | Path | System > App-V > Publishing | @@ -830,13 +828,13 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PublishingServer2 | +| Name | Publishing_Server2_Policy | | Friendly Name | Publishing Server 2 Settings | | Location | Computer Configuration | | Path | System > App-V > Publishing | @@ -903,13 +901,13 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PublishingServer3 | +| Name | Publishing_Server3_Policy | | Friendly Name | Publishing Server 3 Settings | | Location | Computer Configuration | | Path | System > App-V > Publishing | @@ -976,13 +974,13 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PublishingServer4 | +| Name | Publishing_Server4_Policy | | Friendly Name | Publishing Server 4 Settings | | Location | Computer Configuration | | Path | System > App-V > Publishing | @@ -1049,13 +1047,13 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PublishingServer5 | +| Name | Publishing_Server5_Policy | | Friendly Name | Publishing Server 5 Settings | | Location | Computer Configuration | | Path | System > App-V > Publishing | @@ -1104,7 +1102,7 @@ Specifies the path to a valid certificate in the certificate store. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1159,7 +1157,7 @@ This setting controls whether virtualized applications are launched on Windows 8 > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1215,7 +1213,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1270,7 +1268,7 @@ Specifies directory where all new applications and updates will be installed. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1325,7 +1323,7 @@ Overrides source location for downloading package content. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1380,7 +1378,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1435,7 +1433,7 @@ Specifies the number of times to retry a dropped session. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1490,7 +1488,7 @@ Specifies that streamed package contents will be not be saved to the local hard > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1546,7 +1544,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1602,7 +1600,7 @@ Verifies Server certificate revocation status before streaming using HTTPS. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1658,7 +1656,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 60530e3d4e..c8e649f195 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,10 +1,10 @@ --- title: AttachmentManager Policy CSP -description: Learn more about the AttachmentManager Area in Policy CSP +description: Learn more about the AttachmentManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/13/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - AttachmentManager > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. -If you enable this policy setting, Windows does not mark file attachments with their zone information. +- If you enable this policy setting, Windows does not mark file attachments with their zone information. -If you disable this policy setting, Windows marks file attachments with their zone information. +- If you disable this policy setting, Windows marks file attachments with their zone information. -If you do not configure this policy setting, Windows marks file attachments with their zone information. +- If you do not configure this policy setting, Windows marks file attachments with their zone information. @@ -68,7 +66,7 @@ If you do not configure this policy setting, Windows marks file attachments with > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,11 +106,11 @@ If you do not configure this policy setting, Windows marks file attachments with This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. -If you enable this policy setting, Windows hides the check box and Unblock button. +- If you enable this policy setting, Windows hides the check box and Unblock button. -If you disable this policy setting, Windows shows the check box and Unblock button. +- If you disable this policy setting, Windows shows the check box and Unblock button. -If you do not configure this policy setting, Windows hides the check box and Unblock button. +- If you do not configure this policy setting, Windows hides the check box and Unblock button. @@ -130,7 +128,7 @@ If you do not configure this policy setting, Windows hides the check box and Unb > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -170,11 +168,11 @@ If you do not configure this policy setting, Windows hides the check box and Unb This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. +- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. -If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. +- If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. -If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. +- If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. @@ -192,7 +190,7 @@ If you do not configure this policy setting, Windows does not call the registere > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index b2e381fcca..33a6b979ad 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,10 +1,10 @@ --- title: Audit Policy CSP -description: Learn more about the Audit Area in Policy CSP +description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/14/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -60,10 +60,10 @@ Volume: High on domain controllers. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -98,7 +98,8 @@ Volume: High on domain controllers. -This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. @@ -121,10 +122,10 @@ Volume: High on Kerberos Key Distribution Center servers. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -159,7 +160,8 @@ Volume: High on Kerberos Key Distribution Center servers. -This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. +This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. @@ -182,10 +184,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -242,10 +244,10 @@ This policy setting allows you to audit events generated by responses to credent | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -303,10 +305,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -364,10 +366,10 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -402,7 +404,8 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. @@ -425,10 +428,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -463,7 +466,8 @@ Volume: High. -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. @@ -486,10 +490,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -524,7 +528,8 @@ Volume: High. -This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. +This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. @@ -547,10 +552,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -585,7 +590,8 @@ Volume: High. -This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. If you do not configure this policy setting, no audit event is generated when a logon session is closed. +This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. +- If you do not configure this policy setting, no audit event is generated when a logon session is closed. @@ -608,10 +614,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -646,7 +652,7 @@ Volume: Low. -This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: Successful logon attempts. Failed logon attempts. Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. Security identifiers (SIDs) were filtered and not allowed to log on. +This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: Successful logon attempts. Failed logon attempts. Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. Security identifiers (SIDs) were filtered and not allowed to log on. @@ -669,10 +675,10 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -707,7 +713,8 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser -This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. If you do not configure this policy settings, IAS and NAP user access requests are not audited. +This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. +- If you do not configure this policy settings, IAS and NAP user access requests are not audited. @@ -730,10 +737,10 @@ Volume: Medium or High on NPS and IAS server. No volume on other computers. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 (Default) | Success+Failure | +| 0 | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 (Default) | Success+Failure. | @@ -768,7 +775,7 @@ Volume: Medium or High on NPS and IAS server. No volume on other computers. -This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. Access to a wireless network granted to a user or computer account. Access to a wired 802.1x network granted to a user or computer account. +This policy setting allows you to audit other logon/logoff-related events that are not covered in the "Logon/Logoff" policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. Access to a wireless network granted to a user or computer account. Access to a wired 802.1x network granted to a user or computer account. @@ -791,10 +798,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -852,10 +859,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -913,10 +920,10 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -951,7 +958,8 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser -This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an application group changes. +This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an application group changes. @@ -974,10 +982,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1012,7 +1020,8 @@ Volume: Low. -This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a computer account changes. +This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a computer account changes. @@ -1035,10 +1044,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1073,9 +1082,11 @@ Volume: Low. -This policy setting allows you to audit events generated by changes to distribution groups such as the following: Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a distribution group changes. +This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a distribution group changes -**Note**: Events in this subcategory are logged only on domain controllers. +> [!NOTE] +> Events in this subcategory are logged only on domain controllers. @@ -1098,10 +1109,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1159,10 +1170,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1197,7 +1208,8 @@ Volume: Low. -This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a security group changes. +This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a security group changes. @@ -1220,10 +1232,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1258,7 +1270,8 @@ Volume: Low. -This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account’s password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. +This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account's password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a user account changes. @@ -1281,10 +1294,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1319,7 +1332,8 @@ Volume: Low. -This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see . If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see . If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. @@ -1342,10 +1356,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1380,7 +1394,8 @@ Volume: Low. -This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. +This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. +- If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. @@ -1403,10 +1418,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1441,7 +1456,8 @@ Volume: Low. -This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process is created. +This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a process is created. @@ -1464,10 +1480,10 @@ Volume: Depends on how the computer is used. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1502,7 +1518,8 @@ Volume: Depends on how the computer is used. -This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process ends. +This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a process ends. @@ -1525,10 +1542,10 @@ Volume: Depends on how the computer is used. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1563,7 +1580,8 @@ Volume: Depends on how the computer is used. -This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. +This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. @@ -1586,10 +1604,10 @@ Volume: High on RPC servers. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1647,10 +1665,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1708,10 +1726,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1769,10 +1787,10 @@ Volume: High on domain controllers. None on client computers. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1807,9 +1825,11 @@ Volume: High on domain controllers. None on client computers. -This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object’s properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged -**Note**: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. +> [!NOTE] +> Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. +- If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. @@ -1832,10 +1852,10 @@ Volume: High on domain controllers only. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1870,7 +1890,8 @@ Volume: High on domain controllers only. -This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. If you do not configure this policy setting, no audit event is generated during AD DS replication. +This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. +- If you do not configure this policy setting, no audit event is generated during AD DS replication. @@ -1893,10 +1914,10 @@ Volume: Medium on domain controllers. None on client computers. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -1954,10 +1975,10 @@ Volume: Depends on the applications that are generating them. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2015,10 +2036,10 @@ Volume: Potentially high on a file server when the proposed policy differs signi | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2076,10 +2097,10 @@ Volume: Medium or Low on computers running Active Directory Certificate Services | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2114,9 +2135,11 @@ Volume: Medium or Low on computers running Active Directory Certificate Services -This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures -**Note**: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. +> [!NOTE] +> There are no system access control lists (SACLs) for shared folders. +- If this policy setting is enabled, access to all shared files and folders on the system is audited. @@ -2139,10 +2162,10 @@ Volume: High on a file server or domain controller because of SYSVOL network acc | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2177,9 +2200,12 @@ Volume: High on a file server or domain controller because of SYSVOL network acc -This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. +This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. +- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures -**Note**: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. +> [!NOTE] +> There are no system access control lists (SACLs) for shared folders. +- If this policy setting is enabled, access to all shared folders on the system is audited. @@ -2202,10 +2228,10 @@ Volume: High on a file server or domain controller because of SYSVOL network acc | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2240,9 +2266,11 @@ Volume: High on a file server or domain controller because of SYSVOL network acc -This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. +This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL -**Note**: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. +> [!NOTE] +> You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. @@ -2265,10 +2293,10 @@ Volume: Depends on how the file system SACLs are configured. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2303,7 +2331,8 @@ Volume: Depends on how the file system SACLs are configured. -This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. +This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. +- If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. @@ -2326,10 +2355,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2387,10 +2416,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2425,9 +2454,11 @@ Volume: High. -This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a handle is manipulated. +This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a handle is manipulated -**Note**: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. +> [!NOTE] +> Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. @@ -2450,10 +2481,10 @@ Volume: Depends on how SACLs are configured. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2488,9 +2519,10 @@ Volume: Depends on how SACLs are configured. -This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. +This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events -**Note**: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. +> [!NOTE] +> The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects. @@ -2513,10 +2545,10 @@ Volume: High if auditing access of global system objects is enabled. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2574,10 +2606,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2612,9 +2644,11 @@ Volume: Low. -This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. +This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL -**Note**: You can set a SACL on a registry object using the Permissions dialog box. +> [!NOTE] +> You can set a SACL on a registry object using the Permissions dialog box. @@ -2637,10 +2671,10 @@ Volume: Depends on how registry SACLs are configured. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2675,7 +2709,8 @@ Volume: Depends on how registry SACLs are configured. -This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. +This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. @@ -2697,10 +2732,10 @@ This policy setting allows you to audit user attempts to access file system obje | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2735,9 +2770,11 @@ This policy setting allows you to audit user attempts to access file system obje -This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER – A user account. SAM_DOMAIN – A domain. SAM_SERVER – A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. +This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made -**Note**: Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (. +> [!NOTE] +> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (. @@ -2760,10 +2797,10 @@ Volume: High on domain controllers. For more information about reducing the numb | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2798,9 +2835,11 @@ Volume: High on domain controllers. For more information about reducing the numb -This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group: Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. +This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed -**Note**: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. +> [!NOTE] +> The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. @@ -2823,10 +2862,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2861,7 +2900,8 @@ Volume: Low. -This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when the authorization policy changes. +This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the "Authentication Policy Change" subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when the authorization policy changes. @@ -2884,10 +2924,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2922,7 +2962,8 @@ Volume: Low. -This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. +This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. @@ -2945,10 +2986,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -2983,7 +3024,8 @@ Volume: Low. -This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. +This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. @@ -3006,10 +3048,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3067,10 +3109,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3105,9 +3147,10 @@ Volume: Low. -This policy setting allows you to audit changes in the security audit policy settings such as the following: Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. +This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list -**Note**: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. +> [!NOTE] +> System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. @@ -3130,10 +3173,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3168,7 +3211,9 @@ Volume: Low. -This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. +This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. +Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. +- If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. @@ -3191,10 +3236,10 @@ Volume: Very High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3251,10 +3296,10 @@ Not used. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3289,7 +3334,8 @@ Not used. -This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. +This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. +- If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. @@ -3312,10 +3358,10 @@ Volume: High. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3350,7 +3396,8 @@ Volume: High. -This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters. If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. +This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters. If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. @@ -3373,10 +3420,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3434,10 +3481,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 (Default) | Success+Failure | +| 0 | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 (Default) | Success+Failure. | @@ -3495,10 +3542,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 (Default) | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 | Off/None. | +| 1 (Default) | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3533,7 +3580,8 @@ Volume: Low. -This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. +This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. +- If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. @@ -3556,10 +3604,10 @@ Volume: Low. Security system extension events are generated more often on a doma | Value | Description | |:--|:--| -| 0 (Default) | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 | Success+Failure | +| 0 (Default) | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 | Success+Failure. | @@ -3617,10 +3665,10 @@ Volume: Low. | Value | Description | |:--|:--| -| 0 | Off/None | -| 1 | Success | -| 2 | Failure | -| 3 (Default) | Success+Failure | +| 0 | Off/None. | +| 1 | Success. | +| 2 | Failure. | +| 3 (Default) | Success+Failure. | diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 5996134bbb..019ddd4885 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,10 +1,10 @@ --- title: Authentication Policy CSP -description: Learn more about the Authentication Area in Policy CSP +description: Learn more about the Authentication Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/22/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,7 +44,6 @@ Specifies whether password reset is enabled for AAD accounts. This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen. - @@ -72,6 +71,55 @@ This policy allows the Azure Active Directory (Azure AD) tenant administrator to + +## AllowEAPCertSSO + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO +``` + + + + +Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + ## AllowFastReconnect @@ -140,9 +188,9 @@ Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restrict This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello. -If you enable or do not configure this policy setting, users can authenticate to Windows Hello using a companion device. +- If you enable or do not configure this policy setting, users can authenticate to Windows Hello using a companion device. -If you disable this policy, users cannot use a companion device to authenticate with Windows Hello. +- If you disable this policy, users cannot use a companion device to authenticate with Windows Hello. @@ -213,7 +261,6 @@ Specifies a list of domains that are allowed to access the webcam in Web Sign-in > [!NOTE] > Web sign-in is only supported on Azure AD joined PCs. - @@ -234,7 +281,6 @@ Specifies a list of domains that are allowed to access the webcam in Web Sign-in Your organization federates to "Contoso IDP" and your web sign-in portal at `signinportal.contoso.com` requires webcam access. Then the value for this policy should be: `contoso.com` - @@ -269,7 +315,6 @@ This policy specifies the list of domains that users can access in certain authe > [!NOTE] > This policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). - @@ -290,7 +335,6 @@ This policy specifies the list of domains that users can access in certain authe Your organization's PIN reset or web sign-in authentication flow is expected to navigate to the following two domains: `accounts.contoso.com` and `signin.contoso.com`. Then the value for this policy should be: `accounts.contoso.com;signin.contoso.com` - @@ -322,7 +366,6 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex > [!IMPORTANT] > Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device. - @@ -341,8 +384,8 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex | Value | Description | |:--|:--| | 0 (Default) | The feature defaults to the existing SKU and device capabilities. | -| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts | -| 2 | Disabled. Do not auto-connect new non-admin Azure AD accounts to pre-configured local accounts | +| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. | +| 2 | Disabled. Do not auto-connect new non-admin Azure AD accounts to pre-configured local accounts. | @@ -381,7 +424,6 @@ Specifies whether web-based sign-in is allowed for signing in to Windows > [!NOTE] > Web sign-in is only supported on Azure AD joined PCs. - @@ -400,8 +442,8 @@ Specifies whether web-based sign-in is allowed for signing in to Windows | Value | Description | |:--|:--| | 0 (Default) | The feature defaults to the existing SKU and device capabilities. | -| 1 | Enabled. Web Sign-in will be enabled for signing in to Windows | -| 2 | Disabled. Web Sign-in will not be enabled for signing in to Windows | +| 1 | Enabled. Web Sign-in will be enabled for signing in to Windows. | +| 2 | Disabled. Web Sign-in will not be enabled for signing in to Windows. | @@ -453,60 +495,10 @@ Your organization uses the `@contoso.com` tenant domain name. Then the value for `contoso.com` For the user `abby@constoso.com`, a sign-in is done using `abby` in the username field instead of `abby@contoso.com`. - - -## AllowEAPCertSSO - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO -``` - - - - -Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Not allowed. | -| 1 | Allowed. | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 662c33b3c1..2cd4bd68ad 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,10 +1,10 @@ --- title: Autoplay Policy CSP -description: Learn more about the Autoplay Area in Policy CSP +description: Learn more about the Autoplay Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Autoplay > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,9 +48,9 @@ ms.topic: reference This policy setting disallows AutoPlay for MTP devices like cameras or phones. -If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. +- If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. -If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. +- If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. @@ -70,7 +68,7 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -120,12 +118,12 @@ Prior to Windows Vista, when media containing an autorun command is inserted, th This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: +- If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. +- If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. @@ -143,7 +141,7 @@ If you disable or not configure this policy setting, Windows Vista or later will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -192,13 +190,14 @@ Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, su Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. +- If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. -If you disable or do not configure this policy setting, AutoPlay is enabled. +- If you disable or do not configure this policy setting, AutoPlay is enabled. -Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. +> [!NOTE] +> This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. @@ -216,7 +215,7 @@ Note: This policy setting appears in both the Computer Configuration and User Co > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index f8268a6402..21bab7bc1e 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -1,10 +1,10 @@ --- title: Bitlocker Policy CSP -description: Learn more about the Bitlocker Area in Policy CSP +description: Learn more about the Bitlocker Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index d69ea99b66..332ce05cc6 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -1,10 +1,10 @@ --- title: BITS Policy CSP -description: Learn more about the BITS Area in Policy CSP +description: Learn more about the BITS Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,9 +37,11 @@ ms.topic: reference -This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling end time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 17 (5 PM). Supported value range 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth -**Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -94,9 +96,11 @@ This policy specifies the bandwidth throttling end time that Background Intellig -This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range: 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling start time that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock. Value type is integer. Default value is 8 (8 am). Supported value range 0 - 23. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth -**Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -151,9 +155,11 @@ This policy specifies the bandwidth throttling start time that Background Intell -This policy specifies the bandwidth throttling transfer rate in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. Value type is integer. Default value is 1000. Supported value range: 0 - 4294967200. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. If you disable or do not configure this policy setting, BITS uses all available unused bandwidth. +This policy specifies the bandwidth throttling transfer rate in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. Value type is integer. Default value is 1000. Supported value range 0 - 4294967200. You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 800 A. M. to 500 P. M. , and use all available unused bandwidth the rest of the day's hours. Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0. +- If you disable or do not configure this policy setting, BITS uses all available unused bandwidth -**Note**: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). +> [!NOTE] +> You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect peer caching transfers between peer computers (it does affect transfers from the origin server); the Limit the maximum network bandwidth used for Peercaching policy setting should be used for that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs). @@ -208,7 +214,8 @@ This policy specifies the bandwidth throttling transfer rate in kilobits per sec -This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of background transfers. If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained +This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of background transfers. +- If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained @@ -230,11 +237,11 @@ This policy setting defines the default behavior that the Background Intelligent | Value | Description | |:--|:--| -| 1 (Default) | Always transfer | -| 2 | Transfer unless roaming | -| 3 | Transfer unless surcharge applies (when not roaming or over cap) | -| 4 | Transfer unless nearing limit (when not roaming or nearing cap) | -| 5 | Transfer only if unconstrained | +| 1 (Default) | Always transfer. | +| 2 | Transfer unless roaming. | +| 3 | Transfer unless surcharge applies (when not roaming or over cap). | +| 4 | Transfer unless nearing limit (when not roaming or nearing cap). | +| 5 | Transfer only if unconstrained. | @@ -274,7 +281,8 @@ This policy setting defines the default behavior that the Background Intelligent -This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of foreground transfers. If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained +This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc. ). Download behavior policies further limit the network usage of foreground transfers. +- If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority. For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:1 - Always transfer2 - Transfer unless roaming3 - Transfer unless surcharge applies (when not roaming or overcap)4 - Transfer unless nearing limit (when not roaming or nearing cap)5 - Transfer only if unconstrained @@ -296,11 +304,11 @@ This policy setting defines the default behavior that the foreground Intelligent | Value | Description | |:--|:--| -| 1 (Default) | Always transfer | -| 2 | Transfer unless roaming | -| 3 | Transfer unless surcharge applies (when not roaming or over cap) | -| 4 | Transfer unless nearing limit (when not roaming or nearing cap) | -| 5 | Transfer only if unconstrained | +| 1 (Default) | Always transfer. | +| 2 | Transfer unless roaming. | +| 3 | Transfer unless surcharge applies (when not roaming or over cap). | +| 4 | Transfer unless nearing limit (when not roaming or nearing cap). | +| 5 | Transfer only if unconstrained. | @@ -340,9 +348,11 @@ This policy setting defines the default behavior that the foreground Intelligent -This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk. +This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk -**Note**: Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range: 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. +> [!NOTE] +> Any property changes to the job or any successful download action will reset this timeout. Value type is integer. Default is 90 days. Supported values range 0 - 999. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space. +- If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 9930397327..09c8018c48 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -1,10 +1,10 @@ --- title: Bluetooth Policy CSP -description: Learn more about the Bluetooth Area in Policy CSP +description: Learn more about the Bluetooth Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/24/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -206,8 +206,8 @@ This policy allows the IT admin to block users on these managed devices from usi | Value | Description | |:--|:--| -| 0 | Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios | -| 1 (Default) | Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios | +| 0 | Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios. | +| 1 (Default) | Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios. | @@ -272,7 +272,7 @@ Sets the local Bluetooth device name. If this is set, the value that it is set t -Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide +Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7. CAA-436. C-8. BF0-78. CD0FFBD4AF}. The default value is an empty string. For more information, see ServicesAllowedList usage guide diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 81ae975132..ff36317996 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,10 +1,10 @@ --- title: Browser Policy CSP -description: Learn more about the Browser Area in Policy CSP +description: Learn more about the Browser Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -45,11 +45,12 @@ ms.topic: reference This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. -**Note**: Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. +> [!NOTE] +> Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting. -If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. +- If you enable or don't configure this setting, employees can see the Address bar drop-down functionality in Microsoft Edge. -If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type". +- If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type". @@ -118,11 +119,11 @@ If you disable this setting, employees won't see the Address bar drop-down funct This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill. -If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. +- If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. -If you disable this setting, employees can't use Autofill to automatically fill in forms while using Microsoft Edge. +- If you disable this setting, employees can't use Autofill to automatically fill in forms while using Microsoft Edge. -If you don't configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. +- If you don't configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. @@ -327,9 +328,9 @@ This setting lets you configure how your company deals with cookies. | Value | Description | |:--|:--| -| 0 | Block all cookies from all sites | -| 1 | Block only cookies from third party websites | -| 2 (Default) | Allow all cookies from all sites | +| 0 | Block all cookies from all sites. | +| 1 | Block only cookies from third party websites. | +| 2 (Default) | Allow all cookies from all sites. | @@ -382,9 +383,9 @@ To verify AllowCookies is set to 0 (not allowed): This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge. -If you enable or don't configure this setting, the F12 Developer Tools are available in Microsoft Edge. +- If you enable or don't configure this setting, the F12 Developer Tools are available in Microsoft Edge. -If you disable this setting, the F12 Developer Tools aren't available in Microsoft Edge. +- If you disable this setting, the F12 Developer Tools aren't available in Microsoft Edge. @@ -453,11 +454,11 @@ If you disable this setting, the F12 Developer Tools aren't available in Microso This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren't sent, but employees can choose to turn on and send requests. -If you enable this setting, Do Not Tracker requests are always sent to websites asking for tracking info. +- If you enable this setting, Do Not Tracker requests are always sent to websites asking for tracking info. -If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. +- If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info. -If you don't configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. +- If you don't configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. @@ -533,9 +534,9 @@ To verify AllowDoNotTrack is set to 0 (not allowed): This setting lets you decide whether employees can load extensions in Microsoft Edge. -If you enable or don't configure this setting, employees can use Microsoft Edge Extensions. +- If you enable or don't configure this setting, employees can use Microsoft Edge Extensions. -If you disable this setting, employees can't use Microsoft Edge Extensions. +- If you disable this setting, employees can't use Microsoft Edge Extensions. @@ -604,9 +605,9 @@ If you disable this setting, employees can't use Microsoft Edge Extensions. This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. -If you enable or don't configure this setting, employees can use Adobe Flash. +- If you enable or don't configure this setting, employees can use Adobe Flash. -If you disable this setting, employees can't use Adobe Flash. +- If you disable this setting, employees can't use Adobe Flash. @@ -673,7 +674,7 @@ If you disable this setting, employees can't use Adobe Flash. -If you enable or don’t configure the Adobe Flash Click-to-Run setting, Microsoft Edge will require a user to click the Click-to-Run button, to click the content, or for the site to appear on the auto-allowed list, before loading and running the content. +If you enable or don't configure the Adobe Flash Click-to-Run setting, Microsoft Edge will require a user to click the Click-to-Run button, to click the content, or for the site to appear on the auto-allowed list, before loading and running the content. Sites get onto the auto-allowed list based on user feedback, specifically by how often the content is allowed to load and run. @@ -815,9 +816,9 @@ If disabled, full-screen mode is unavailable for use in Microsoft Edge. This policy setting lets you decide whether employees can browse using InPrivate website browsing. -If you enable or don't configure this setting, employees can use InPrivate website browsing. +- If you enable or don't configure this setting, employees can use InPrivate website browsing. -If you disable this setting, employees can't use InPrivate website browsing. +- If you disable this setting, employees can't use InPrivate website browsing. @@ -886,9 +887,9 @@ If you disable this setting, employees can't use InPrivate website browsing. This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat. -If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly. +- If you enable or don't configure this setting, Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it's in whatever version of IE is necessary for it to appear properly. -If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation. +- If you disable this setting, the Microsoft Compatibility List isn't used during browser navigation. @@ -957,11 +958,11 @@ If you disable this setting, the Microsoft Compatibility List isn’t used durin This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. -If you enable this setting, employees can use Password Manager to save their passwords locally. +- If you enable this setting, employees can use Password Manager to save their passwords locally. -If you disable this setting, employees can't use Password Manager to save their passwords locally. +- If you disable this setting, employees can't use Password Manager to save their passwords locally. -If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally. +- If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally. @@ -1035,11 +1036,11 @@ To verify AllowPasswordManager is set to 0 (not allowed): This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.. -If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. +- If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. -If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. +- If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear. -If you don't configure this setting, employees can choose whether to use Pop-up Blocker. +- If you don't configure this setting, employees can choose whether to use Pop-up Blocker. @@ -1113,9 +1114,9 @@ To verify AllowPopups is set to 0 (not allowed): This policy setting lets you decide whether Microsoft Edge can pre-launch during Windows sign in, when the system is idle, and each time Microsoft Edge is closed. By default this setting is to allow pre-launch. -If you allow pre-launch, disable, or don’t configure this policy setting, Microsoft Edge pre-launches during Windows sign in, when the system is idle, and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge. +If you allow pre-launch, disable, or don't configure this policy setting, Microsoft Edge pre-launches during Windows sign in, when the system is idle, and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge. -If you prevent pre-launch, Microsoft Edge won’t pre-launch during Windows sign in, when the system is idle, or each time Microsoft Edge is closed. +If you prevent pre-launch, Microsoft Edge won't pre-launch during Windows sign in, when the system is idle, or each time Microsoft Edge is closed. @@ -1323,14 +1324,15 @@ If disabled, the browsing history stops saving and is not visible in the History -This policy setting lets you decide whether users can change their search engine. If you disable this setting, users can't add new search engines or change the default used in the address bar. +This policy setting lets you decide whether users can change their search engine. +- If you disable this setting, users can't add new search engines or change the default used in the address bar. -**Important**: +**Important** This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). -If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +- If you enable or don't configure this policy, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If you disable this setting, users can't add search engines or change the default used in the address bar. +- If you disable this setting, users can't add search engines or change the default used in the address bar. @@ -1399,11 +1401,11 @@ If you disable this setting, users can't add search engines or change the defaul This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. -If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. +- If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge. -If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. +- If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge. -If you don't configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. +- If you don't configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. @@ -1482,7 +1484,7 @@ Supported versions: Microsoft Edge on Windows 10, version 1809 Default setting: Disabled or not configured Related policies: - Allows development of Windows Store apps and installing them from an integrated development environment (IDE) -- Allow all trusted apps to install​ +- Allow all trusted apps to install @@ -1551,11 +1553,11 @@ Related policies: This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. -If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. +- If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. -If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. +- If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. -If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. +- If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen. @@ -1629,9 +1631,9 @@ To verify AllowSmartScreen is set to 0 (not allowed): This policy setting lets you decide whether Microsoft Edge can load the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed. By default this setting is to allow preloading. -If you allow preloading, disable, or don’t configure this policy setting, Microsoft Edge loads the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge and to start a new tab. +If you allow preloading, disable, or don't configure this policy setting, Microsoft Edge loads the Start and New Tab page during Windows sign in and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge and to start a new tab. -If you prevent preloading, Microsoft Edge won’t load the Start or New Tab page during Windows sign in and each time Microsoft Edge is closed. +If you prevent preloading, Microsoft Edge won't load the Start or New Tab page during Windows sign in and each time Microsoft Edge is closed. @@ -1699,11 +1701,11 @@ If you prevent preloading, Microsoft Edge won’t load the Start or New Tab page This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. +- If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. +- If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. -If you don't configure this setting, employees can choose how new tabs appears. +- If you don't configure this setting, employees can choose how new tabs appears. @@ -1772,9 +1774,9 @@ If you don't configure this setting, employees can choose how new tabs appears. This policy setting helps you to decide whether to make the Books tab visible, regardless of a device's country or region setting, as configured in the Country or region area of Windows settings. -If you enable this setting, Microsoft Edge shows the Books Library, regardless of the device's country or region. +- If you enable this setting, Microsoft Edge shows the Books Library, regardless of the device's country or region. -If you disable or don't configure this setting, Microsoft Edge shows the Books Library only in countries or regions where it's supported. +- If you disable or don't configure this setting, Microsoft Edge shows the Books Library only in countries or regions where it's supported. @@ -1843,9 +1845,9 @@ If you disable or don't configure this setting, Microsoft Edge shows the Books L This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes. -If you enable this policy setting, clearing browsing history on exit is turned on. +- If you enable this policy setting, clearing browsing history on exit is turned on. -If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options under Settings. +- If you disable or don't configure this policy setting, it can be turned on and configured by the employee in the Clear browsing data options under Settings. @@ -1919,7 +1921,8 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s -Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. +Allows you to add up to 5 additional search engines for MDM-enrolled devices. If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. If this setting is not configured, the search engines are the ones specified in the App settings. +- If this setting is disabled, the search engines you had added will be deleted from your employee's machine. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. @@ -2071,10 +2074,10 @@ The Home button loads either the default Start page, the New tab page, or a URL | Value | Description | |:--|:--| -| 0 (Default) | Show home button and load the Start page | -| 1 | Show home button and load the New tab page | -| 2 | Show home button and load the custom URL defined in the Set Home Button URL policy | -| 3 | Hide home button | +| 0 (Default) | Show home button and load the Start page. | +| 1 | Show home button and load the New tab page. | +| 2 | Show home button and load the custom URL defined in the Set Home Button URL policy. | +| 3 | Hide home button. | @@ -2120,7 +2123,7 @@ The Home button loads either the default Start page, the New tab page, or a URL -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (. If enabled and set to 0 (Default or not configured): - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. +Configure how Microsoft Edge behaves when it's running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see "Configure kiosk and shared devices running Windows desktop editions" (. If enabled and set to 0 (Default or not configured): - If it's a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it's one of many apps, Microsoft Edge runs as normal. If enabled and set to 1: - If it's a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can't minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking "End session." You can configure Microsoft Edge to restart after a period of inactivity by using the "Configure kiosk reset after idle timeout" policy. - If it's one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can't customize Microsoft Edge. @@ -2142,8 +2145,8 @@ Configure how Microsoft Edge behaves when it’s running in kiosk mode with assi | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -2186,7 +2189,7 @@ Configure how Microsoft Edge behaves when it’s running in kiosk mode with assi -You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. +You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user's browsing data. If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. If you set this policy to 0, Microsoft Edge does not use an idle timer. If disabled or not configured, the default value is 5 minutes. If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. @@ -2267,10 +2270,10 @@ You can configure Microsoft Edge to lock down the Start page, preventing users f | Value | Description | |:--|:--| -| 0 | Load the Start page | -| 1 | Load the New tab page | -| 2 | Load the previous pages | -| 3 (Default) | Load a specific page or pages | +| 0 | Load the Start page. | +| 1 | Load the New tab page. | +| 2 | Load the previous pages. | +| 3 (Default) | Load a specific page or pages. | @@ -2341,10 +2344,10 @@ Configures what browsing data will be sent to Microsoft 365 Analytics for device | Value | Description | |:--|:--| -| 0 (Default) | No data collected or sent | -| 1 | Send intranet history only | -| 2 | Send Internet history only | -| 3 | Send both intranet and Internet history | +| 0 (Default) | No data collected or sent. | +| 1 | Send intranet history only. | +| 2 | Send Internet history only. | +| 3 | Send both intranet and Internet history. | @@ -2398,7 +2401,6 @@ You can configure Microsoft Edge to disable the lockdown of Start pages allowing > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy). - @@ -2462,9 +2464,9 @@ You can configure Microsoft Edge to disable the lockdown of Start pages allowing This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in Microsoft Edge. -If you enable this setting, Microsoft Edge sends additional telemetry data, on top of the basic telemetry data, from the Books tab. +- If you enable this setting, Microsoft Edge sends additional telemetry data, on top of the basic telemetry data, from the Books tab. -If you disable or don't configure this setting, Microsoft Edge only sends basic telemetry data, depending on your device configuration. +- If you disable or don't configure this setting, Microsoft Edge only sends basic telemetry data, depending on your device configuration. @@ -2588,7 +2590,7 @@ This setting lets you configure whether your company uses Enterprise Mode and th -**Important**: . Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. +Important. Discontinued in Windows 10, version 1511. Use the Browser/EnterpriseModeSiteList policy instead. @@ -2675,7 +2677,7 @@ Configure first run URL. -When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages +When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: `` `` If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: If you do not want to send traffic to Microsoft, enable this policy and use the `` value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. Supported devices: Domain-joined or MDM-enrolled Related policy: - Configure Open Microsoft Edge With - Disable Lockdown of Start Pages @@ -2734,12 +2736,12 @@ When you enable the Configure Open Microsoft Edge With policy, you can configure This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. +- If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. -**Important**: +**Important** Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. +- If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. @@ -2808,9 +2810,9 @@ If you disable or don't configure this setting (default), employees can add, imp This policy settings lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. -If you enable this policy setting, employees can't access the about:flags page. +- If you enable this policy setting, employees can't access the about:flags page. -If you disable or don't configure this setting, employees can access the about:flags page. +- If you disable or don't configure this setting, employees can access the about:flags page. @@ -2950,9 +2952,9 @@ If disabled or not configured, overriding certificate errors are allowed. This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. -If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. +- If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. -If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time. +- If you disable or don't configure this setting, employees will see the First Run page when opening Microsoft Edge for the first time. @@ -3021,9 +3023,9 @@ If you disable or don't configure this setting, employees will see the First Run This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. -If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. +- If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. -If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. +- If you disable or don't configure this setting, Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. @@ -3092,9 +3094,9 @@ If you disable or don't configure this setting, Microsoft Edge gathers the Live This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. -If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from continuing to the site. +- If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from continuing to the site. -If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site. +- If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue to the site. @@ -3163,9 +3165,9 @@ If you disable or don't configure this setting, employees can ignore Windows Def This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. -If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. +- If you enable this setting, employees can't ignore Windows Defender SmartScreen warnings and they are blocked from downloading the unverified files. -If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. +- If you disable or don't configure this setting, employees can ignore Windows Defender SmartScreen warnings and continue the download process. @@ -3232,7 +3234,7 @@ If you disable or don't configure this setting, employees can ignore Windows Def -You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8. wekyb3. d8. bbwe;Microsoft.OfficeOnline_8. wekyb3. d8. bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( +You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft. OneNoteWebClipper_8wekyb3d8bbwe;Microsoft. OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user's computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( @@ -3292,9 +3294,9 @@ You can define a list of extensions in Microsoft Edge that users cannot turn off This policy setting lets you decide whether an employee's LocalHost IP address shows while making calls using the WebRTC protocol. -If you enable this setting, LocalHost IP addresses are hidden while making calls using the WebRTC protocol. +- If you enable this setting, LocalHost IP addresses are hidden while making calls using the WebRTC protocol. -If you disable or don't configure this setting, LocalHost IP addresses are shown while making calls using the WebRTC protocol. +- If you disable or don't configure this setting, LocalHost IP addresses are shown while making calls using the WebRTC protocol. @@ -3361,9 +3363,12 @@ If you disable or don't configure this setting, LocalHost IP addresses are shown -This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. +This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. +- If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites -**Important**: Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. +> [!IMPORTANT] +> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. +- If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. @@ -3386,7 +3391,7 @@ This policy setting allows you to configure a default set of favorites, which wi |:--|:--| | Name | ConfiguredFavorites | | Friendly Name | Provision Favorites | -| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

    URL can be specified as
    1. HTTP location: https://localhost:8080/URLs.html
    2. Local network: \\network\shares\URLs.html
    3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html | +| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.

    URL can be specified as

    1. HTTP location: https://localhost:8080/URLs.html
    2. Local network: \\network\shares\URLs.html
    3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html | | Location | Computer and User Configuration | | Path | Windows Components > Microsoft Edge | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | @@ -3429,9 +3434,9 @@ To define a default list of favorites: This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. -If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. +- If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. -If you disable or don't configure this setting, all intranet sites are automatically opened using Microsoft Edge. +- If you disable or don't configure this setting, all intranet sites are automatically opened using Microsoft Edge. @@ -3498,7 +3503,8 @@ If you disable or don't configure this setting, all intranet sites are automatic -Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. +Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. +- If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. @@ -3748,9 +3754,9 @@ Related policies: This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge. -If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. +- If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. -If you disable or don't configure this setting, employees can’t sync their favorites between Internet Explorer and Microsoft Edge. +- If you disable or don't configure this setting, employees can't sync their favorites between Internet Explorer and Microsoft Edge. @@ -3903,9 +3909,9 @@ Related policy: This policy setting lets you decide whether Microsoft Edge stores books from the Books tab to a default, shared folder for Windows. -If you enable this setting, Microsoft Edge automatically downloads book files to a common, shared folder and prevents students and teachers from removing the book from the Books tab. For this to work properly, your students and teachers must be signed in using a school account. +- If you enable this setting, Microsoft Edge automatically downloads book files to a common, shared folder and prevents students and teachers from removing the book from the Books tab. For this to work properly, your students and teachers must be signed in using a school account. -If you disable or don't configure this setting, Microsoft Edge downloads book files to a per-user folder for each student or teacher. +- If you disable or don't configure this setting, Microsoft Edge downloads book files to a per-user folder for each student or teacher. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 5f0caf30c8..6b88a97e01 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,10 +1,10 @@ --- title: Camera Policy CSP -description: Learn more about the Camera Area in Policy CSP +description: Learn more about the Camera Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,9 +39,9 @@ ms.topic: reference This policy setting allow the use of Camera devices on the machine. -If you enable or do not configure this policy setting, Camera devices will be enabled. +- If you enable or do not configure this policy setting, Camera devices will be enabled. -If you disable this property setting, Camera devices will be disabled. +- If you disable this property setting, Camera devices will be disabled. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index e6c9882a53..6931233c08 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,10 +1,10 @@ --- title: Cellular Policy CSP -description: Learn more about the Cellular Area in Policy CSP +description: Learn more about the Cellular Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Cellular > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -77,9 +75,9 @@ If an app is open when this Group Policy object is applied on a device, employee | Value | Description | |:--|:--| -| 0 (Default) | User is in control | -| 1 | Force Allow | -| 2 | Force Deny | +| 0 (Default) | User is in control. | +| 1 | Force Allow. | +| 2 | Force Deny. | @@ -280,8 +278,8 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. -If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. -If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. +- If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. +- If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default. @@ -299,7 +297,7 @@ If this policy setting is disabled or is not configured, the link to the per-app > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md index f8bcc48c1b..e614be7f73 100644 --- a/windows/client-management/mdm/policy-csp-clouddesktop.md +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -1,10 +1,10 @@ --- title: CloudDesktop Policy CSP -description: Learn more about the CloudDesktop Area in Policy CSP +description: Learn more about the CloudDesktop Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -42,7 +42,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m This policy supports the below options: 1. Not Configured: Machine will not trigger the Cloud PC connection automatically. -2. Enable Boot to Cloud Desktop: The user will see that configured Cloud PC Provider application launches automatically. Once the sign-in operation finishes, the user is seamlessly connected to a provisioned Cloud PC. +2. Enable Boot to Cloud Desktop: Users who have a Cloud PC provisioned will get connected seamlessly to the Cloud PC as they finish sign-in operation. @@ -64,8 +64,8 @@ This policy supports the below options: | Value | Description | |:--|:--| -| 0 (Default) | Not Configured | -| 1 | Enable Boot to Cloud Desktop | +| 0 (Default) | Not Configured. | +| 1 | Enable Boot to Cloud Desktop. | diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 0b979ddd9f..ec53263eab 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,10 +1,10 @@ --- title: Connectivity Policy CSP -description: Learn more about the Connectivity Area in Policy CSP +description: Learn more about the Connectivity Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -42,9 +42,10 @@ ms.topic: reference -Allows the user to enable Bluetooth or restrict access. +Allows the user to enable Bluetooth or restrict access -**Note**: This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0. +> [!NOTE] +> This value is not supported in Windows Phone 8. 1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. If this is not set or it is deleted, the default value of 2 (Allow) is used. Most restricted value is 0. @@ -146,9 +147,9 @@ Allows the cellular data channel on the device. Device reboot is not required to This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network. -If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers with the home provider network. +- If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers with the home provider network. -If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadband networks. +- If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadband networks. @@ -219,7 +220,8 @@ To validate, the enterprise can confirm by observing the roaming enable switch i -**Note**: This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. +> [!NOTE] +> This policy requires reboot to take effect. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. @@ -322,11 +324,11 @@ This policy is deprecated. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC. -If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. +- If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences. -If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. +- If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -394,7 +396,8 @@ Device that has previously opt-in to MMX will also stop showing on the device li -**Note**: Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. +> [!NOTE] +> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. Most restricted value is 0. @@ -545,11 +548,12 @@ This policy setting specifies whether to allow printing over HTTP from this clie Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. -**Note**: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. +> [!NOTE] +> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. -If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. +- If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. -If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. +- If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. @@ -611,11 +615,12 @@ This policy setting specifies whether to allow this client to download print dri To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. -**Note**: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. +> [!NOTE] +> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. -If you enable this policy setting, print drivers cannot be downloaded over HTTP. +- If you enable this policy setting, print drivers cannot be downloaded over HTTP. -If you disable or do not configure this policy setting, users can download print drivers over HTTP. +- If you disable or do not configure this policy setting, users can download print drivers over HTTP. @@ -675,9 +680,9 @@ This policy setting specifies whether Windows should download a list of provider These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. -If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. +- If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed. -If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. +- If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards. See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry. @@ -739,9 +744,9 @@ This policy setting turns off the active tests performed by the Windows Network As part of determining the connectivity level, NCSI performs one of two active tests: downloading a page from a dedicated Web server or making a DNS request for a dedicated address. -If you enable this policy setting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of other components that use NCSI, to determine Internet access. +- If you enable this policy setting, NCSI does not run either of the two active tests. This may reduce the ability of NCSI, and of other components that use NCSI, to determine Internet access. -If you disable or do not configure this policy setting, NCSI runs one of the two active tests. +- If you disable or do not configure this policy setting, NCSI runs one of the two active tests. @@ -763,8 +768,8 @@ If you disable or do not configure this policy setting, NCSI runs one of the two | Value | Description | |:--|:--| -| 1 | Allow | -| 0 (Default) | Block | +| 1 | Allow. | +| 0 (Default) | Block. | @@ -806,7 +811,7 @@ If you disable or do not configure this policy setting, NCSI runs one of the two This policy setting configures secure access to UNC paths. -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. +- If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. @@ -863,11 +868,12 @@ If you enable this policy, Windows only allows access to the specified UNC paths Determines whether a user can install and configure the Network Bridge. -**Important**: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. +> [!IMPORTANT] +> This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. The Network Bridge allows users to create a layer 2 MAC bridge, enabling them to connect two or more network segements together. This connection appears in the Network Connections folder. -If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. +- If you disable this setting or do not configure it, the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an existing Network Bridge from the user's computer. diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 5a99e635e7..f955123b29 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,10 +1,10 @@ --- title: ControlPolicyConflict Policy CSP -description: Learn more about the ControlPolicyConflict Area in Policy CSP +description: Learn more about the ControlPolicyConflict Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -69,7 +69,6 @@ For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group ](./policies-in-policy-csp-supported-by-group-policy.md). The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**. - @@ -87,7 +86,7 @@ The MDM Diagnostic report shows the applied configurations states of a device in | Value | Description | |:--|:--| -| 0 (Default) | | +| 0 (Default) | . | | 1 | The MDM policy is used and the GP policy is blocked. | diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index f9ca1be96f..395755ed2e 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,10 +1,10 @@ --- title: CredentialProviders Policy CSP -description: Learn more about the CredentialProviders Area in Policy CSP +description: Learn more about the CredentialProviders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - CredentialProviders > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,12 @@ ms.topic: reference This policy setting allows you to control whether a domain user can sign in using a convenience PIN. -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. +- If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. +- If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. -Note: The user's domain password will be cached in the system vault when using this feature. +> [!NOTE] +> The user's domain password will be cached in the system vault when using this feature. To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. @@ -70,7 +69,7 @@ To configure Windows Hello for Business, use the Administrative Template policie > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -110,11 +109,11 @@ To configure Windows Hello for Business, use the Administrative Template policie This policy setting allows you to control whether a domain user can sign in using a picture password. -If you enable this policy setting, a domain user can't set up or sign in with a picture password. +- If you enable this policy setting, a domain user can't set up or sign in with a picture password. -If you disable or don't configure this policy setting, a domain user can set up and use a picture password. +- If you disable or don't configure this policy setting, a domain user can set up and use a picture password. -Note that the user's domain password will be cached in the system vault when using this feature. +**Note** that the user's domain password will be cached in the system vault when using this feature. @@ -132,7 +131,7 @@ Note that the user's domain password will be cached in the system vault when usi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 3322179607..36ad871eab 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -1,10 +1,10 @@ --- title: CredentialsDelegation Policy CSP -description: Learn more about the CredentialsDelegation Area in Policy CSP +description: Learn more about the CredentialsDelegation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - CredentialsDelegation > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,9 +46,9 @@ Remote host allows delegation of non-exportable credentials When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. -If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. +- If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. -If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. +- If you disable or do not configure this policy setting, Restricted Administration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host. @@ -68,7 +66,7 @@ If you disable or do not configure this policy setting, Restricted Administratio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index ddb6b3206c..060389719e 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,10 +1,10 @@ --- title: CredentialsUI Policy CSP -description: Learn more about the CredentialsUI Area in Policy CSP +description: Learn more about the CredentialsUI Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - CredentialsUI > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,9 +48,9 @@ ms.topic: reference This policy setting allows you to configure the display of the password reveal button in password entry user experiences. -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. +- If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. +- If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. @@ -74,7 +72,7 @@ The policy applies to all Windows components and applications that use the Windo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -114,9 +112,9 @@ The policy applies to all Windows components and applications that use the Windo This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. +- If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. -If you disable this policy setting, users will always be required to type a user name and password to elevate. +- If you disable this policy setting, users will always be required to type a user name and password to elevate. @@ -134,7 +132,7 @@ If you disable this policy setting, users will always be required to type a user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 4fc053a985..53aabcf9bf 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,10 +1,10 @@ --- title: Cryptography Policy CSP -description: Learn more about the Cryptography Area in Policy CSP +description: Learn more about the Cryptography Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -59,8 +59,8 @@ Allows or disallows the Federal Information Processing Standard (FIPS) policy. | Value | Description | |:--|:--| -| 1 | Allow | -| 0 (Default) | Block | +| 1 | Allow. | +| 0 (Default) | Block. | diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index a6e7b49ac7..6c2609c4c7 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,10 +1,10 @@ --- title: DataProtection Policy CSP -description: Learn more about the DataProtection Area in Policy CSP +description: Learn more about the DataProtection Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -86,9 +86,10 @@ This policy setting allows you to block direct memory access (DMA) for all hot p -Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe. +Important. This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. Setting used by Windows 8. 1 Selective Wipe -**Note**: This policy is not recommended for use in Windows 10. +> [!NOTE] +> This policy is not recommended for use in Windows 10. diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 9443821da7..f01d83375c 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -1,10 +1,10 @@ --- title: DataUsage Policy CSP -description: Learn more about the DataUsage Area in Policy CSP +description: Learn more about the DataUsage Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - DataUsage > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting configures the cost of 3G connections on the local machine. -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: +- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. @@ -54,7 +52,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost - Variable: This connection is costed on a per byte basis. -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. +- If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. @@ -74,7 +72,7 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -113,7 +111,7 @@ If this policy setting is disabled or is not configured, the cost of 3G connecti This policy setting configures the cost of 4G connections on the local machine. -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: +- If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. @@ -121,7 +119,7 @@ If this policy setting is enabled, a drop-down list box presenting possible cost - Variable: This connection is costed on a per byte basis. -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. +- If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. @@ -139,7 +137,7 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 665840ec64..eb25db2dad 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,10 +1,10 @@ --- title: Defender Policy CSP -description: Learn more about the Defender Area in Policy CSP +description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/27/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,11 +37,11 @@ ms.topic: reference -This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. +This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files. -If you enable or do not configure this setting, archive files will be scanned. +- If you enable or do not configure this setting, archive files will be scanned. -If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. +- If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans. @@ -106,9 +106,9 @@ If you disable this setting, archive files will not be scanned. However, archive This policy setting allows you to configure behavior monitoring. -If you enable or do not configure this setting, behavior monitoring will be enabled. +- If you enable or do not configure this setting, behavior monitoring will be enabled. -If you disable this setting, behavior monitoring will be disabled. +- If you disable this setting, behavior monitoring will be disabled. @@ -184,9 +184,9 @@ Basic membership will send basic information to Microsoft about software that ha Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. -If you enable this setting, you will join Microsoft MAPS with the membership specified. +- If you enable this setting, you will join Microsoft MAPS with the membership specified. -If you disable or do not configure this setting, you will not join Microsoft MAPS. +- If you disable or do not configure this setting, you will not join Microsoft MAPS. In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. @@ -253,9 +253,9 @@ In Windows 10, Basic membership is no longer available, so setting the value to This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients. -If you enable this setting, e-mail scanning will be enabled. +- If you enable this setting, e-mail scanning will be enabled. -If you disable or do not configure this setting, e-mail scanning will be disabled. +- If you disable or do not configure this setting, e-mail scanning will be disabled. @@ -320,9 +320,9 @@ If you disable or do not configure this setting, e-mail scanning will be disable This policy setting allows you to configure scanning mapped network drives. -If you enable this setting, mapped network drives will be scanned. +- If you enable this setting, mapped network drives will be scanned. -If you disable or do not configure this setting, mapped network drives will not be scanned. +- If you disable or do not configure this setting, mapped network drives will not be scanned. @@ -387,9 +387,9 @@ If you disable or do not configure this setting, mapped network drives will not This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. -If you enable this setting, removable drives will be scanned during any type of scan. +- If you enable this setting, removable drives will be scanned during any type of scan. -If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. +- If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. @@ -503,9 +503,9 @@ Allows or disallows Windows Defender Intrusion Prevention functionality. This policy setting allows you to configure scanning for all downloaded files and attachments. -If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. +- If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. -If you disable this setting, scanning for all downloaded files and attachments will be disabled. +- If you disable this setting, scanning for all downloaded files and attachments will be disabled. @@ -570,9 +570,9 @@ If you disable this setting, scanning for all downloaded files and attachments w This policy setting allows you to configure monitoring for file and program activity. -If you enable or do not configure this setting, monitoring for file and program activity will be enabled. +- If you enable or do not configure this setting, monitoring for file and program activity will be enabled. -If you disable this setting, monitoring for file and program activity will be disabled. +- If you disable this setting, monitoring for file and program activity will be disabled. @@ -700,9 +700,9 @@ Allows or disallows Windows Defender Realtime Monitoring functionality. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. -If you enable this setting, network files will be scanned. +- If you enable this setting, network files will be scanned. -If you disable or do not configure this setting, network files will not be scanned. +- If you disable or do not configure this setting, network files will not be scanned. @@ -815,7 +815,7 @@ Allows or disallows Windows Defender Script Scanning functionality. This policy setting allows you to configure whether or not to display AM UI to the users. -If you enable this setting AM UI won't be available to users. +- If you enable this setting AM UI won't be available to users. @@ -883,8 +883,8 @@ Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair: -- Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder -- Value column: Enter ""0"" for each item +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item Disabled: No exclusions will be applied to the ASR rules. @@ -970,11 +970,13 @@ The following status IDs are permitted under the value column: - 5 (Not Configured) - 6 (Warn) - Example: -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 -xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +2 Disabled: No ASR rules will be configured. @@ -982,7 +984,7 @@ No ASR rules will be configured. Not configured: Same as Disabled. -You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting. +You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. @@ -1037,9 +1039,9 @@ You can exclude folders or files in the ""Exclude files and paths from Attack Su This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. -If you enable this setting, CPU utilization will not exceed the percentage specified. +- If you enable this setting, CPU utilization will not exceed the percentage specified. -If you disable or do not configure this setting, CPU utilization will not exceed the default value. +- If you disable or do not configure this setting, CPU utilization will not exceed the default value. @@ -1098,9 +1100,9 @@ This policy setting allows you to manage whether a check for new virus and spywa This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan". -If you enable this setting, a check for new security intelligence will occur before running a scan. +- If you enable this setting, a check for new security intelligence will occur before running a scan. -If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence. +- If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence. @@ -1122,8 +1124,8 @@ If you disable this setting or do not configure this setting, the scan will star | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -1162,9 +1164,10 @@ If you disable this setting or do not configure this setting, the scan will star -This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site -**Note**: This feature requires the Join Microsoft MAPS setting enabled in order to function. +> [!NOTE] +> This feature requires the Join Microsoft MAPS setting enabled in order to function. @@ -1186,10 +1189,10 @@ This policy setting determines how aggressive Windows Defender Antivirus will be | Value | Description | |:--|:--| -| 0 (Default) | NotConfigured | -| 2 | High | -| 4 | HighPlus | -| 6 | ZeroTolerance | +| 0 (Default) | NotConfigured. | +| 2 | High. | +| 4 | HighPlus. | +| 6 | ZeroTolerance. | @@ -1229,9 +1232,10 @@ This policy setting determines how aggressive Windows Defender Antivirus will be -This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds -**Note**: This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. +> [!NOTE] +> This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. @@ -1431,9 +1435,9 @@ Microsoft Defender Antivirus automatically determines which applications can be This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. -If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. +- If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. -If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. +- If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. @@ -1490,9 +1494,9 @@ If you disable or do not configure this setting, items will be kept in the quara This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +- If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. -If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. +- If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. @@ -1514,8 +1518,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu | Value | Description | |:--|:--| -| 0 | Enabled | -| 1 (Default) | Disabled | +| 0 | Enabled. | +| 1 (Default) | Disabled. | @@ -1556,9 +1560,9 @@ If you disable or do not configure this setting, catch-up scans for scheduled fu This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +- If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. -If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. +- If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off. @@ -1580,8 +1584,8 @@ If you disable or do not configure this setting, catch-up scans for scheduled qu | Value | Description | |:--|:--| -| 0 | Enabled | -| 1 (Default) | Disabled | +| 0 | Enabled. | +| 1 (Default) | Disabled. | @@ -1635,21 +1639,18 @@ The following will be blocked: - Attempts by untrusted apps to write to disk sectors The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. - Disabled: The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors These attempts will not be recorded in the Windows event log. - Audit Mode: The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. - Block disk modification only: The following will be blocked: - Attempts by untrusted apps to write to disk sectors @@ -1659,7 +1660,6 @@ The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders These attempts will not be recorded in the Windows event log. - Audit disk modification only: The following will not be blocked and will be allowed to run: - Attempts by untrusted apps to write to disk sectors @@ -1690,9 +1690,9 @@ Same as Disabled. | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | -| 2 | Audit Mode | +| 0 (Default) | Disabled. | +| 1 | Enabled. | +| 2 | Audit Mode. | @@ -1734,9 +1734,9 @@ Same as Disabled. This policy setting allows you to enable or disable low CPU priority for scheduled scans. -If you enable this setting, low CPU priority will be used during scheduled scans. +- If you enable this setting, low CPU priority will be used during scheduled scans. -If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. +- If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. @@ -1758,8 +1758,8 @@ If you disable or do not configure this setting, not changes will be made to CPU | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -1831,9 +1831,9 @@ Same as Disabled. | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled (block mode) | -| 2 | Enabled (audit mode) | +| 0 (Default) | Disabled. | +| 1 | Enabled (block mode). | +| 2 | Enabled (audit mode). | @@ -1980,9 +1980,10 @@ Allows an administrator to specify a list of directory paths to ignore during a -Allows an administrator to specify a list of files opened by processes to ignore during a scan. +Allows an administrator to specify a list of files opened by processes to ignore during a scan -**Important**: The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe. @@ -2112,18 +2113,18 @@ Same as Disabled. This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. -Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. +**Note** that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. -The options for this setting are mutually exclusive: +The options for this setting are mutually exclusive 0 = Scan incoming and outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value, or if the value does not exist, resolves to the default (0). -If you enable this setting, the specified type of monitoring will be enabled. +- If you enable this setting, the specified type of monitoring will be enabled. -If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. +- If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. @@ -2191,9 +2192,9 @@ This policy setting allows you to specify the scan type to use during a schedule 1 = Quick Scan (default) 2 = Full Scan -If you enable this setting, the scan type will be set to the specified value. +- If you enable this setting, the scan type will be set to the specified value. -If you disable or do not configure this setting, the default scan type will used. +- If you disable or do not configure this setting, the default scan type will used. @@ -2215,8 +2216,8 @@ If you disable or do not configure this setting, the default scan type will used | Value | Description | |:--|:--| -| 1 (Default) | Quick scan | -| 2 | Full scan | +| 1 (Default) | Quick scan. | +| 2 | Full scan. | @@ -2258,9 +2259,9 @@ If you disable or do not configure this setting, the default scan type will used This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. -If you enable this setting, a daily quick scan will run at the time of day specified. +- If you enable this setting, a daily quick scan will run at the time of day specified. -If you disable or do not configure this setting, daily quick scan controlled by this config will not be run. +- If you disable or do not configure this setting, daily quick scan controlled by this config will not be run. @@ -2328,9 +2329,9 @@ This setting can be configured with the following ordinal number values: (0x7) Saturday (0x8) Never (default) -If you enable this setting, a scheduled scan will run at the frequency specified. +- If you enable this setting, a scheduled scan will run at the frequency specified. -If you disable or do not configure this setting, a scheduled scan will run at a default frequency. +- If you disable or do not configure this setting, a scheduled scan will run at a default frequency. @@ -2352,15 +2353,15 @@ If you disable or do not configure this setting, a scheduled scan will run at a | Value | Description | |:--|:--| -| 0 (Default) | Every day | -| 1 | Sunday | -| 2 | Monday | -| 3 | Tuesday | -| 4 | Wednesday | -| 5 | Thursday | -| 6 | Friday | -| 7 | Saturday | -| 8 | No scheduled scan | +| 0 (Default) | Every day. | +| 1 | Sunday. | +| 2 | Monday. | +| 3 | Tuesday. | +| 4 | Wednesday. | +| 5 | Thursday. | +| 6 | Friday. | +| 7 | Saturday. | +| 8 | No scheduled scan. | @@ -2402,9 +2403,9 @@ If you disable or do not configure this setting, a scheduled scan will run at a This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. -If you enable this setting, a scheduled scan will run at the time of day specified. +- If you enable this setting, a scheduled scan will run at the time of day specified. -If you disable or do not configure this setting, a scheduled scan will run at a default time. +- If you disable or do not configure this setting, a scheduled scan will run at a default time. @@ -2461,7 +2462,7 @@ If you disable or do not configure this setting, a scheduled scan will run at a This policy setting allows you to define the security intelligence location for VDI-configured computers. -If you disable or do not configure this setting, security intelligence will be referred from the default local source. +- If you disable or do not configure this setting, security intelligence will be referred from the default local source. @@ -2514,13 +2515,13 @@ If you disable or do not configure this setting, security intelligence will be r -This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares” +This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares" For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } -If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. +- If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. -If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. +- If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. @@ -2576,9 +2577,9 @@ If you disable or do not configure this setting, security intelligence update so This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. -If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. +- If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. -If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. +- If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. @@ -2634,9 +2635,9 @@ If you disable or do not configure this setting, the list will remain empty by d This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). -If you enable this setting, checks for security intelligence updates will occur at the interval specified. +- If you enable this setting, checks for security intelligence updates will occur at the interval specified. -If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval. +- If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval. @@ -2762,7 +2763,7 @@ Possible options are: -Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution. +Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 - Low severity threats2 - Moderate severity threats4 - High severity threats5 - Severe threatsThe following list shows the supported values for possible actions:2 - Quarantine. Moves files to quarantine. 3 - Remove. Removes files from system. 6 - Allow. Allows file/does none of the above actions. 8 - User defined. Requires user to make a decision on which action to take. 10 - Block. Blocks file execution. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index bf672dd0df..2425d81cee 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1,10 +1,10 @@ --- title: DeliveryOptimization Policy CSP -description: Learn more about the DeliveryOptimization Area in Policy CSP +description: Learn more about the DeliveryOptimization Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -348,9 +348,7 @@ The recommended value is 1 hour (3600). -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. - -**Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. **Note** that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. @@ -405,9 +403,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT -Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. - -**Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. +Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. **Note** that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first. @@ -545,8 +541,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec | Value | Description | |:--|:--| -| 0 (Default) | Allowed | -| 1 | Not allowed | +| 0 (Default) | Allowed. | +| 1 | Not allowed. | @@ -730,12 +726,12 @@ Set this policy to restrict peer selection to a specific source. Available optio | Value | Description | |:--|:--| -| 0 (Default) | Unset | -| 1 | AD site | -| 2 | Authenticated domain SID | -| 3 | DHCP user option | -| 4 | DNS suffix | -| 5 | AAD | +| 0 (Default) | Unset. | +| 1 | AD site. | +| 2 | Authenticated domain SID. | +| 3 | DHCP user option. | +| 4 | DNS suffix. | +| 5 | AAD. | @@ -1117,7 +1113,8 @@ Specifies the required minimum disk size (capacity in GB) for the device to use Recommended values: 64 GB to 256 GB. -Note: If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. +> [!NOTE] +> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index cea4653f7b..1cc683a423 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,10 +1,10 @@ --- title: Desktop Policy CSP -description: Learn more about the Desktop Area in Policy CSP +description: Learn more about the Desktop Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Desktop > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,7 +46,7 @@ Prevents users from changing the path to their profile folders. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. -If you enable this setting, users are unable to type a new location in the Target box. +- If you enable this setting, users are unable to type a new location in the Target box. @@ -66,7 +64,7 @@ If you enable this setting, users are unable to type a new location in the Targe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md index c8b7f8f8f7..36f2988560 100644 --- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md +++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md @@ -1,10 +1,10 @@ --- title: DesktopAppInstaller Policy CSP -description: Learn more about the DesktopAppInstaller Area in Policy CSP +description: Learn more about the DesktopAppInstaller Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,11 +44,11 @@ ms.topic: reference This policy controls additional sources provided by the enterprise IT administrator. -If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/). +- If you do not configure this policy, no additional sources will be configured for the [Windows Package Manager](/windows/package-manager/). -If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. +- If you enable this policy, the additional sources will be added to the [Windows Package Manager](/windows/package-manager/) and cannot be removed. The representation for each additional source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. -If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). +- If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). @@ -106,11 +106,11 @@ If you disable this policy, no additional sources can be configured for the [Win This policy controls additional sources allowed by the enterprise IT administrator. -If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. +- If you do not configure this policy, users will be able to add or remove additional sources other than those configured by policy. -If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. +- If you enable this policy, only the sources specified can be added or removed from the [Windows Package Manager](/windows/package-manager/). The representation for each allowed source can be obtained from installed sources using '[winget source export](/windows/package-manager/winget)'. -If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). +- If you disable this policy, no additional sources can be configured for the [Windows Package Manager](/windows/package-manager/). @@ -168,9 +168,9 @@ If you disable this policy, no additional sources can be configured for the [Win This policy controls whether the [Windows Package Manager](/windows/package-manager/) can be used by users. -If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/). +- If you enable or do not configure this setting, users will be able to use the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/). +- If you disable this setting, users will not be able to use the [Windows Package Manager](/windows/package-manager/). @@ -229,11 +229,11 @@ Users will still be able to execute the *winget* command. The default help will This policy controls the default source included with the [Windows Package Manager](/windows/package-manager/). -If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed. +- If you do not configure this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and can be removed. -If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. +- If you enable this setting, the default source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. -If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available. +- If you disable this setting the default source for the [Windows Package Manager](/windows/package-manager/) will not be available. @@ -291,9 +291,9 @@ If you disable this setting the default source for the [Windows Package Manager] This policy controls whether users can enable experimental features in the [Windows Package Manager](/windows/package-manager/). -If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). +- If you enable or do not configure this setting, users will be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). +- If you disable this setting, users will not be able to enable experimental features for the [Windows Package Manager](/windows/package-manager/). @@ -352,9 +352,9 @@ Experimental features are used during Windows Package Manager development cycle This policy controls whether or not the [Windows Package Manager](/windows/package-manager/) can be configured to enable the ability override the SHA256 security validation in settings. -If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. +- If you enable or do not configure this policy, users will be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. -If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. +- If you disable this policy, users will not be able to enable the ability override the SHA256 security validation in the [Windows Package Manager](/windows/package-manager/) settings. @@ -412,9 +412,9 @@ If you disable this policy, users will not be able to enable the ability overrid This policy controls whether users can install packages with local manifest files. -If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). +- If you enable or do not configure this setting, users will be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). +- If you disable this setting, users will not be able to install packages with local manifests using the [Windows Package Manager](/windows/package-manager/). @@ -472,11 +472,11 @@ If you disable this setting, users will not be able to install packages with loc This policy controls the Microsoft Store source included with the [Windows Package Manager](/windows/package-manager/). -If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. +- If you do not configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. -If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. +- If you enable this setting, the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will be available and cannot be removed. -If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available. +- If you disable this setting the Microsoft Store source for the [Windows Package Manager](/windows/package-manager/) will not be available. @@ -534,9 +534,9 @@ If you disable this setting the Microsoft Store source for the [Windows Package This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol. -If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. +- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. -If you disable this setting, users will not be able to install packages from websites that use this protocol. +- If you disable this setting, users will not be able to install packages from websites that use this protocol. @@ -594,9 +594,9 @@ If you disable this setting, users will not be able to install packages from web This policy controls whether users can change their settings. -If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/). +- If you enable or do not configure this setting, users will be able to change settings for the [Windows Package Manager](/windows/package-manager/). -If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/). +- If you disable this setting, users will not be able to change settings for the [Windows Package Manager](/windows/package-manager/). @@ -655,9 +655,9 @@ The settings are stored inside of a .json file on the user’s system. It may be This policy controls the auto update interval for package-based sources. -If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/). +- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by the [Windows Package Manager](/windows/package-manager/). -If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/). +- If you enable this setting, the number of minutes specified will be used by the [Windows Package Manager](/windows/package-manager/). diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index d4a0eaf1df..cb8e92e349 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,10 +1,10 @@ --- title: DeviceGuard Policy CSP -description: Learn more about the DeviceGuard Area in Policy CSP +description: Learn more about the DeviceGuard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -60,9 +60,9 @@ For more information about System Guard, see [Introducing Windows Defender Syste | Value | Description | |:--|:--| -| 0 (Default) | Unmanaged Configurable by Administrative user | -| 1 | Unmanaged Enables Secure Launch if supported by hardware | -| 2 | Unmanaged Disables Secure Launch | +| 0 (Default) | Unmanaged Configurable by Administrative user. | +| 1 | Unmanaged Enables Secure Launch if supported by hardware. | +| 2 | Unmanaged Disables Secure Launch. | @@ -120,19 +120,20 @@ The "Not Configured" option leaves the policy setting undefined. Group Policy do The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. -Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. +> [!WARNING] +> All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible. Credential Guard This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. -For Windows 11 21H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured". +For Windows 11 21. H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured". The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511). -For Windows 11 21H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock. +For Windows 11 21. H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock. Secure Launch @@ -148,15 +149,13 @@ Kernel-mode Hardware-enforced Stack Protection This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered. -This security feature has the following prerequisites: +This security feature has the following prerequisites 1) The CPU hardware supports hardware-based shadow stacks. 2) Virtualization Based Protection of Code Integrity is enabled. -If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature. +If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature. **Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately. -**Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately. - -Devices that enable this security feature must be running at least Windows 11 (Version 22H2). +Devices that enable this security feature must be running at least Windows 11 (Version 22. H2). The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection. @@ -166,7 +165,8 @@ The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced S The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. -Warning: All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to . +> [!WARNING] +> All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to . @@ -188,8 +188,8 @@ Warning: All drivers on the system must be compatible with this security feature | Value | Description | |:--|:--| -| 0 (Default) | disable virtualization based security. | -| 1 | enable virtualization based security. | +| 0 (Default) | Disable virtualization based security. | +| 1 | Enable virtualization based security. | diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 5458f5fe86..e1d39bcbd8 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -1,10 +1,10 @@ --- title: DeviceHealthMonitoring Policy CSP -description: Learn more about the DeviceHealthMonitoring Area in Policy CSP +description: Learn more about the DeviceHealthMonitoring Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,7 @@ ms.topic: reference -Enable/disable 4Nines device health monitoring on devices. +Enable/disable 4. Nines device health monitoring on devices. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 7eb40161d8..0696c7e877 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -1,10 +1,10 @@ --- title: DeviceInstallation Policy CSP -description: Learn more about the DeviceInstallation Area in Policy CSP +description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -53,9 +53,9 @@ NOTE: The "Prevent installation of devices not described by other policy setting Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). -If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. @@ -153,9 +153,9 @@ NOTE: The "Prevent installation of devices not described by other policy setting Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). -If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. @@ -257,9 +257,9 @@ NOTE: The "Prevent installation of devices not described by other policy setting Alternatively, if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, the "Prevent installation of devices that match any of these device instance IDs" policy setting, or the "Prevent installation of removable devices" policy setting). -If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +- If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. @@ -380,7 +380,7 @@ Removable devices NOTE: This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. -If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. +- If you disable or do not configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. @@ -473,9 +473,9 @@ You can also change the evaluation order of device installation policy settings This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. -If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). +- If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System > Advanced System Settings > Hardware tab). -If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. +- If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. @@ -535,9 +535,9 @@ This policy setting allows you to prevent the installation of devices that are n NOTE: This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting. -If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. +- If you enable this policy setting, Windows is prevented from installing or updating the driver package for any device that is not described by either the "Allow installation of devices that match any of these device IDs", the "Allow installation of devices for these device classes", or the "Allow installation of devices that match any of these device instance IDs" policy setting. -If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. +- If you disable or do not configure this policy setting, Windows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that match any of these device IDs", "Prevent installation of devices for these device classes" policy setting, "Prevent installation of devices that match any of these device instance IDs", or "Prevent installation of removable devices" policy setting. @@ -634,9 +634,10 @@ This policy setting allows you to specify a list of Plug and Play hardware IDs a NOTE: To enable the "Allow installation of devices that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +- If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. @@ -734,9 +735,10 @@ For example, this custom profile blocks installation and usage of USB devices wi This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. -If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +- If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. @@ -821,7 +823,6 @@ To prevent installation of devices with matching device instance IDs by using cu > Don't use spaces in the value. 1. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. - @@ -847,9 +848,10 @@ This policy setting allows you to specify a list of device setup class globally NOTE: To enable the "Allow installation of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicable devices, enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. -If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +- If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. +- If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. +- If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index a4d1b7fa2a..9645d243cd 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -1,10 +1,10 @@ --- title: DeviceLock Policy CSP -description: Learn more about the DeviceLock Area in Policy CSP +description: Learn more about the DeviceLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -25,7 +25,6 @@ ms.topic: reference > [!IMPORTANT] > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - @@ -122,8 +121,8 @@ Specifies whether to show a user-configurable setting to control the screen time | Value | Description | |:--|:--| -| 1 | Allow | -| 0 (Default) | Block | +| 1 | Allow. | +| 0 (Default) | Block. | @@ -349,7 +348,6 @@ Specifies whether device lock is enabled. > - DevicePasswordHistory > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock - @@ -367,8 +365,8 @@ Specifies whether device lock is enabled. | Value | Description | |:--|:--| -| 0 | Enabled | -| 1 (Default) | Disabled | +| 0 | Enabled. | +| 1 (Default) | Disabled. | @@ -442,7 +440,7 @@ For more information about this policy, see [Exchange ActiveSync Policy Engine O -Specifies how many passwords can be stored in the history that can’t be used. +Specifies how many passwords can be stored in the history that can't be used. @@ -569,9 +567,10 @@ Specifies the default lock screen and logon image shown when no user is signed i -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality -**Note**: This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). +> [!NOTE] +> This policy must be wrapped in an Atomic command. This policy has different behaviors on the mobile device and desktop. On a mobile device, when the user reaches the value set by this policy, then the device is wiped. On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -613,7 +612,10 @@ The number of authentication failures allowed before the device will be wiped. A -This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. +This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days + +> [!NOTE] +> It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default 42. @@ -662,8 +664,7 @@ This security setting determines the period of time (in days) that a password ca - -The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + @@ -801,10 +802,10 @@ For more information about this policy, see [Exchange ActiveSync Policy Engine O | Value | Description | |:--|:--| -| 1 (Default) | Digits only | -| 2 | Digits and lowercase letters are required | -| 3 | Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts | -| 4 | Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop | +| 1 (Default) | Digits only. | +| 2 | Digits and lowercase letters are required. | +| 3 | Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. | +| 4 | Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop. | @@ -950,9 +951,7 @@ This security setting determines the period of time (in days) that a password mu - -Password must meet complexity requirements -This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. + @@ -1014,7 +1013,10 @@ Complexity requirements are enforced when passwords are changed or created. Minimum password length -This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. Note: By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required + +> [!NOTE] +> By default, member computers follow the configuration of their domain controllers. Default 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. @@ -1068,7 +1070,7 @@ Disables the lock screen camera toggle switch in PC Settings and prevents a came By default, users can enable invocation of an available camera on the lock screen. -If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. +- If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. @@ -1128,7 +1130,7 @@ Disables the lock screen slide show settings in PC Settings and prevents a slide By default, users can enable a slide show that will run after they lock the machine. -If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. +- If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index e692af7ae2..5c610c1946 100644 --- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -1,10 +1,10 @@ --- title: Display Policy CSP -description: Learn more about the Display Area in Policy CSP +description: Learn more about the Display Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -272,7 +272,6 @@ To validate on Desktop, do the following tasks: 1. Configure the setting for an app, which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. - Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 0cf55a401e..8901e92cae 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -1,10 +1,10 @@ --- title: DmaGuard Policy CSP -description: Learn more about the DmaGuard Area in Policy CSP +description: Learn more about the DmaGuard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,9 +37,7 @@ ms.topic: reference -Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. - -**Note**: this policy does not apply to 1394, PCMCIA or ExpressCard devices. +Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. **Note** this policy does not apply to 1394, PCMCIA or ExpressCard devices. @@ -66,9 +64,9 @@ This policy only takes effect when Kernel DMA Protection is supported and enable | Value | Description | |:--|:--| -| 0 | Block all (Most restrictive) | -| 1 (Default) | Only after log in/screen unlock | -| 2 | Allow all (Least restrictive) | +| 0 | Block all (Most restrictive). | +| 1 (Default) | Only after log in/screen unlock. | +| 2 | Allow all (Least restrictive). | diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index b3b49b3cb2..e5b3933b3c 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -1,10 +1,10 @@ --- title: Eap Policy CSP -description: Learn more about the Eap Area in Policy CSP +description: Learn more about the Eap Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,7 @@ ms.topic: reference -Added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication. +Added in Windows 10, version 21. H1. Allow or disallow use of TLS 1.3 during EAP client authentication. diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 4a05b27018..c8c5aed332 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -1,10 +1,10 @@ --- title: Education Policy CSP -description: Learn more about the Education Area in Policy CSP +description: Learn more about the Education Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -20,104 +20,6 @@ ms.topic: reference - -## EnableEduThemes - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Education/EnableEduThemes -``` - - - - -This policy setting allows you to control whether EDU-specific theme packs are available in Settings > Personalization. If you disable or don't configure this policy setting, EDU-specific theme packs will not be included. If you enable this policy setting, users will be able to personalize their devices with EDU-specific themes. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - - - - - - - -## IsEducationEnvironment - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment -``` - - - - -This policy setting allows tenant to control whether to declare this OS as an education environment - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - - - - - - ## AllowGraphingCalculator @@ -135,7 +37,9 @@ This policy setting allows tenant to control whether to declare this OS as an ed -This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. +This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. +- If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. +- If you enable or don't configure this policy setting, users will be able to access graphing functionality. @@ -221,6 +125,106 @@ The policy value is expected to be the name (network host name) of an installed + +## EnableEduThemes + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Education/EnableEduThemes +``` + + + + +This policy setting allows you to control whether EDU-specific theme packs are available in Settings > Personalization. +- If you disable or don't configure this policy setting, EDU-specific theme packs will not be included. +- If you enable this policy setting, users will be able to personalize their devices with EDU-specific themes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + + +## IsEducationEnvironment + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment +``` + + + + +This policy setting allows tenant to control whether to declare this OS as an education environment + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + + + + + + ## PreventAddingNewPrinters @@ -240,7 +244,7 @@ The policy value is expected to be the name (network host name) of an installed Prevents users from using familiar methods to add local and network printers. -If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. +- If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. Also, users cannot add printers by dragging a printer icon into the Printers folder. If they try, a message appears explaining that the setting prevents the action. @@ -248,7 +252,8 @@ However, this setting does not prevent users from using the Add Hardware Wizard This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print. -Note: You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Properties, and then click the Security tab. +> [!NOTE] +> You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Properties, and then click the Security tab. If this policy is disabled, or not configured, users can add printers using the methods described above. diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index 25607f6862..b804039125 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -1,10 +1,10 @@ --- title: EnterpriseCloudPrint Policy CSP -description: Learn more about the EnterpriseCloudPrint Area in Policy CSP +description: Learn more about the EnterpriseCloudPrint Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index a524a6cd1c..2c1178445b 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -1,10 +1,10 @@ --- title: ErrorReporting Policy CSP -description: Learn more about the ErrorReporting Area in Policy CSP +description: Learn more about the ErrorReporting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ErrorReporting > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting determines the consent behavior of Windows Error Reporting for specific event types. -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. +- If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. @@ -58,7 +56,7 @@ If you enable this policy setting, you can add specific event types to a list by - 4 (Send all data): Any data requested by Microsoft is sent automatically. -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. +- If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. @@ -76,13 +74,13 @@ If you disable or do not configure this policy setting, then the default consent > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerConsentCustomize | +| Name | WerConsentCustomize_2 | | Friendly Name | Customize consent settings | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting > Consent | @@ -115,9 +113,9 @@ If you disable or do not configure this policy setting, then the default consent This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. +- If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. +- If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. @@ -135,13 +133,13 @@ If you disable or do not configure this policy setting, the Turn off Windows Err > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerDisable | +| Name | WerDisable_2 | | Friendly Name | Disable Windows Error Reporting | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting | @@ -175,11 +173,11 @@ If you disable or do not configure this policy setting, the Turn off Windows Err This policy setting controls whether users are shown an error dialog box that lets them report an error. -If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. +- If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. -If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. +- If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. -If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. +- If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. See also the Configure Error Reporting policy setting. @@ -199,7 +197,7 @@ See also the Configure Error Reporting policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -239,9 +237,9 @@ See also the Configure Error Reporting policy setting. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. +- If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. +- If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. @@ -259,13 +257,13 @@ If you disable or do not configure this policy setting, then consent policy sett > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WerNoSecondLevelData | +| Name | WerNoSecondLevelData_2 | | Friendly Name | Do not send additional data | | Location | Computer Configuration | | Path | Windows Components > Windows Error Reporting | @@ -299,9 +297,9 @@ If you disable or do not configure this policy setting, then consent policy sett This policy setting prevents the display of the user interface for critical errors. -If you enable or do not configure this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. +- If you enable or do not configure this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. -If you disable this policy setting, Windows Error Reporting displays the GUI-based error messages or dialog boxes for critical errors. +- If you disable this policy setting, Windows Error Reporting displays the GUI-based error messages or dialog boxes for critical errors. @@ -319,7 +317,7 @@ If you disable this policy setting, Windows Error Reporting displays the GUI-bas > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 44c3dc7d33..dd4e120109 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -1,10 +1,10 @@ --- title: EventLogService Policy CSP -description: Learn more about the EventLogService Area in Policy CSP +description: Learn more about the EventLogService Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,11 +44,12 @@ ms.topic: reference This policy setting controls Event Log behavior when the log file reaches its maximum size. -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. +- If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. +- If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -**Note**: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -106,9 +107,9 @@ If you disable or do not configure this policy setting and a log file reaches it This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. @@ -165,9 +166,9 @@ If you disable or do not configure this policy setting, the maximum size of the This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. @@ -224,9 +225,9 @@ If you disable or do not configure this policy setting, the maximum size of the This policy setting specifies the maximum size of the log file in kilobytes. -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. +- If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. +- If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index beec4bf3cb..d4bee876d5 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1,10 +1,10 @@ --- title: Experience Policy CSP -description: Learn more about the Experience Area in Policy CSP +description: Learn more about the Experience Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -38,8 +38,8 @@ ms.topic: reference This policy setting determines whether history of Clipboard contents can be stored in memory. -If you enable this policy setting, history of Clipboard contents are allowed to be stored. -If you disable this policy setting, history of Clipboard contents are not allowed to be stored. +- If you enable this policy setting, history of Clipboard contents are allowed to be stored. +- If you disable this policy setting, history of Clipboard contents are not allowed to be stored. Policy change takes effect immediately. @@ -164,7 +164,8 @@ This policy is deprecated. This policy setting specifies whether Cortana is allowed on the device. -If you enable or don't configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off. +- If you enable or don't configure this setting, Cortana will be allowed on the device. +- If you disable this setting, Cortana will be turned off. When Cortana is off, users will still be able to use search to find things on the device. @@ -345,9 +346,10 @@ When Find My Device is off, the device and its location are not registered and t -Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect. +Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect -**Note**: The MDM server can always remotely delete the account. Most restricted value is 0. +> [!NOTE] +> The MDM server can always remotely delete the account. Most restricted value is 0. @@ -595,7 +597,9 @@ Allow SIM error dialog prompts when no SIM is inserted. -Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. If you disable this policy setting, Spotlight collection will not show as an option in Personalization Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. +Specifies whether Spotlight collection is allowed as a Personalization->Background Setting. +- If you enable this policy setting, Spotlight collection will show as an option in the user's Personalization Settings, and the user will be able to get daily images from Microsoft displayed on their desktop. +- If you disable this policy setting, Spotlight collection will not show as an option in Personalization Settings, and the user will not have the choice of getting Microsoft daily images shown on their desktop. @@ -703,9 +707,12 @@ Allows or disallows all Windows sync settings on the device. For information abo -This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value. +This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. +- If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. +- If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. Diagnostic data can include browser, app and feature usage, depending on the Diagnostic and usage data setting value -**Note**: This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. +> [!NOTE] +> This setting does not control Cortana cutomized experiences because there are separate policies to configure it. Most restricted value is 0. @@ -1001,7 +1008,9 @@ Prior to Windows 10, version 1803, this policy had User scope. This policy allow -Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. +Specifies whether to turn off all Windows spotlight features at once. +- If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. +- If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. @@ -1064,7 +1073,9 @@ Specifies whether to turn off all Windows spotlight features at once. If you ena -This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. +This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. +- If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. +- If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. Most restricted value is 0. @@ -1191,7 +1202,9 @@ This policy allows IT admins to turn off Suggestions in Settings app. These sugg -This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. +This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. +- If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. +- If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. @@ -1343,10 +1356,10 @@ Configures the Chat icon on the taskbar | Value | Description | |:--|:--| -| 0 (Default) | Not Configured | -| 1 | Show | -| 2 | Hide | -| 3 | Disabled | +| 0 (Default) | Not Configured. | +| 1 | Show. | +| 2 | Hide. | +| 3 | Disabled. | @@ -1388,13 +1401,13 @@ Configures the Chat icon on the taskbar This policy setting lets you configure Windows spotlight on the lock screen. -If you enable this policy setting, "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotlight" will display daily images from Microsoft on the lock screen. +- If you enable this policy setting, "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotlight" will display daily images from Microsoft on the lock screen. Additionally, if you check the "Include content from Enterprise spotlight" checkbox and your organization has setup an Enterprise spotlight content service in Azure, the lock screen will display internal messages and communications configured in that service, when available. If your organization does not have an Enterprise spotlight content service, the checkbox will have no effect. -If you disable this policy setting, Windows spotlight will be turned off and users will no longer be able to select it as their lock screen. Users will see the default lock screen image and will be able to select another image, unless you have enabled the "Prevent changing lock screen image" policy. +- If you disable this policy setting, Windows spotlight will be turned off and users will no longer be able to select it as their lock screen. Users will see the default lock screen image and will be able to select another image, unless you have enabled the "Prevent changing lock screen image" policy. -If you do not configure this policy, Windows spotlight will be available on the lock screen and will be selected by default, unless you have configured another default lock screen image using the "Force a specific default lock screen and logon image" policy. +- If you do not configure this policy, Windows spotlight will be available on the lock screen and will be selected by default, unless you have configured another default lock screen image using the "Force a specific default lock screen and logon image" policy. > [!NOTE] > This policy is only available for Enterprise SKUs @@ -1422,8 +1435,8 @@ If you do not configure this policy, Windows spotlight will be available on the |:--|:--| | 0 | Windows spotlight disabled. | | 1 (Default) | Windows spotlight enabled. | -| 2 | Windows spotlight is always enabled, the user cannot disable it | -| 3 | Windows spotlight is always enabled, the user cannot disable it. For special configurations only | +| 2 | Windows spotlight is always enabled, the user cannot disable it. | +| 3 | Windows spotlight is always enabled, the user cannot disable it. For special configurations only. | @@ -1465,9 +1478,9 @@ If you do not configure this policy, Windows spotlight will be available on the This policy setting lets you turn off cloud optimized content in all Windows experiences. -If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. +- If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. -If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. +- If you disable or do not configure this policy, Windows experiences will be able to use cloud optimized content. @@ -1532,9 +1545,9 @@ If you disable or do not configure this policy, Windows experiences will be able This policy setting lets you turn off cloud consumer account state content in all Windows experiences. -If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. +- If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. -If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. +- If you disable or do not configure this policy, Windows experiences will be able to use cloud consumer account state content. @@ -1599,9 +1612,9 @@ If you disable or do not configure this policy, Windows experiences will be able This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. -If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. +- If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. -If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. +- If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. > [!NOTE] > If you disable or do not configure this policy setting, users can control how often they receive feedback questions. @@ -1669,7 +1682,7 @@ If you disable or do not configure this policy setting, users may see notificati Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites. -If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. +- If you enable this policy setting, the "browser" group, including info like history and favorites, will not be synced. Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled. @@ -1696,8 +1709,8 @@ Related policy: [PreventUsersFromTurningOnBrowserSyncing](#preventusersfromturni | Value | Description | |:--|:--| -| 2 | Disable Syncing | -| 0 (Default) | Allow syncing | +| 2 | Disable Syncing. | +| 0 (Default) | Allow syncing. | @@ -1754,7 +1767,8 @@ _**Turn syncing off by default but don’t disable**_ -Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default, this policy is disabled. If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences. +Organizational messages allow Administrators to deliver messages to their end users on selected Windows 11 experiences. Organizational messages are available to Administrators via services like Microsoft Endpoint Manager. By default, this policy is disabled. +- If you enable this policy, these experiences will show content booked by Administrators. Enabling this policy will have no impact on existing MDM policy settings governing delivery of content from Microsoft on Windows experiences. @@ -1802,10 +1816,7 @@ Organizational messages allow Administrators to deliver messages to their end us - -You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. -Related policy: DoNotSyncBrowserSettings -1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing + @@ -1890,11 +1901,11 @@ _**Prevent syncing of browser settings and let users turn on syncing**_ Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. +- If you enable this policy setting, the lock option will be shown in the User Tile menu. -If you disable this policy setting, the lock option will never be shown in the User Tile menu. +- If you disable this policy setting, the lock option will never be shown in the User Tile menu. -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. +- If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 1f4ded5adf..e1291d1cb0 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,10 +1,10 @@ --- title: ExploitGuard Policy CSP -description: Learn more about the ExploitGuard Area in Policy CSP +description: Learn more about the ExploitGuard Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md index 61935e9c1c..41e2f19ab9 100644 --- a/windows/client-management/mdm/policy-csp-federatedauthentication.md +++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md @@ -1,10 +1,10 @@ --- title: FederatedAuthentication Policy CSP -description: Learn more about the FederatedAuthentication Area in Policy CSP +description: Learn more about the FederatedAuthentication Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/30/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 31e6019835..cb839593b8 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,10 +1,10 @@ --- title: FileExplorer Policy CSP -description: Learn more about the FileExplorer Area in Policy CSP +description: Learn more about the FileExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/30/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - FileExplorer > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -240,11 +238,11 @@ A value that can represent one or more folder locations in File Explorer. If not | Value | Description | |:--|:--| | 0 (Default) | Access to all folder locations. | -| 13 | Documents, Pictures, Downloads | -| 15 | Desktop, Documents, Pictures, Downloads | -| 31 | Desktop, Documents, Pictures, Downloads, Network | -| 47 | This PC, Desktop, Documents, Pictures, Downloads | -| 63 | This PC, Desktop, Documents, Pictures, Downloads, Network | +| 13 | Documents, Pictures, Downloads. | +| 15 | Desktop, Documents, Pictures, Downloads. | +| 31 | Desktop, Documents, Pictures, Downloads, Network. | +| 47 | This PC, Desktop, Documents, Pictures, Downloads. | +| 63 | This PC, Desktop, Documents, Pictures, Downloads, Network. | @@ -297,13 +295,13 @@ A value that can represent one or more storage locations in File Explorer. If no | Value | Description | |:--|:--| | 0 (Default) | Access to all storage locations. | -| 1 | Removable Drives | -| 2 | Sync roots | -| 3 | Removable Drives, Sync roots | -| 4 | Local Drives | -| 5 | Removable Drives, Local Drives | -| 6 | Sync Roots, Local Drives | -| 7 | Removable Drives, Sync Roots, Local Drives | +| 1 | Removable Drives. | +| 2 | Sync roots. | +| 3 | Removable Drives, Sync roots. | +| 4 | Local Drives. | +| 5 | Removable Drives, Local Drives. | +| 6 | Sync Roots, Local Drives. | +| 7 | Removable Drives, Sync Roots, Local Drives. | @@ -347,7 +345,7 @@ Disabling data execution prevention can allow certain legacy plug-in application > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -403,7 +401,7 @@ Disabling heap termination on corruption can allow certain legacy plug-in applic > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index 43b22b00f0..e27040ab3b 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -1,10 +1,10 @@ --- title: Games Policy CSP -description: Learn more about the Games Area in Policy CSP +description: Learn more about the Games Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 24fdb6341a..92691739f8 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -1,10 +1,10 @@ --- title: Handwriting Policy CSP -description: Learn more about the Handwriting Area in Policy CSP +description: Learn more about the Handwriting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 20aa6d7f52..2a1b573428 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -1,10 +1,10 @@ --- -potitle: HumanPresence Policy CSP -description: Learn more about the HumanPresence Area in Policy CSP +title: HumanPresence Policy CSP +description: Learn more about the HumanPresence Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/02/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -251,7 +251,7 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will | Value | Description | |:--|:--| -| 120 | TwoMinutes | +| 120 | TwoMinutes. | | 30 | ThirtySeconds. | | 10 | TenSeconds. | | 0 (Default) | DefaultToUserChoice. | diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 4c142d85e4..b60ae5ce2c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1,10 +1,10 @@ --- title: InternetExplorer Policy CSP -description: Learn more about the InternetExplorer Area in Policy CSP +description: Learn more about the InternetExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -48,11 +48,12 @@ ms.topic: reference This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). +- If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]) -**Note**: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. +> [!NOTE] +> This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. +- If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. @@ -114,9 +115,9 @@ If you disable or do not configure this policy setting, the user can configure t This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. +- If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. +- If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. @@ -180,13 +181,13 @@ This policy setting allows you to manage a list of add-ons to be allowed or deni This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: +- If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. +- If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. @@ -244,11 +245,11 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u This AutoComplete feature can remember and suggest User names and passwords on Forms. -If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". +- If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". -If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. +- If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. -If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. +- If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. @@ -310,9 +311,9 @@ If you do not configure this setting, the user has the freedom of turning on Aut This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. -If you enable this policy setting, the certificate address mismatch warning always appears. +- If you enable this policy setting, the certificate address mismatch warning always appears. -If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). +- If you disable or do not configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel). @@ -374,11 +375,11 @@ If you disable or do not configure this policy setting, the user can choose whet This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted. -If you enable this policy setting, deleting browsing history on exit is turned on. +- If you enable this policy setting, deleting browsing history on exit is turned on. -If you disable this policy setting, deleting browsing history on exit is turned off. +- If you disable this policy setting, deleting browsing history on exit is turned off. -If you do not configure this policy setting, it can be configured on the General tab in Internet Options. +- If you do not configure this policy setting, it can be configured on the General tab in Internet Options. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect. @@ -442,11 +443,11 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. -If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. +- If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. -If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. +- If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. -If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. +- If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. @@ -508,11 +509,11 @@ If you do not configure this policy, users will be able to turn on or turn off E This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. -If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. +- If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. -If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. +- If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm. -If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm. +- If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm. @@ -576,7 +577,7 @@ This policy setting lets you decide whether users can turn on Enterprise Mode fo If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. -If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. +- If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. @@ -637,9 +638,9 @@ If you disable or don't configure this policy setting, the menu option won't app This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. -If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. +- If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. -If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. +- If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. @@ -700,7 +701,7 @@ We recommend that you do not allow insecure fallback in order to prevent a man-i This policy does not affect which security protocols are enabled. -If you disable this policy, system defaults will be used. +- If you disable this policy, system defaults will be used. @@ -761,9 +762,9 @@ If you disable this policy, system defaults will be used. This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. -If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. +- If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. -If you disable or do not configure this policy setting, the user can add and remove sites from the list. +- If you disable or do not configure this policy setting, the user can add and remove sites from the list. @@ -824,11 +825,11 @@ If you disable or do not configure this policy setting, the user can add and rem This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. -If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. +- If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. -If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. +- If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. -If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. +- If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. @@ -890,11 +891,11 @@ If you do not configure this policy setting, Internet Explorer uses an Internet This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -960,11 +961,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1030,11 +1031,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1100,11 +1101,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1170,11 +1171,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1240,11 +1241,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1310,11 +1311,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1380,9 +1381,9 @@ Note. It is recommended to configure template policy settings in one Group Polic This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. +- If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. +- If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. @@ -1444,9 +1445,9 @@ If you disable or do not configure this policy setting, Internet Explorer does n This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode. -If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. +- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. -If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. +- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. For more information, see @@ -1526,13 +1527,13 @@ This policy setting allows you to manage a list of sites that you want to associ Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: +- If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: -Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. +Valuename - A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. -If you disable or do not configure this policy, users may choose their own site-to-zone assignments. +- If you disable or do not configure this policy, users may choose their own site-to-zone assignments. @@ -1622,11 +1623,11 @@ Value and index pairs in the SyncML example: This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1692,11 +1693,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. -If you enable this policy setting, users will be prompted to install or run files with an invalid signature. +- If you enable this policy setting, users will be prompted to install or run files with an invalid signature. -If you disable this policy setting, users cannot run or install files with an invalid signature. +- If you disable this policy setting, users cannot run or install files with an invalid signature. -If you do not configure this policy, users can choose to run or install files with an invalid signature. +- If you do not configure this policy, users can choose to run or install files with an invalid signature. @@ -1758,11 +1759,11 @@ If you do not configure this policy, users can choose to run or install files wi This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1826,13 +1827,13 @@ Note. It is recommended to configure template policy settings in one Group Polic -This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit. +This policy setting controls the Suggested Sites feature, which recommends websites based on the user's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to visit. -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions. +- If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user's browsing history is sent to Microsoft to produce suggestions. -If you disable this policy setting, the entry points and functionality associated with this feature are turned off. +- If you disable this policy setting, the entry points and functionality associated with this feature are turned off. -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. +- If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. @@ -1894,11 +1895,11 @@ If you do not configure this policy setting, the user can turn on and turn off t This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. +- If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. -If you disable this template policy setting, no security level is configured. +- If you disable this template policy setting, no security level is configured. -If you do not configure this template policy setting, no security level is configured. +- If you do not configure this template policy setting, no security level is configured. Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. @@ -1964,11 +1965,11 @@ Note. It is recommended to configure template policy settings in one Group Polic This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. -If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. +- If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. -If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. +- If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. -If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. +- If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. @@ -2030,11 +2031,11 @@ If you do not configure this policy setting, Internet Explorer will not check se This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. -If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. +- If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. -If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. +- If you disable this policy setting, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. -If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. +- If you do not configure this policy, Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them to user computers. @@ -2383,11 +2384,11 @@ Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to dete This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. -If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. +- If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. -If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. +- If you disable this policy setting, Internet Explorer will not require consistent MIME data for all received files. -If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. +- If you do not configure this policy setting, Internet Explorer requires consistent MIME data for all received files. @@ -2442,11 +2443,11 @@ If you do not configure this policy setting, Internet Explorer requires consiste -This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. +This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. -If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. +- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. -If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. +- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML. For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library. @@ -2510,9 +2511,9 @@ For more information, see "Out-of-date ActiveX control blocking" in the Internet This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. -If you enable this policy setting, SmartScreen Filter warnings block the user. +- If you enable this policy setting, SmartScreen Filter warnings block the user. -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. +- If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. @@ -2574,9 +2575,9 @@ If you disable or do not configure this policy setting, the user can bypass Smar This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. -If you enable this policy setting, SmartScreen Filter warnings block the user. +- If you enable this policy setting, SmartScreen Filter warnings block the user. -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. +- If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. @@ -2638,9 +2639,9 @@ If you disable or do not configure this policy setting, the user can bypass Smar This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she may encounter while browsing. -If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. +- If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. -If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. +- If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. @@ -2702,9 +2703,9 @@ If you disable or do not configure this policy setting, the user can use the Com This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history. -If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. +- If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. -If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. +- If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history. @@ -2766,9 +2767,9 @@ If you disable or do not configure this policy setting, a user can set the numbe This policy setting allows you to manage the crash detection feature of add-on Management. -If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. +- If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. -If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. +- If you disable or do not configure this policy setting, the crash detection feature for add-on management will be functional. @@ -2830,11 +2831,11 @@ If you disable or do not configure this policy setting, the crash detection feat This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. +- If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. +- If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. -If you do not configure this policy setting, the user can choose to participate in the CEIP. +- If you do not configure this policy setting, the user can choose to participate in the CEIP. @@ -2896,11 +2897,11 @@ If you do not configure this policy setting, the user can choose to participate This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box. -If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. +- If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete. -If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete. +- If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete. -If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. +- If you do not configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete. If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default. @@ -2964,9 +2965,9 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. +- If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. +- If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. @@ -3026,13 +3027,14 @@ If you disable or do not configure this policy setting, the user can set the Fee -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. +This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred match. -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. +- If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. +- If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. -**Note**: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. +> [!NOTE] +> SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. @@ -3093,9 +3095,9 @@ If you disable or do not configure this policy setting, the user can select whic This policy setting controls whether to have background synchronization for feeds and Web Slices. -If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. +- If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. -If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. +- If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. @@ -3157,13 +3159,13 @@ If you disable or do not configure this policy setting, the user can synchronize This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. -If you enable this policy setting, you must make one of the following choices: -• Skip the First Run wizard, and go directly to the user's home page. -• Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. +- If you enable this policy setting, you must make one of the following choices: +- Skip the First Run wizard, and go directly to the user's home page. +- Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. +- If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. @@ -3226,11 +3228,11 @@ This policy setting determines whether a user can swipe across a screen or click Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. +- If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. +- If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. +- If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. @@ -3292,11 +3294,11 @@ If you don't configure this setting, users can turn this behavior on or off, usi This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the user. -If you enable this policy setting, browser geolocation support is turned off. +- If you enable this policy setting, browser geolocation support is turned off. -If you disable this policy setting, browser geolocation support is turned on. +- If you disable this policy setting, browser geolocation support is turned on. -If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. +- If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. @@ -3354,9 +3356,9 @@ If you do not configure this policy setting, browser geolocation support can be The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. +- If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. +- If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. @@ -3418,9 +3420,9 @@ If you disable or do not configure this policy setting, the Home page box is ena This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed. -If you enable this policy setting, running the HTML Application (HTA file) will be blocked. +- If you enable this policy setting, running the HTML Application (HTA file) will be blocked. -If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. +- If you disable or do not configure this policy setting, running the HTML Application (HTA file) is allowed. @@ -3482,9 +3484,9 @@ If you disable or do not configure this policy setting, running the HTML Applica This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. -If you enable this policy setting, the user cannot continue browsing. +- If you enable this policy setting, the user cannot continue browsing. -If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. +- If you disable or do not configure this policy setting, the user can choose to ignore certificate errors and continue browsing. @@ -3548,11 +3550,11 @@ This policy setting allows you to turn off the InPrivate Browsing feature. InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data. -If you enable this policy setting, InPrivate Browsing is turned off. +- If you enable this policy setting, InPrivate Browsing is turned off. -If you disable this policy setting, InPrivate Browsing is available for use. +- If you disable this policy setting, InPrivate Browsing is available for use. -If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. +- If you do not configure this policy setting, InPrivate Browsing can be turned on or off through the registry. @@ -3614,15 +3616,16 @@ If you do not configure this policy setting, InPrivate Browsing can be turned on This policy lets you restrict launching of Internet Explorer as a standalone browser. -If you enable this policy, it: +- If you enable this policy, it - Prevents Internet Explorer 11 from launching as a standalone browser. - Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. - Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. - Overrides any other policies that redirect to Internet Explorer 11. -If you disable, or don’t configure this policy, all sites are opened using the current active browser settings. +If you disable, or don't configure this policy, all sites are opened using the current active browser settings -**Note**: Microsoft Edge Stable Channel must be installed for this policy to take effect. +> [!NOTE] +> Microsoft Edge Stable Channel must be installed for this policy to take effect. @@ -3706,13 +3709,14 @@ If you disable, or don’t configure this policy, all sites are opened using the This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. -**Important**: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. +> [!IMPORTANT] +> Some ActiveX controls and toolbars may not be available when 64-bit processes are used. -If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. +- If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. -If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. +- If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. -If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. +- If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. @@ -3774,9 +3778,9 @@ If you don't configure this policy setting, users can turn this feature on or of This policy setting specifies if a user can change proxy settings. -If you enable this policy setting, the user will not be able to configure proxy settings. +- If you enable this policy setting, the user will not be able to configure proxy settings. -If you disable or do not configure this policy setting, the user can configure proxy settings. +- If you disable or do not configure this policy setting, the user can configure proxy settings. @@ -3838,9 +3842,9 @@ If you disable or do not configure this policy setting, the user can configure p This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. -If you enable this policy setting, the user cannot change the default search provider. +- If you enable this policy setting, the user cannot change the default search provider. -If you disable or do not configure this policy setting, the user can change the default search provider. +- If you disable or do not configure this policy setting, the user can change the default search provider. @@ -3902,11 +3906,12 @@ If you disable or do not configure this policy setting, the user can change the Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. -If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. +- If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. -If you disable or do not configure this policy setting, the user can add secondary home pages. +- If you disable or do not configure this policy setting, the user can add secondary home pages. -**Note**: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. +> [!NOTE] +> If the "Disable Changing Home Page Settings" policy is enabled, the user cannot add secondary home pages. @@ -3967,9 +3972,9 @@ If you disable or do not configure this policy setting, the user can add seconda This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. -If you enable this policy setting, the feature is turned off. +- If you enable this policy setting, the feature is turned off. -If you disable or do not configure this policy setting, the feature is turned on. +- If you disable or do not configure this policy setting, the feature is turned on. @@ -4027,9 +4032,9 @@ If you disable or do not configure this policy setting, the feature is turned on Prevents Internet Explorer from checking whether a new version of the browser is available. -If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. +- If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. -If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. +- If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. @@ -4093,11 +4098,11 @@ This policy is intended to help the administrator maintain version control for I This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. -If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. +- If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. -If you disable this policy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. +- If you disable this policy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. -If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off. +- If you do not configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off. @@ -4163,9 +4168,9 @@ Enhanced Protected Mode provides additional protection against malicious website When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website. -If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. +- If you enable this policy setting, Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode. -If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. +- If you disable or do not configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior. @@ -4223,13 +4228,14 @@ If you disable or do not configure this policy setting, Internet Explorer notifi Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. -If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) +- If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) -If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. +- If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. This policy prevents users from changing site management settings for security zones established by the administrator. -**Note**: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. +> [!NOTE] +> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. @@ -4289,13 +4295,14 @@ Also, see the "Security zones: Use only machine settings" policy. Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. -If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. +- If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. -If you disable this policy or do not configure it, users can change the settings for security zones. +- If you disable this policy or do not configure it, users can change the settings for security zones. This policy prevents users from changing security zone settings established by the administrator. -**Note**: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. +> [!NOTE] +> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. @@ -4359,9 +4366,9 @@ Also, see the "Security zones: Use only machine settings" policy. This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. -If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. +- If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. -If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. +- If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. @@ -4425,14 +4432,14 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. -If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: +- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: 1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" 2. "hostname". For example, if you want to include https://example, use "example" 3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" -If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. +- If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. @@ -4496,7 +4503,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality. -If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer. +- If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer. If you disable, or don't configure this policy, extended hotkeys will not work in Internet Explorer mode. @@ -4563,9 +4570,9 @@ For more information, see This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. -If you enable this policy, Internet Explorer mode will use the global window list. +- If you enable this policy, Internet Explorer mode will use the global window list. -If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. +- If you disable or don't configure this policy, Internet Explorer mode will continue to maintain a separate window list. To learn more about Internet Explorer mode, see To learn more about disabling Internet Explorer 11 as a standalone browser, see @@ -4630,11 +4637,11 @@ To learn more about disabling Internet Explorer 11 as a standalone browser, see This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. -If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. +- If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). +- If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). -If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. +- If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. @@ -4696,11 +4703,11 @@ If you do not configure this policy setting, users choose whether to force local This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. -If you enable this policy setting, all network paths are mapped into the Intranet Zone. +- If you enable this policy setting, all network paths are mapped into the Intranet Zone. -If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). +- If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). -If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. +- If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. @@ -4762,11 +4769,11 @@ If you do not configure this policy setting, users choose whether network paths This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -4827,11 +4834,11 @@ If you do not configure this policy setting, users cannot load a page in the zon This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -4892,9 +4899,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -4955,13 +4962,13 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. -If you enable this policy setting, a script can perform a clipboard operation. +- If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. -If you disable this policy setting, a script cannot perform a clipboard operation. +- If you disable this policy setting, a script cannot perform a clipboard operation. -If you do not configure this policy setting, a script can perform a clipboard operation. +- If you do not configure this policy setting, a script can perform a clipboard operation. @@ -5022,11 +5029,11 @@ If you do not configure this policy setting, a script can perform a clipboard op This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. -If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. +- If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. -If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. +- If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. -If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. +- If you do not configure this policy setting, users can drag files or copy and paste files from this zone automatically. @@ -5087,11 +5094,12 @@ If you do not configure this policy setting, users can drag files or copy and pa This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -5152,11 +5160,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. +- If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. @@ -5217,11 +5225,11 @@ If you do not configure this policy setting, Web sites from less privileged zone This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. -If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. +- If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. -If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. +- If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. -If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. +- If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. @@ -5282,11 +5290,11 @@ If you do not configure this policy setting, the user can decide whether to load This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. @@ -5347,9 +5355,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. -If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. +- If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. -If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. +- If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. @@ -5410,9 +5418,9 @@ If you disable this policy setting, the user does not see the per-site ActiveX p This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. -If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. +- If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. -If you disable this policy setting, the TDC Active X control will run from all sites in this zone. +- If you disable this policy setting, the TDC Active X control will run from all sites in this zone. @@ -5473,11 +5481,11 @@ If you disable this policy setting, the TDC Active X control will run from all s This policy setting determines whether a page can control embedded WebBrowser controls via script. -If you enable this policy setting, script access to the WebBrowser control is allowed. +- If you enable this policy setting, script access to the WebBrowser control is allowed. -If you disable this policy setting, script access to the WebBrowser control is not allowed. +- If you disable this policy setting, script access to the WebBrowser control is not allowed. -If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. +- If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. @@ -5538,11 +5546,11 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. -If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. +- If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. -If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +- If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +- If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. @@ -5603,11 +5611,11 @@ If you do not configure this policy setting, the possible harmful actions contai This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -5668,13 +5676,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -5735,9 +5744,9 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage whether script is allowed to update the status bar within the zone. -If you enable this policy setting, script is allowed to update the status bar. +- If you enable this policy setting, script is allowed to update the status bar. -If you disable or do not configure this policy setting, script is not allowed to update the status bar. +- If you disable or do not configure this policy setting, script is not allowed to update the status bar. @@ -5798,11 +5807,11 @@ If you disable or do not configure this policy setting, script is not allowed to This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -5930,11 +5939,11 @@ If you do not configure or disable this policy setting, VBScript is prevented fr This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -5995,11 +6004,11 @@ If you don't configure this policy setting, Internet Explorer always checks with This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. -If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. +- If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -If you disable the policy setting, signed controls cannot be downloaded. +- If you disable the policy setting, signed controls cannot be downloaded. -If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. +- If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. @@ -6060,11 +6069,11 @@ If you do not configure this policy setting, users are queried whether to downlo This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. -If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. +- If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. -If you disable this policy setting, users cannot run unsigned controls. +- If you disable this policy setting, users cannot run unsigned controls. -If you do not configure this policy setting, users cannot run unsigned controls. +- If you do not configure this policy setting, users cannot run unsigned controls. @@ -6125,9 +6134,9 @@ If you do not configure this policy setting, users cannot run unsigned controls. This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. -If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. +- If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. -If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. +- If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. @@ -6188,9 +6197,9 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. @@ -6255,9 +6264,9 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. @@ -6322,11 +6331,11 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. -If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. +- If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. -If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. +- If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. +- If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. @@ -6387,11 +6396,11 @@ If you do not configure this policy setting, the MIME Sniffing Safety Feature wi This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. -If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. +- If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. -If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. +- If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. -If you do not configure this policy setting, the user can turn on or turn off Protected Mode. +- If you do not configure this policy setting, the user can turn on or turn off Protected Mode. @@ -6452,11 +6461,11 @@ If you do not configure this policy setting, the user can turn on or turn off Pr This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. -If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. +- If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. -If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. +- If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. -If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. +- If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. @@ -6517,13 +6526,13 @@ If you do not configure this policy setting, the user can choose whether path in This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -6584,7 +6593,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -6592,9 +6601,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to High Safety. +- If you do not configure this policy setting, the permission is set to High Safety. @@ -6655,11 +6664,11 @@ If you do not configure this policy setting, the permission is set to High Safet This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. -If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. +- If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. +- If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. -If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. +- If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. @@ -6720,7 +6729,7 @@ If you do not configure this policy setting, users are queried to choose whether This policy setting allows you to manage settings for logon options. -If you enable this policy setting, you can choose from the following logon options. +- If you enable this policy setting, you can choose from the following logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. @@ -6730,9 +6739,9 @@ Automatic logon only in Intranet zone to query users for user IDs and passwords Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. -If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. +- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. -If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. +- If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. @@ -6793,11 +6802,11 @@ If you do not configure this policy setting, logon is set to Automatic logon onl This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -6858,11 +6867,11 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. +- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. -If you disable this policy setting, Internet Explorer will not execute signed managed components. +- If you disable this policy setting, Internet Explorer will not execute signed managed components. -If you do not configure this policy setting, Internet Explorer will execute signed managed components. +- If you do not configure this policy setting, Internet Explorer will execute signed managed components. @@ -6923,11 +6932,11 @@ If you do not configure this policy setting, Internet Explorer will execute sign This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). -If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. +- If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. -If you disable this policy setting, these files do not open. +- If you disable this policy setting, these files do not open. -If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. +- If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. @@ -6988,11 +6997,11 @@ If you do not configure this policy setting, the user can configure how the comp This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. -If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. +- If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. -If you disable this policy setting, pop-up windows are not prevented from appearing. +- If you disable this policy setting, pop-up windows are not prevented from appearing. -If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. +- If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. @@ -7053,11 +7062,11 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -7118,11 +7127,11 @@ If you do not configure this policy setting, users are queried to choose whether This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -7183,9 +7192,9 @@ If you do not configure this policy setting, users will receive a prompt when a This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. +- If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. @@ -7246,11 +7255,12 @@ If you disable or do not configure this setting, users will receive a file downl This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -7311,11 +7321,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. +- If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. @@ -7376,11 +7386,11 @@ If you do not configure this policy setting, Web sites from less privileged zone This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. @@ -7441,11 +7451,11 @@ If you do not configure this policy setting, Internet Explorer will execute unsi This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -7506,13 +7516,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -7573,11 +7584,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -7638,11 +7649,11 @@ If you do not configure this policy setting, users can preserve information in t This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -7703,13 +7714,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -7770,7 +7781,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -7778,9 +7789,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to Medium Safety. +- If you do not configure this policy setting, the permission is set to Medium Safety. @@ -7841,11 +7852,11 @@ If you do not configure this policy setting, the permission is set to Medium Saf This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -7906,9 +7917,9 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations. -If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated. +- If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated. -If you disable this policy, then JScript will be utilized. +- If you disable this policy, then JScript will be utilized. If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript. @@ -7970,17 +7981,17 @@ If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSX -Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled, this policy has no effect. +Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge' ('RestrictIE') policy isn't enabled, this policy has no effect. -If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. +- If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. -If you disable or don’t configure this policy, all intranet sites are automatically opened in Microsoft Edge. +- If you disable or don't configure this policy, all intranet sites are automatically opened in Microsoft Edge. -We strongly recommend keeping this policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally, it’s best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. +We strongly recommend keeping this policy in sync with the 'Send all intranet sites to Internet Explorer' ('SendIntranetToInternetExplorer') policy. Additionally, it's best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. Related policies: -- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’) -- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’) +- Send all intranet sites to Internet Explorer ('SendIntranetToInternetExplorer') +- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge ('RestrictIE') For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see . @@ -8067,11 +8078,11 @@ For more info about how to use this policy together with other related policies This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -8132,11 +8143,11 @@ If you do not configure this policy setting, users can load a page in the zone t This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -8197,9 +8208,9 @@ If you do not configure this policy setting, users will receive a prompt when a This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. +- If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. @@ -8260,11 +8271,12 @@ If you disable or do not configure this setting, users will receive a file downl This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -8325,11 +8337,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -8390,11 +8402,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -8455,11 +8467,11 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -8520,13 +8532,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -8587,11 +8600,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -8652,11 +8665,11 @@ If you do not configure this policy setting, users can preserve information in t This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -8717,13 +8730,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. @@ -8784,7 +8797,7 @@ If you do not configure this policy setting, users are queried whether to allow This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -8792,9 +8805,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to Medium Safety. +- If you do not configure this policy setting, the permission is set to Medium Safety. @@ -8855,11 +8868,11 @@ If you do not configure this policy setting, the permission is set to Medium Saf This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -8920,11 +8933,11 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -8985,11 +8998,11 @@ If you do not configure this policy setting, users cannot load a page in the zon This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -9050,9 +9063,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -9113,11 +9126,12 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -9178,11 +9192,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -9243,11 +9257,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -9308,11 +9322,11 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -9373,13 +9387,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -9440,11 +9455,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -9505,13 +9520,13 @@ If you do not configure this policy setting, users can preserve information in t This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -9572,7 +9587,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -9580,9 +9595,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. @@ -9643,11 +9658,11 @@ If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -9708,7 +9723,7 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -9716,9 +9731,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. @@ -9779,11 +9794,11 @@ If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -9844,11 +9859,11 @@ If you do not configure this policy setting, users are queried to choose whether This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -9909,9 +9924,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -9972,11 +9987,12 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -10037,11 +10053,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -10102,11 +10118,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -10167,11 +10183,11 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -10232,13 +10248,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -10299,11 +10316,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -10364,13 +10381,13 @@ If you do not configure this policy setting, users can preserve information in t This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -10431,11 +10448,11 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -10496,11 +10513,11 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -10561,11 +10578,11 @@ If you do not configure this policy setting, users can load a page in the zone t This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -10626,9 +10643,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -10689,11 +10706,12 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -10754,11 +10772,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -10819,11 +10837,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -10884,11 +10902,11 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -10949,13 +10967,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -11016,11 +11035,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -11081,13 +11100,13 @@ If you do not configure this policy setting, users can preserve information in t This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -11148,7 +11167,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -11156,9 +11175,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. @@ -11219,11 +11238,11 @@ If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -11284,11 +11303,11 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -11349,11 +11368,11 @@ If you do not configure this policy setting, users cannot load a page in the zon This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -11414,9 +11433,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -11477,11 +11496,12 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. +- If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. @@ -11542,11 +11562,11 @@ If you do not configure this policy setting, users are queried whether to allow This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -11607,11 +11627,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -11672,11 +11692,11 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -11737,13 +11757,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -11804,11 +11825,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -11869,13 +11890,13 @@ If you do not configure this policy setting, users cannot preserve information i This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -11936,7 +11957,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -11944,9 +11965,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. @@ -12007,11 +12028,11 @@ If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. +- If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. +- If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. +- If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. @@ -12072,11 +12093,11 @@ If you do not configure this policy setting, users cannot open other windows and This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -12137,11 +12158,11 @@ If you do not configure this policy setting, users can load a page in the zone t This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -12202,9 +12223,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -12265,11 +12286,12 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -12330,11 +12352,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -12395,11 +12417,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -12460,11 +12482,11 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -12525,13 +12547,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -12592,11 +12615,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -12657,13 +12680,13 @@ If you do not configure this policy setting, users can preserve information in t This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -12724,7 +12747,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -12732,9 +12755,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. @@ -12795,11 +12818,11 @@ If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. @@ -12860,11 +12883,11 @@ If you do not configure this policy setting, users can open windows and frames f This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. -If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. +- If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. -If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. +- If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type. -If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. +- If you do not configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. @@ -12925,11 +12948,11 @@ If you do not configure this policy setting, MIME sniffing will never promote a The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. -If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. +- If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. -If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. +- If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes. -If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. +- If you do not configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. @@ -12990,9 +13013,9 @@ If you do not configure this policy setting, the MK Protocol is prevented for Fi This policy setting allows you to specify what is displayed when the user opens a new tab. -If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. +- If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. -If you disable or do not configure this policy setting, the user can select his or her preference for this behavior. +- If you disable or do not configure this policy setting, the user can select his or her preference for this behavior. @@ -13053,11 +13076,11 @@ If you disable or do not configure this policy setting, the user can select his This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. -If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. +- If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. -If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. +- If you disable this policy setting, the Notification bar will not be displayed for Internet Explorer processes. -If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. +- If you do not configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes. @@ -13118,9 +13141,9 @@ If you do not configure this policy setting, the Notification bar will be displa This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. -If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. +- If you enable this policy setting, the user is not prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user. -If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. +- If you disable or do not configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience. @@ -13181,9 +13204,9 @@ If you disable or do not configure this policy setting, the user is prompted to This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. -If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. +- If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. -If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. +- If you disable or do not configure this policy setting, ActiveX controls can be installed on a per-user basis. @@ -13245,11 +13268,11 @@ If you disable or do not configure this policy setting, ActiveX controls can be Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. -If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. +- If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. -If you disable this policy setting, no zone receives such protection for Internet Explorer processes. +- If you disable this policy setting, no zone receives such protection for Internet Explorer processes. -If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. +- If you do not configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. @@ -13310,9 +13333,9 @@ If you do not configure this policy setting, any zone can be protected from zone This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. -If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. +- If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. -If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. +- If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. @@ -13376,7 +13399,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. -If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. @@ -13442,11 +13465,11 @@ For more information, see This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. -If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. +- If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. -If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. +- If you disable this policy setting, prompting for ActiveX control installations will not be blocked for Internet Explorer processes. -If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. +- If you do not configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes. @@ -13507,11 +13530,11 @@ If you do not configure this policy setting, the user's preference will be used This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -13572,11 +13595,11 @@ If you do not configure this policy setting, users cannot load a page in the zon This policy setting allows you to manage whether script code on pages in the zone is run. -If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. +- If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. -If you disable this policy setting, script code on pages in the zone is prevented from running. +- If you disable this policy setting, script code on pages in the zone is prevented from running. -If you do not configure this policy setting, script code on pages in the zone is prevented from running. +- If you do not configure this policy setting, script code on pages in the zone is prevented from running. @@ -13637,11 +13660,11 @@ If you do not configure this policy setting, script code on pages in the zone is This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. @@ -13702,9 +13725,9 @@ If you do not configure this policy setting, ActiveX control installations will This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. +- If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. @@ -13765,11 +13788,11 @@ If you disable or do not configure this setting, file downloads that are not use This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. -If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. +- If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available. -If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. +- If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. -If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. +- If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. @@ -13830,13 +13853,13 @@ If you do not configure this policy setting, binary and script behaviors are not This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. -If you enable this policy setting, a script can perform a clipboard operation. +- If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. -If you disable this policy setting, a script cannot perform a clipboard operation. +- If you disable this policy setting, a script cannot perform a clipboard operation. -If you do not configure this policy setting, a script cannot perform a clipboard operation. +- If you do not configure this policy setting, a script cannot perform a clipboard operation. @@ -13897,11 +13920,11 @@ If you do not configure this policy setting, a script cannot perform a clipboard This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. -If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. +- If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. -If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. +- If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone. -If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. +- If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. @@ -13962,11 +13985,11 @@ If you do not configure this policy setting, users are queried to choose whether This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. -If you enable this policy setting, files can be downloaded from the zone. +- If you enable this policy setting, files can be downloaded from the zone. -If you disable this policy setting, files are prevented from being downloaded from the zone. +- If you disable this policy setting, files are prevented from being downloaded from the zone. -If you do not configure this policy setting, files are prevented from being downloaded from the zone. +- If you do not configure this policy setting, files are prevented from being downloaded from the zone. @@ -14027,11 +14050,12 @@ If you do not configure this policy setting, files are prevented from being down This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. +- If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. @@ -14092,11 +14116,11 @@ If you do not configure this policy setting, users are queried whether to allow This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. @@ -14157,11 +14181,11 @@ If you do not configure this policy setting, the possibly harmful navigations ar This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. -If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. +- If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files. -If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. +- If you disable this policy setting, XAML files are not loaded inside Internet Explorer. The user cannot change this behavior. -If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. +- If you do not configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer. @@ -14222,11 +14246,11 @@ If you do not configure this policy setting, the user can decide whether to load This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. -If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. +- If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. -If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. +- If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. -If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. +- If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. @@ -14287,11 +14311,11 @@ If you do not configure this policy setting, a user's browser that loads a page This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. @@ -14352,9 +14376,9 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. -If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. +- If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. -If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. +- If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. @@ -14415,9 +14439,9 @@ If you disable this policy setting, the user does not see the per-site ActiveX p This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. -If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. +- If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. -If you disable this policy setting, the TDC Active X control will run from all sites in this zone. +- If you disable this policy setting, the TDC Active X control will run from all sites in this zone. @@ -14478,11 +14502,11 @@ If you disable this policy setting, the TDC Active X control will run from all s This policy setting determines whether a page can control embedded WebBrowser controls via script. -If you enable this policy setting, script access to the WebBrowser control is allowed. +- If you enable this policy setting, script access to the WebBrowser control is allowed. -If you disable this policy setting, script access to the WebBrowser control is not allowed. +- If you disable this policy setting, script access to the WebBrowser control is not allowed. -If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. +- If you do not configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones. @@ -14543,11 +14567,11 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. -If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. +- If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. -If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +- If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +- If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. @@ -14608,11 +14632,11 @@ If you do not configure this policy setting, the possible harmful actions contai This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -14673,13 +14697,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -14740,9 +14765,9 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage whether script is allowed to update the status bar within the zone. -If you enable this policy setting, script is allowed to update the status bar. +- If you enable this policy setting, script is allowed to update the status bar. -If you disable or do not configure this policy setting, script is not allowed to update the status bar. +- If you disable or do not configure this policy setting, script is not allowed to update the status bar. @@ -14803,11 +14828,11 @@ If you disable or do not configure this policy setting, script is not allowed to This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -14935,11 +14960,11 @@ If you do not configure or disable this policy setting, VBScript is prevented fr This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -15000,11 +15025,11 @@ If you don't configure this policy setting, Internet Explorer always checks with This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. -If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. +- If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. -If you disable the policy setting, signed controls cannot be downloaded. +- If you disable the policy setting, signed controls cannot be downloaded. -If you do not configure this policy setting, signed controls cannot be downloaded. +- If you do not configure this policy setting, signed controls cannot be downloaded. @@ -15065,11 +15090,11 @@ If you do not configure this policy setting, signed controls cannot be downloade This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. -If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. +- If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. -If you disable this policy setting, users cannot run unsigned controls. +- If you disable this policy setting, users cannot run unsigned controls. -If you do not configure this policy setting, users cannot run unsigned controls. +- If you do not configure this policy setting, users cannot run unsigned controls. @@ -15130,9 +15155,9 @@ If you do not configure this policy setting, users cannot run unsigned controls. This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. -If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. +- If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. -If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. +- If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections. @@ -15193,9 +15218,9 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. @@ -15260,9 +15285,9 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. +- If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +- If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. @@ -15327,11 +15352,11 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. -If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. +- If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added layer of security provided by this feature. -If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. +- If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. -If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. +- If you do not configure this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. @@ -15392,11 +15417,11 @@ If you do not configure this policy setting, the actions that may be harmful can This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. -If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. +- If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. -If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. +- If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. -If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. +- If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. @@ -15457,13 +15482,13 @@ If you do not configure this policy setting, the user can choose whether path in This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. @@ -15524,7 +15549,7 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -15532,9 +15557,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, Java applets are disabled. +- If you do not configure this policy setting, Java applets are disabled. @@ -15595,11 +15620,11 @@ If you do not configure this policy setting, Java applets are disabled. This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. -If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. +- If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. -If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. +- If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. -If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. +- If you do not configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. @@ -15660,7 +15685,7 @@ If you do not configure this policy setting, users are prevented from running ap This policy setting allows you to manage settings for logon options. -If you enable this policy setting, you can choose from the following logon options. +- If you enable this policy setting, you can choose from the following logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. @@ -15670,9 +15695,9 @@ Automatic logon only in Intranet zone to query users for user IDs and passwords Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. -If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. +- If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. -If you do not configure this policy setting, logon is set to Prompt for username and password. +- If you do not configure this policy setting, logon is set to Prompt for username and password. @@ -15733,11 +15758,11 @@ If you do not configure this policy setting, logon is set to Prompt for username This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. +- If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. +- If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. +- If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. @@ -15798,13 +15823,13 @@ If you do not configure this policy setting, users cannot open other windows and This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. -If you enable this policy setting, controls and plug-ins can run without user intervention. +- If you enable this policy setting, controls and plug-ins can run without user intervention. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. -If you disable this policy setting, controls and plug-ins are prevented from running. +- If you disable this policy setting, controls and plug-ins are prevented from running. -If you do not configure this policy setting, controls and plug-ins are prevented from running. +- If you do not configure this policy setting, controls and plug-ins are prevented from running. @@ -15865,11 +15890,11 @@ If you do not configure this policy setting, controls and plug-ins are prevented This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. +- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. -If you disable this policy setting, Internet Explorer will not execute signed managed components. +- If you disable this policy setting, Internet Explorer will not execute signed managed components. -If you do not configure this policy setting, Internet Explorer will not execute signed managed components. +- If you do not configure this policy setting, Internet Explorer will not execute signed managed components. @@ -15930,13 +15955,13 @@ If you do not configure this policy setting, Internet Explorer will not execute This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. -If you enable this policy setting, script interaction can occur automatically without user intervention. +- If you enable this policy setting, script interaction can occur automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. -If you disable this policy setting, script interaction is prevented from occurring. +- If you disable this policy setting, script interaction is prevented from occurring. -If you do not configure this policy setting, script interaction is prevented from occurring. +- If you do not configure this policy setting, script interaction is prevented from occurring. @@ -15997,13 +16022,13 @@ If you do not configure this policy setting, script interaction is prevented fro This policy setting allows you to manage whether applets are exposed to scripts within the zone. -If you enable this policy setting, scripts can access applets automatically without user intervention. +- If you enable this policy setting, scripts can access applets automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. -If you disable this policy setting, scripts are prevented from accessing applets. +- If you disable this policy setting, scripts are prevented from accessing applets. -If you do not configure this policy setting, scripts are prevented from accessing applets. +- If you do not configure this policy setting, scripts are prevented from accessing applets. @@ -16064,11 +16089,11 @@ If you do not configure this policy setting, scripts are prevented from accessin This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). -If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. +- If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. -If you disable this policy setting, these files do not open. +- If you disable this policy setting, these files do not open. -If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. +- If you do not configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones. @@ -16129,11 +16154,11 @@ If you do not configure this policy setting, the user can configure how the comp This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. -If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. +- If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. -If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. +- If you disable this policy setting, Protected Mode is turned off. The user cannot turn on Protected Mode. -If you do not configure this policy setting, the user can turn on or turn off Protected Mode. +- If you do not configure this policy setting, the user can turn on or turn off Protected Mode. @@ -16194,11 +16219,11 @@ If you do not configure this policy setting, the user can turn on or turn off Pr This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. -If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. +- If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. -If you disable this policy setting, pop-up windows are not prevented from appearing. +- If you disable this policy setting, pop-up windows are not prevented from appearing. -If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. +- If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. @@ -16259,11 +16284,11 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr This policy setting enables blocking of file download prompts that are not user initiated. -If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. +- If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. -If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. +- If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. -If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. +- If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. @@ -16324,11 +16349,11 @@ If you do not configure this policy setting, the user's preference determines wh Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. -If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. +- If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. -If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. +- If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. -If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. +- If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. @@ -16389,11 +16414,12 @@ If you do not configure this policy setting, popup windows and other restriction This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. +- If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers -**Note**: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. +> [!NOTE] +> This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. -If you disable or do not configure this policy setting, the user can configure his or her list of search providers. +- If you disable or do not configure this policy setting, the user can configure his or her list of search providers. @@ -16451,9 +16477,9 @@ If you disable or do not configure this policy setting, the user can configure h Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. -If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. +- If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. -If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. +- If you disable this policy or do not configure it, users of the same computer can establish their own security zone settings. This policy is intended to ensure that security zone settings apply uniformly to the same computer and do not vary from user to user. @@ -16523,7 +16549,8 @@ Enabling this setting automatically opens all sites not included in the Enterpri Disabling, or not configuring this setting, opens all sites based on the currently active browser. -**Note**: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. +> [!NOTE] +> If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. @@ -16610,9 +16637,9 @@ Disabling, or not configuring this setting, opens all sites based on the current This policy setting allows you to specify how ActiveX controls are installed. -If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. +- If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. -If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. +- If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process. @@ -16674,11 +16701,11 @@ If you disable or do not configure this policy setting, ActiveX controls, includ This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. +- If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -16739,11 +16766,11 @@ If you do not configure this policy setting, users can load a page in the zone t This policy setting manages whether users will be automatically prompted for ActiveX control installations. -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. +- If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. +- If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -16804,9 +16831,9 @@ If you do not configure this policy setting, users will receive a prompt when a This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. -If you enable this setting, users will receive a file download dialog for automatic download attempts. +- If you enable this setting, users will receive a file download dialog for automatic download attempts. -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. +- If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. @@ -16867,11 +16894,12 @@ If you disable or do not configure this setting, users will receive a file downl This policy setting allows you to manage whether pages of the zone may download HTML fonts. -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. +- If you enable this policy setting, HTML fonts can be downloaded automatically. +- If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. -If you disable this policy setting, HTML fonts are prevented from downloading. +- If you disable this policy setting, HTML fonts are prevented from downloading. -If you do not configure this policy setting, HTML fonts can be downloaded automatically. +- If you do not configure this policy setting, HTML fonts can be downloaded automatically. @@ -16932,11 +16960,11 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +- If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +- If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. +- If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. @@ -16997,11 +17025,11 @@ If you do not configure this policy setting, a warning is issued to the user tha This policy setting allows you to manage whether . NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. +- If you disable this policy setting, Internet Explorer will not execute unsigned managed components. -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. +- If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. @@ -17062,11 +17090,11 @@ If you do not configure this policy setting, Internet Explorer will execute unsi This policy setting allows you to manage whether the user can run scriptlets. -If you enable this policy setting, the user can run scriptlets. +- If you enable this policy setting, the user can run scriptlets. -If you disable this policy setting, the user cannot run scriptlets. +- If you disable this policy setting, the user cannot run scriptlets. -If you do not configure this policy setting, the user can enable or disable scriptlets. +- If you do not configure this policy setting, the user can enable or disable scriptlets. @@ -17127,13 +17155,14 @@ If you do not configure this policy setting, the user can enable or disable scri This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. +- If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. +- If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. +- If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. -**Note**: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. @@ -17194,11 +17223,11 @@ If you do not configure this policy setting, the user can choose whether SmartSc This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. +- If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -17259,11 +17288,11 @@ If you do not configure this policy setting, users can preserve information in t This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +- If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +- If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -17324,13 +17353,13 @@ If you don't configure this policy setting, Internet Explorer won't check with y This policy setting allows you to manage ActiveX controls not marked as safe. -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. +- If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. +- If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. +- If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. @@ -17391,7 +17420,7 @@ If you do not configure this policy setting, users are queried whether to allow This policy setting allows you to manage permissions for Java applets. -If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. +- If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations. @@ -17399,9 +17428,9 @@ Medium Safety enables applets to run in their sandbox (an area in memory outside High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. -If you disable this policy setting, Java applets cannot run. +- If you disable this policy setting, Java applets cannot run. -If you do not configure this policy setting, the permission is set to Low Safety. +- If you do not configure this policy setting, the permission is set to Low Safety. @@ -17462,11 +17491,11 @@ If you do not configure this policy setting, the permission is set to Low Safety This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +- If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. +- If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. +- If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 00c57f2f58..68f64fc6e5 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,10 +1,10 @@ --- title: Kerberos Policy CSP -description: Learn more about the Kerberos Area in Policy CSP +description: Learn more about the Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,9 +44,9 @@ ms.topic: reference This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. +- If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. +- If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. @@ -104,9 +104,9 @@ If you disable or do not configure this policy setting, the Kerberos client does This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon. -If you disable or do not configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket is not retrieved during logon. +- If you disable or do not configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket is not retrieved during logon. -If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon. +- If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon. @@ -170,9 +170,9 @@ If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. +- If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. +- If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. @@ -230,17 +230,17 @@ If you disable or do not configure this policy setting, the client devices will This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication. -If you enable this policy, you will be able to configure one of four states for each algorithm: +- If you enable this policy, you will be able to configure one of four states for each algorithm: -- “Default” sets the algorithm to the recommended state. +- "Default" sets the algorithm to the recommended state. -- “Supported” enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. +- "Supported" enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. -- “Audited” enables usage of the algorithm and reports an event (ID 206) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled. +- "Audited" enables usage of the algorithm and reports an event (ID 206) every time it is used. This state is intended to verify that the algorithm is not being used and can be safely disabled. -- “Not Supported” disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +- "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. -If you disable or do not configure this policy, each algorithm will assume the “Default” state. +- If you disable or do not configure this policy, each algorithm will assume the "Default" state. More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at . Events generated by this configuration: 205, 206, 207, 208. @@ -265,8 +265,8 @@ Events generated by this configuration: 205, 206, 207, 208. | Value | Description | |:--|:--| -| 0 (Default) | Disabled / Not Configured | -| 1 | Enabled | +| 0 (Default) | Disabled / Not Configured. | +| 1 | Enabled. | @@ -336,10 +336,10 @@ If you don't configure this policy, the SHA1 algorithm will assume the **Default | Value | Description | |:--|:--| -| 0 | Not Supported | -| 1 (Default) | Default | -| 2 | Audited | -| 3 | Supported | +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | @@ -404,10 +404,10 @@ If you don't configure this policy, the SHA256 algorithm will assume the **Defau | Value | Description | |:--|:--| -| 0 | Not Supported | -| 1 (Default) | Default | -| 2 | Audited | -| 3 | Supported | +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | @@ -472,10 +472,10 @@ If you don't configure this policy, the SHA384 algorithm will assume the **Defau | Value | Description | |:--|:--| -| 0 | Not Supported | -| 1 (Default) | Default | -| 2 | Audited | -| 3 | Supported | +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | @@ -540,10 +540,10 @@ If you don't configure this policy, the SHA512 algorithm will assume the **Defau | Value | Description | |:--|:--| -| 0 | Not Supported | -| 1 (Default) | Default | -| 2 | Audited | -| 3 | Supported | +| 0 | Not Supported. | +| 1 (Default) | Default. | +| 2 | Audited. | +| 3 | Supported. | @@ -583,12 +583,12 @@ This policy setting controls whether a computer requires that Kerberos message e > [!WARNING] > When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. +- If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. > [!NOTE] > The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. +- If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. @@ -646,9 +646,9 @@ If you disable or do not configure this policy setting, the client computers in This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. +- If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. +- If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. @@ -708,9 +708,9 @@ This policy setting allows you to set the value returned to applications which r The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. +- If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. +- If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. > [!NOTE] > This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 162f7c6bb1..cffc594e00 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -1,10 +1,10 @@ --- title: KioskBrowser Policy CSP -description: Learn more about the KioskBrowser Area in Policy CSP +description: Learn more about the KioskBrowser Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -201,8 +201,8 @@ When the policy is enabled, the Kiosk Browser app shows a button to reset the br | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -256,8 +256,8 @@ Enable/disable kiosk browser's home button. | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -311,8 +311,8 @@ Enable/disable kiosk browser's navigation buttons (forward/back). | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index 842f4da6b6..eeb195ac8a 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -1,10 +1,10 @@ --- title: LanmanWorkstation Policy CSP -description: Learn more about the LanmanWorkstation Area in Policy CSP +description: Learn more about the LanmanWorkstation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,9 +39,9 @@ ms.topic: reference This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. -If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. +- If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. -If you disable this policy setting, the SMB client will reject insecure guest logons. +- If you disable this policy setting, the SMB client will reject insecure guest logons. Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access." @@ -65,8 +65,8 @@ Insecure guest logons are used by file servers to allow unauthenticated access t | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 4510db53df..b425e49931 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -1,10 +1,10 @@ --- title: Licensing Policy CSP -description: Learn more about the Licensing Area in Policy CSP +description: Learn more about the Licensing Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -105,7 +105,7 @@ Policy Options: This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. -If you disable or do not configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates. +- If you disable or do not configure this policy setting, KMS client activation data will be sent to Microsoft services when this device activates. Policy Options: - Not Configured (default -- data will be automatically sent to Microsoft) - Disabled (data will be automatically sent to Microsoft) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 361f69d2b9..459b035faf 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,10 +1,10 @@ --- title: LocalPoliciesSecurityOptions Policy CSP -description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP +description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/06/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,7 +39,8 @@ ms.topic: reference -This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. +This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can't add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. +- If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. @@ -63,7 +64,7 @@ This policy setting prevents users from adding new Microsoft accounts on this co |:--|:--| | 0 (Default) | Disabled (users will be able to use Microsoft accounts with Windows). | | 1 | Enabled (users can't add Microsoft accounts). | -| 3 | Users can't add or log on with Microsoft accounts | +| 3 | Users can't add or log on with Microsoft accounts. | @@ -123,8 +124,8 @@ This security setting determines whether the local Administrator account is enab | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -184,8 +185,8 @@ This security setting determines if the Guest account is enabled or disabled. De | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -248,8 +249,8 @@ Accounts Limit local account use of blank passwords to console logon only This s | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled | +| 0 | Disabled. | +| 1 (Default) | Enabled. | @@ -456,8 +457,8 @@ Devices Allow undock without having to log on This security setting determines w | Value | Description | |:--|:--| -| 1 (Default) | Allow | -| 0 | Block | +| 1 (Default) | Allow. | +| 0 | Block. | @@ -492,7 +493,9 @@ Devices Allow undock without having to log on This security setting determines w -Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. +Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. +- If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. +- If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -514,8 +517,8 @@ Devices: Prevent users from installing printer drivers when connecting to shared | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -621,10 +624,10 @@ Interactive Logon:Display user information when the session is locked User displ | Value | Description | |:--|:--| -| 1 (Default) | User display name, domain and user names | -| 2 | User display name only | -| 3 | Do not display user information | -| 4 | Domain and user names only | +| 1 (Default) | User display name, domain and user names. | +| 2 | User display name only. | +| 3 | Do not display user information. | +| 4 | Domain and user names only. | @@ -681,8 +684,8 @@ Interactive logon: Don't display last signed-in This security setting determines | Value | Description | |:--|:--| -| 0 (Default) | Disabled (username will be shown) | -| 1 | Enabled (username will not be shown) | +| 0 (Default) | Disabled (username will be shown). | +| 1 | Enabled (username will not be shown). | @@ -739,8 +742,8 @@ Interactive logon: Don't display username at sign-in This security setting deter | Value | Description | |:--|:--| -| 0 | Disabled (username will be shown) | -| 1 (Default) | Enabled (username will not be shown) | +| 0 | Disabled (username will be shown). | +| 1 (Default) | Enabled (username will not be shown). | @@ -797,8 +800,8 @@ Interactive logon: Do not require CTRL+ALT+DEL This security setting determines | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled (a user is not required to press CTRL+ALT+DEL to log on) | +| 0 | Disabled. | +| 1 (Default) | Enabled (a user is not required to press CTRL+ALT+DEL to log on). | @@ -1008,10 +1011,10 @@ Interactive logon Smart card removal behavior This security setting determines w | Value | Description | |:--|:--| -| 0 (Default) | No Action | -| 1 | Lock Workstation | -| 2 | Force Logoff | -| 3 | Disconnect if a Remote Desktop Services session | +| 0 (Default) | No Action. | +| 1 | Lock Workstation. | +| 2 | Force Logoff. | +| 3 | Disconnect if a Remote Desktop Services session. | @@ -1046,7 +1049,8 @@ Interactive logon Smart card removal behavior This security setting determines w -Microsoft network client Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default Disabled +Microsoft network client Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. +- If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default Disabled > [!IMPORTANT] > For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client Digitally sign communications (if server agrees) @@ -1074,8 +1078,8 @@ Microsoft network client Digitally sign communications (always) This security se | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1110,7 +1114,8 @@ Microsoft network client Digitally sign communications (always) This security se -Microsoft network client Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled +Microsoft network client Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. +- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled > [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . @@ -1135,8 +1140,8 @@ Microsoft network client Digitally sign communications (if server agrees) This s | Value | Description | |:--|:--| -| 1 (Default) | Enable | -| 0 | Disable | +| 1 (Default) | Enable. | +| 0 | Disable. | @@ -1193,8 +1198,8 @@ Microsoft network client: Send unencrypted password to connect to third-party SM | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1229,7 +1234,9 @@ Microsoft network client: Send unencrypted password to connect to third-party SM -Microsoft network server Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default Disabled for member servers. Enabled for domain controllers +Microsoft network server Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. +- If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. +- If this setting is disabled, SMB packet signing is negotiated between the client and server. Default Disabled for member servers. Enabled for domain controllers > [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors @@ -1257,8 +1264,8 @@ Microsoft network server Digitally sign communications (always) This security se | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1293,7 +1300,8 @@ Microsoft network server Digitally sign communications (always) This security se -Microsoft network server Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled on domain controllers only +Microsoft network server Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. +- If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default Enabled on domain controllers only > [!IMPORTANT] > For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000 HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings Microsoft network client Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference . @@ -1318,8 +1326,8 @@ Microsoft network server Digitally sign communications (if client agrees) This s | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1354,7 +1362,8 @@ Microsoft network server Digitally sign communications (if client agrees) This s -Network access: Allow anonymous SID/name translation This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled. +Network access: Allow anonymous SID/name translation This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. +- If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled. @@ -1376,8 +1385,8 @@ Network access: Allow anonymous SID/name translation This policy setting determi | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1437,8 +1446,8 @@ Network access Do not allow anonymous enumeration of SAM accounts This security | Value | Description | |:--|:--| -| 1 (Default) | Enabled | -| 0 | Disabled | +| 1 (Default) | Enabled. | +| 0 | Disabled. | @@ -1495,8 +1504,8 @@ Network access: Do not allow anonymous enumeration of SAM accounts and shares Th | Value | Description | |:--|:--| -| 1 | Enabled | -| 0 (Default) | Disabled | +| 1 | Enabled. | +| 0 (Default) | Disabled. | @@ -1553,8 +1562,8 @@ Network access: Restrict anonymous access to Named Pipes and Shares When enabled | Value | Description | |:--|:--| -| 1 (Default) | Enable | -| 0 | Disable | +| 1 (Default) | Enable. | +| 0 | Disable. | @@ -1637,7 +1646,9 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy -Network security Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008 +Network security Allow Local System to use computer identity for NTLM This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. +- If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. +- If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008 > [!NOTE] > Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. @@ -1664,8 +1675,8 @@ Network security Allow Local System to use computer identity for NTLM This polic | Value | Description | |:--|:--| -| 1 (Default) | Allow | -| 0 | Block | +| 1 (Default) | Allow. | +| 0 | Block. | @@ -1722,8 +1733,8 @@ Network security: Allow PKU2U authentication requests to this computer to use on | Value | Description | |:--|:--| -| 0 | Block | -| 1 (Default) | Allow | +| 0 | Block. | +| 1 (Default) | Allow. | @@ -1786,8 +1797,8 @@ Network security Do not store LAN Manager hash value on next password change Thi | Value | Description | |:--|:--| -| 1 (Default) | Enable | -| 0 | Disable | +| 1 (Default) | Enable. | +| 0 | Disable. | @@ -1847,8 +1858,8 @@ Network security Force logoff when logon hours expire This security setting dete | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1908,12 +1919,12 @@ Network security LAN Manager authentication level This security setting determin | Value | Description | |:--|:--| -| 0 | Send LM and NTLM responses | -| 1 | Send LM and NTLM-use NTLMv2 session security if negotiated | -| 2 | Send LM and NTLM responses only | -| 3 (Default) | Send LM and NTLMv2 responses only | -| 4 | Send LM and NTLMv2 responses only. Refuse LM | -| 5 | Send LM and NTLMv2 responses only. Refuse LM and NTLM | +| 0 | Send LM and NTLM responses. | +| 1 | Send LM and NTLM-use NTLMv2 session security if negotiated. | +| 2 | Send LM and NTLM responses only. | +| 3 (Default) | Send LM and NTLMv2 responses only. | +| 4 | Send LM and NTLMv2 responses only. Refuse LM. | +| 5 | Send LM and NTLMv2 responses only. Refuse LM and NTLM. | @@ -1970,10 +1981,10 @@ Network security: Minimum session security for NTLM SSP based (including secure | Value | Description | |:--|:--| -| 0 | None | -| 524288 | Require NTLMv2 session security | -| 536870912 (Default) | Require 128-bit encryption | -| 537395200 | Require NTLM and 128-bit encryption | +| 0 | None. | +| 524288 | Require NTLMv2 session security. | +| 536870912 (Default) | Require 128-bit encryption. | +| 537395200 | Require NTLM and 128-bit encryption. | @@ -2030,10 +2041,10 @@ Network security: Minimum session security for NTLM SSP based (including secure | Value | Description | |:--|:--| -| 0 | None | -| 524288 | Require NTLMv2 session security | -| 536870912 (Default) | Require 128-bit encryption | -| 537395200 | Require NTLM and 128-bit encryption | +| 0 | None. | +| 524288 | Require NTLMv2 session security. | +| 536870912 (Default) | Require 128-bit encryption. | +| 537395200 | Require NTLM and 128-bit encryption. | @@ -2068,7 +2079,8 @@ Network security: Minimum session security for NTLM SSP based (including secure -Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. +Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. +- If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. @@ -2142,9 +2154,9 @@ Network security Restrict NTLM Audit Incoming NTLM Traffic This policy setting a | Value | Description | |:--|:--| -| 0 (Default) | Disable | -| 1 | Enable auditing for domain accounts | -| 2 | Enable auditing for all accounts | +| 0 (Default) | Disable. | +| 1 | Enable auditing for domain accounts. | +| 2 | Enable auditing for all accounts. | @@ -2204,9 +2216,9 @@ Network security Restrict NTLM Incoming NTLM traffic This policy setting allows | Value | Description | |:--|:--| -| 0 (Default) | Allow all | -| 1 | Deny all domain accounts | -| 2 | Deny all accounts | +| 0 (Default) | Allow all. | +| 1 | Deny all domain accounts. | +| 2 | Deny all accounts. | @@ -2266,9 +2278,9 @@ Network security Restrict NTLM Outgoing NTLM traffic to remote servers This poli | Value | Description | |:--|:--| -| 0 (Default) | Allow all | -| 1 | Deny all domain accounts | -| 2 | Deny all accounts | +| 0 (Default) | Allow all. | +| 1 | Deny all domain accounts. | +| 2 | Deny all accounts. | @@ -2325,8 +2337,8 @@ Shutdown: Allow system to be shut down without having to log on This security se | Value | Description | |:--|:--| -| 0 | disabled | -| 1 (Default) | enabled (allow system to be shut down without having to log on) | +| 0 | Disabled. | +| 1 (Default) | Enabled (allow system to be shut down without having to log on). | @@ -2361,7 +2373,8 @@ Shutdown: Allow system to be shut down without having to log on This security se -Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. +Shutdown: Clear virtual memory pagefile This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. +- If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. @@ -2383,8 +2396,8 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -2419,7 +2432,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether -User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. +User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. @@ -2441,8 +2454,8 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou | Value | Description | |:--|:--| -| 0 (Default) | disabled | -| 1 | enabled (allow UIAccess applications to prompt for elevation without using the secure desktop) | +| 0 (Default) | Disabled. | +| 1 | Enabled (allow UIAccess applications to prompt for elevation without using the secure desktop). | @@ -2477,10 +2490,10 @@ User Account Control: Allow UIAccess applications to prompt for elevation withou -User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are • Elevate without prompting Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials +User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are - Elevate without prompting Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials > [!NOTE] -> Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. +> Use this option only in the most constrained environments. - Prompt for credentials on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - Prompt for credentials When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - Prompt for consent When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - Prompt for consent for non-Windows binaries (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. @@ -2502,12 +2515,12 @@ User Account Control Behavior of the elevation prompt for administrators in Admi | Value | Description | |:--|:--| -| 0 | Elevate without prompting | -| 1 | Prompt for credentials on the secure desktop | -| 2 | Prompt for consent on the secure desktop | -| 3 | Prompt for credentials | -| 4 | Prompt for consent | -| 5 (Default) | Prompt for consent for non-Windows binaries | +| 0 | Elevate without prompting. | +| 1 | Prompt for credentials on the secure desktop. | +| 2 | Prompt for consent on the secure desktop. | +| 3 | Prompt for credentials. | +| 4 | Prompt for consent. | +| 5 (Default) | Prompt for consent for non-Windows binaries. | @@ -2542,7 +2555,7 @@ User Account Control Behavior of the elevation prompt for administrators in Admi -User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: • Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. @@ -2564,9 +2577,9 @@ User Account Control: Behavior of the elevation prompt for standard users This p | Value | Description | |:--|:--| -| 0 | Automatically deny elevation requests | -| 1 | Prompt for credentials on the secure desktop | -| 3 (Default) | Prompt for credentials | +| 0 | Automatically deny elevation requests. | +| 1 | Prompt for credentials on the secure desktop. | +| 3 (Default) | Prompt for credentials. | @@ -2623,8 +2636,8 @@ User Account Control: Detect application installations and prompt for elevation | Value | Description | |:--|:--| -| 1 (Default) | Enable | -| 0 | Disable | +| 1 (Default) | Enable. | +| 0 | Disable. | @@ -2659,7 +2672,7 @@ User Account Control: Detect application installations and prompt for elevation -User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. +User Account Control: Only elevate executable files that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: - Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. @@ -2717,7 +2730,7 @@ User Account Control: Only elevate executable files that are signed and validate -User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. +User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ - ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. @@ -2775,7 +2788,7 @@ User Account Control: Only elevate UIAccess applications that are installed in s -User Account Control Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are • Enabled (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled Admin Approval Mode and all related UAC policy settings are disabled +User Account Control Turn on Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are - Enabled (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - Disabled Admin Approval Mode and all related UAC policy settings are disabled > [!NOTE] > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. @@ -2800,8 +2813,8 @@ User Account Control Turn on Admin Approval Mode This policy setting controls th | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled | +| 0 | Disabled. | +| 1 (Default) | Enabled. | @@ -2836,7 +2849,7 @@ User Account Control Turn on Admin Approval Mode This policy setting controls th -User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. +User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. @@ -2858,8 +2871,8 @@ User Account Control: Switch to the secure desktop when prompting for elevation | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled | +| 0 | Disabled. | +| 1 (Default) | Enabled. | @@ -2894,7 +2907,7 @@ User Account Control: Switch to the secure desktop when prompting for elevation -User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. +User Account Control: Use Admin Approval Mode for the built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. @@ -2916,8 +2929,8 @@ User Account Control: Use Admin Approval Mode for the built-in Administrator acc | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -2952,7 +2965,7 @@ User Account Control: Use Admin Approval Mode for the built-in Administrator acc -User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. • Disabled: Applications that write data to protected locations fail. +User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: - Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - Disabled: Applications that write data to protected locations fail. @@ -2974,8 +2987,8 @@ User Account Control: Virtualize file and registry write failures to per-user lo | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled | +| 0 | Disabled. | +| 1 (Default) | Enabled. | diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 3829efc9fb..930981e88b 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -1,10 +1,10 @@ --- title: LocalUsersAndGroups Policy CSP -description: Learn more about the LocalUsersAndGroups Area in Policy CSP +description: Learn more about the LocalUsersAndGroups Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,16 @@ ms.topic: reference -This Setting allows an administrator to manage local groups on a Device. Possible settings: 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that are not specified in the policy remain untouched. 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group members that are not specified in the policy are removed. +This Setting allows an administrator to manage local groups on a Device. +Possible settings + +1. Update Group Membership Update a group and add and/or remove members though the 'U' action. +When using Update, existing group members that are not specified in the policy remain untouched. + +2. Replace Group Membership Restrict a group by replacing group membership through the 'R' action. +When using Replace, existing group membership is replaced by the list of members specified in +the add member section. This option works in the same way as a Restricted Group and any group +members that are not specified in the policy are removed > [!CAUTION] > If the same group is configured with both Replace and Update, then Replace will win. diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 743e929abc..d622ee011f 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -1,10 +1,10 @@ --- title: LockDown Policy CSP -description: Learn more about the LockDown Area in Policy CSP +description: Learn more about the LockDown Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,9 +37,9 @@ ms.topic: reference -If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge. +- If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge. -If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen edges. +- If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen edges. diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md index 23573031f7..44b1d9a8ae 100644 --- a/windows/client-management/mdm/policy-csp-lsa.md +++ b/windows/client-management/mdm/policy-csp-lsa.md @@ -1,10 +1,10 @@ --- title: LocalSecurityAuthority Policy CSP -description: Learn more about the LocalSecurityAuthority Area in Policy CSP +description: Learn more about the LocalSecurityAuthority Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/03/2023 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - LocalSecurityAuthority > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy controls the configuration under which LSASS loads custom SSPs and APs. -If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. +- If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded. -If you disable this setting, LSA does not load custom SSPs and APs. +- If you disable this setting, LSA does not load custom SSPs and APs. @@ -66,7 +64,7 @@ If you disable this setting, LSA does not load custom SSPs and APs. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -106,13 +104,13 @@ If you disable this setting, LSA does not load custom SSPs and APs. This policy controls the configuration under which LSASS is run. -If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration is not UEFI locked. This can be overridden if the policy is configured. +- If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration is not UEFI locked. This can be overridden if the policy is configured. -If you configure and set this policy setting to "Disabled", LSA will not run as a protected process. +- If you configure and set this policy setting to "Disabled", LSA will not run as a protected process. -If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked. +- If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked. -If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked. +- If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked. diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index 4cd8a3b490..60f394302c 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -1,10 +1,10 @@ --- title: Maps Policy CSP -description: Learn more about the Maps Area in Policy CSP +description: Learn more about the Maps Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index 2311cd2deb..26fdcc2171 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -1,10 +1,10 @@ --- title: MemoryDump Policy CSP -description: Learn more about the MemoryDump Area in Policy CSP +description: Learn more about the MemoryDump Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index 85a71cbbec..dc279d3c41 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,10 +1,10 @@ --- title: Messaging Policy CSP -description: Learn more about the Messaging Area in Policy CSP +description: Learn more about the Messaging Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -44,7 +44,6 @@ This policy setting allows backup and restore of cellular text messages to Micro Disable this feature to avoid information being stored on servers outside of your organization's control. - @@ -62,8 +61,8 @@ Disable this feature to avoid information being stored on servers outside of you | Value | Description | |:--|:--| -| 0 | message sync is not allowed and cannot be changed by the user. | -| 1 (Default) | message sync is allowed. The user can change this setting. | +| 0 | Message sync is not allowed and cannot be changed by the user. | +| 1 (Default) | Message sync is allowed. The user can change this setting. | @@ -125,8 +124,8 @@ This policy setting allows you to enable or disable the sending and receiving ce | Value | Description | |:--|:--| -| 1 (Default) | Allow | -| 0 | Block | +| 1 (Default) | Allow. | +| 0 | Block. | @@ -174,8 +173,8 @@ This policy setting allows you to enable or disable the sending and receiving of | Value | Description | |:--|:--| -| 1 (Default) | Allow | -| 0 | Block | +| 1 (Default) | Allow. | +| 0 | Block. | diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 2a2a81fbdc..6f83800c56 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,10 +1,10 @@ --- title: MixedReality Policy CSP -description: Learn more about the MixedReality Area in Policy CSP +description: Learn more about the MixedReality Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,17 +17,13 @@ ms.topic: reference # Policy CSP - MixedReality > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-hardware). They're not supported on HoloLens (first gen) Development Edition or HoloLens (first gen) Commercial Suite devices. - @@ -52,7 +48,6 @@ This policy controls for how many days, AAD group membership cache is allowed to - Steps to use this policy correctly: 1. Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices. @@ -66,7 +61,6 @@ Steps to use this policy correctly: > [!NOTE] > Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment. - @@ -108,9 +102,7 @@ This policy controls whether the device will display the captive portal flow on - This opt-in policy can help with the setup of new devices in new areas or new users. The captive portal allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. - @@ -155,16 +147,14 @@ This opt-in policy can help with the setup of new devices in new areas or new us -By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. +By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. - Enable this policy to allow for other apps to be launched within a single app kiosk. This behavior may be useful if you want to launch the Settings app to calibrate your device or change your Wi-Fi. For more information on the Launcher API, see [Launcher Class (Windows.System) - Windows UWP applications](/uwp/api/windows.system.launcher). - @@ -214,7 +204,6 @@ This policy controls whether a user will be automatically logged on. When the po - Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. In this case, you can pick up a device and immediately use remote assist. It also allows you to rapidly distribute HoloLens devices and have users speed up sign-in. The string value is the email address of the user to automatically sign in. @@ -225,7 +214,6 @@ On a device where you configure this policy, the user specified in the policy ne > > - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior. > - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users. - @@ -358,14 +346,12 @@ This policy setting controls if pressing the brightness button changes the brigh -This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it’s turned off / on or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. Please refer to HoloLens 2 Moving Platform Mode for background information. +This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it's turned off / on or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. Please refer to HoloLens 2 Moving Platform Mode for background information. - For more information, see [Moving platform mode on low dynamic motion moving platforms](/hololens/hololens2-moving-platform). - @@ -413,12 +399,12 @@ For more information, see [Moving platform mode on low dynamic motion moving pla This policy setting specifies a set of parameters for controlling the Windows NTP Client. -If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. +- If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. -If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. +- If you disable or do not configure this policy setting, the WIndows NTP Client uses the defaults of each of the following parameters. NtpServer -The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". +The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09". Type This value controls the authentication that W32time uses. The default value is NT5DS. @@ -441,7 +427,6 @@ This value is a bitmask that controls events that may be logged to the System lo - **More information**: You may want to configure a different time server for your device fleet. You can use this policy to configure certain aspects of the NTP client. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. @@ -452,7 +437,6 @@ For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NT > This policy also requires enabling [NtpClientEnabled](#ntpclientenabled). > > After you enable this policy, restart the device for the changes to apply. - @@ -466,7 +450,7 @@ For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NT > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -481,7 +465,7 @@ For more information, see [ADMX_W32Time Policy CSP - W32Time_Policy_Configure_NT -\ + **Example**: @@ -497,7 +481,6 @@ The following XML string is an example of the value for this policy: ``` - @@ -524,9 +507,7 @@ Network Connection Status Indicator (NCSI) detects Internet connectivity and cor - Windows Network Connectivity Status Indicator may get a false positive internet-capable signal from passive polling. That behavior may result in the Wi-Fi adapter unexpectedly resetting when the device connects to an intranet-only access point. When you enable this policy, you can avoid unexpected network interruptions caused by false positive NCSI passive polling. - @@ -571,7 +552,7 @@ Windows Network Connectivity Status Indicator may get a false positive internet- -This policy controls when a new person uses Hololens device, if Hololens should automatically ask to run eye calibration. +This policy controls when a new person uses HoloLens device, if HoloLens should automatically ask to run eye calibration. @@ -675,14 +656,12 @@ This policy configures behavior of HUP to determine, which algorithm to use for - **Allowed values**: | Value | Description | |:--|:--| | `0` (Default) | Feature - Default feature based / SLAM-based tracker. | | `1` | Constellation - LR constellation based tracker. | - @@ -724,9 +703,7 @@ This policy controls whether the user can change down direction manually or not. - When the system automatically determines the down direction, it's using the measured gravity vector. - @@ -824,16 +801,14 @@ This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. -If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. +- If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. -If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. +- If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. - For more information, see the [ConfigureNtpClient](#configurentpclient) policy. - @@ -847,7 +822,7 @@ For more information, see the [ConfigureNtpClient](#configurentpclient) policy. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -864,7 +839,6 @@ For more information, see the [ConfigureNtpClient](#configurentpclient) policy. - **Example**: The following example XML string shows the value to enable this policy: @@ -872,7 +846,6 @@ The following example XML string shows the value to enable this policy: ```xml ``` - @@ -894,17 +867,13 @@ The following example XML string shows the value to enable this policy: -This policy configures whether the device will take the user through the eye tracking calibration process during device setup and first time user setup. If this policy is enabled, the device will not show the eye tracking calibration process during device setup and first time user setup. - -**Note** that until the user goes through the calibration process, eye tracking will not work on the device. If an app requires eye tracking and the user has not gone through the calibration process, the user will be prompted to do so. +This policy configures whether the device will take the user through the eye tracking calibration process during device setup and first time user setup. If this policy is enabled, the device will not show the eye tracking calibration process during device setup and first time user setup. **Note** that until the user goes through the calibration process, eye tracking will not work on the device. If an app requires eye tracking and the user has not gone through the calibration process, the user will be prompted to do so. - > [!NOTE] > The user will still be able to calibrate their device from the Settings app. - @@ -954,9 +923,7 @@ This policy configures whether the device will take the user through a training - It skips the training experience of interactions with the hummingbird and Start menu training. The user will still be able to learn these movement controls from the Tips app. - diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index c7e71ee0cf..c164d07e12 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -1,10 +1,10 @@ --- title: MSSLegacy Policy CSP -description: Learn more about the MSSLegacy Area in Policy CSP +description: Learn more about the MSSLegacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - MSSLegacy > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -43,7 +41,7 @@ ms.topic: reference - + @@ -61,7 +59,16 @@ Allow ICMP redirects to override OSPF generated routes. - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_EnableICMPRedirect | +| ADMX File Name | mss-legacy.admx | @@ -86,7 +93,7 @@ Allow ICMP redirects to override OSPF generated routes. - + @@ -104,7 +111,16 @@ Allow the computer to ignore NetBIOS name release requests except from WINS serv - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_NoNameReleaseOnDemand | +| ADMX File Name | mss-legacy.admx | @@ -129,7 +145,7 @@ Allow the computer to ignore NetBIOS name release requests except from WINS serv - + @@ -147,7 +163,16 @@ IP source routing protection level (protects against packet spoofing). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_DisableIPSourceRouting | +| ADMX File Name | mss-legacy.admx | @@ -172,7 +197,7 @@ IP source routing protection level (protects against packet spoofing). - + @@ -190,7 +215,16 @@ IPv6 source routing protection level (protects against packet spoofing). - + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Pol_MSS_DisableIPSourceRoutingIPv6 | +| ADMX File Name | mss-legacy.admx | diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index c4ca1c6ea5..ee17cf4ab6 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -1,10 +1,10 @@ --- title: Multitasking Policy CSP -description: Learn more about the Multitasking Area in Policy CSP +description: Learn more about the Multitasking Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -49,7 +49,6 @@ Configures the inclusion of Microsoft Edge tabs into Alt-Tab. Enabling this policy restricts the number of Microsoft Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Microsoft Edge tabs, only the five most recent tabs, only the three most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior. This policy only applies to the Alt+Tab switcher. When the policy isn't enabled, the feature respects the user's setting in the Settings app. - @@ -67,10 +66,10 @@ This policy only applies to the Alt+Tab switcher. When the policy isn't enabled, | Value | Description | |:--|:--| -| 1 (Default) | Open windows and all tabs in Microsoft Edge | -| 2 | Open windows and 5 most recent tabs in Microsoft Edge | -| 3 | Open windows and 3 most recent tabs in Microsoft Edge | -| 4 | Open windows only | +| 1 (Default) | Open windows and all tabs in Microsoft Edge. | +| 2 | Open windows and 5 most recent tabs in Microsoft Edge. | +| 3 | Open windows and 3 most recent tabs in Microsoft Edge. | +| 4 | Open windows only. | diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 38259aea5f..2805dfa3b0 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md @@ -1,10 +1,10 @@ --- title: NetworkIsolation Policy CSP -description: Learn more about the NetworkIsolation Area in Policy CSP +description: Learn more about the NetworkIsolation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -188,7 +188,6 @@ Sets the enterprise IP ranges that define the computers in the enterprise networ 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ``` - @@ -214,9 +213,9 @@ This setting does not apply to desktop apps. Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. -If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private. +- If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private. -If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment. +- If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment. For more information see: @@ -240,8 +239,8 @@ For more information see: | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -281,9 +280,10 @@ For more information see: -This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example contoso. sharepoint. com, Fabrikam. com. +This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example contoso. sharepoint. com, Fabrikam. com -**Note**: The client requires domain name to be canonical, otherwise the setting will be rejected by the client. Here are the steps to create canonical domain names:Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft. COM -> microsoft. com. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags. Call IdnToUnicode with no flags set (dwFlags = 0). +> [!NOTE] +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. Here are the steps to create canonical domain namesTransform the ASCII characters (A-Z only) to lower case. For example, Microsoft. COM -> microsoft. com. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags. Call IdnToUnicode with no flags set (dwFlags = 0). @@ -293,7 +293,6 @@ For more information, see the following APIs: - [IdnToAscii function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntoascii) - [IdnToUnicode function (winnls.h)](/windows/win32/api/winnls/nf-winnls-idntounicode) - @@ -387,9 +386,9 @@ This setting does not apply to desktop apps. Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. -If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies. +- If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies. -If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses. +- If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses. For more information see: @@ -413,8 +412,8 @@ For more information see: | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 1639be5edb..44eecc6ae9 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -1,10 +1,10 @@ --- title: NetworkListManager Policy CSP -description: Learn more about the NetworkListManager Area in Policy CSP +description: Learn more about the NetworkListManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -54,7 +54,6 @@ When entering a list of TLS endpoints in Microsoft Intune, use the following for - The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. - A certificate shouldn't be a public certificate. - @@ -97,7 +96,6 @@ The string will be used to name the network authenticated against one of the end This policy setting provides the string that names a network. If this setting is used for Trusted Network Detection in an Always On VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute. - diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 53d736c546..7fa317d7de 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -1,10 +1,10 @@ --- title: NewsAndInterests Policy CSP -description: Learn more about the NewsAndInterests Area in Policy CSP +description: Learn more about the NewsAndInterests Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,6 @@ If you turned this feature on before, it will stay on automatically unless you t This policy applies to the entire widgets experience, including content on the taskbar. - diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 033b7c0132..1e4d224152 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,10 +1,10 @@ --- title: Notifications Policy CSP -description: Learn more about the Notifications Area in Policy CSP +description: Learn more about the Notifications Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,11 +39,11 @@ ms.topic: reference This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles. -If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. +- If you enable this policy setting, applications and system features will not be able receive notifications from the network from WNS or via notification polling APIs. -If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. +- If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. -If you disable or do not configure this policy setting, the client computer will connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. +- If you disable or do not configure this policy setting, the client computer will connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. No reboots or service restarts are required for this policy setting to take effect. @@ -61,7 +61,6 @@ To validate the configuration: 1. Enable this policy. 1. Restart the computer. 1. Make sure that you can't receive a notification from an app like Facebook when the app isn't running. - @@ -103,67 +102,6 @@ To validate the configuration: - -## WnsEndpoint - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Notifications/WnsEndpoint -``` - - - - -FQDN for the WNS endpoint - - - - - -This policy setting determines which Windows Notification Service (WNS) endpoint will be used to connect for Windows push notifications. - -If you disable or don't configure this setting, the push notifications will connect to the default endpoint of `client.wns.windows.com`. - -> [!NOTE] -> Make sure the proper WNS FQDNs, VIPs, IPs and ports are also allowed through the firewall. - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | WnsEndpoint_Policy | -| Friendly Name | Enables group policy for the WNS FQDN | -| Element Name | FQDN for WNS | -| Location | Computer Configuration | -| Path | Start Menu and Taskbar > Notifications | -| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | -| ADMX File Name | WPN.admx | - - - - - - - - ## DisallowNotificationMirroring @@ -183,9 +121,9 @@ If you disable or don't configure this setting, the push notifications will conn This policy setting turns off notification mirroring. -If you enable this policy setting, notifications from applications and system will not be mirrored to your other devices. +- If you enable this policy setting, notifications from applications and system will not be mirrored to your other devices. -If you disable or do not configure this policy setting, notifications will be mirrored, and can be turned off by the administrator or user. +- If you disable or do not configure this policy setting, notifications will be mirrored, and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. @@ -194,7 +132,6 @@ No reboots or service restarts are required for this policy setting to take effe This feature can be turned off by apps that don't want to participate in notification mirroring. This feature can also be turned off by the user in the Cortana settings page. - @@ -255,9 +192,9 @@ This feature can be turned off by apps that don't want to participate in notific This policy setting turns off tile notifications. -If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. +- If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. -If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. +- If you disable or do not configure this policy setting, tile and badge notifications are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect. @@ -305,6 +242,66 @@ No reboots or service restarts are required for this policy setting to take effe + +## WnsEndpoint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Notifications/WnsEndpoint +``` + + + + +FQDN for the WNS endpoint + + + + + +This policy setting determines which Windows Notification Service (WNS) endpoint will be used to connect for Windows push notifications. + +If you disable or don't configure this setting, the push notifications will connect to the default endpoint of `client.wns.windows.com`. + +> [!NOTE] +> Make sure the proper WNS FQDNs, VIPs, IPs and ports are also allowed through the firewall. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WnsEndpoint_Policy | +| Friendly Name | Enables group policy for the WNS FQDN | +| Element Name | FQDN for WNS | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar > Notifications | +| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications | +| ADMX File Name | WPN.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 3853306b49..1af9f3391f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,10 +1,10 @@ --- title: Power Policy CSP -description: Learn more about the Power Area in Policy CSP +description: Learn more about the Power Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Power > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -44,7 +42,7 @@ ms.topic: reference -This policy setting decides if hibernate on the machine is allowed or not. Supported values: 0 – Disable hibernate. 1 (default) - Allow hibernate. +This policy setting decides if hibernate on the machine is allowed or not. Supported values: 0 - Disable hibernate. 1 (default) - Allow hibernate. @@ -95,9 +93,9 @@ This policy setting decides if hibernate on the machine is allowed or not. Suppo This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. +- If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) are not allowed. +- If you disable this policy setting, standby states (S1-S3) are not allowed. @@ -115,13 +113,13 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowStandbyStatesDC | +| Name | AllowStandbyStatesDC_2 | | Friendly Name | Allow standby states (S1-S3) when sleeping (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -155,9 +153,9 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. +- If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. -If you disable this policy setting, standby states (S1-S3) are not allowed. +- If you disable this policy setting, standby states (S1-S3) are not allowed. @@ -175,13 +173,13 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowStandbyStatesAC | +| Name | AllowStandbyStatesAC_2 | | Friendly Name | Allow standby states (S1-S3) when sleeping (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -215,9 +213,9 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. This policy setting allows you to specify the period of inactivity before Windows turns off the display. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -237,13 +235,13 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | VideoPowerDownTimeOutDC | +| Name | VideoPowerDownTimeOutDC_2 | | Friendly Name | Turn off the display (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Video and Display Settings | @@ -276,9 +274,9 @@ If the user has configured a slide show to run on the lock screen when the machi This policy setting allows you to specify the period of inactivity before Windows turns off the display. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -298,13 +296,13 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | VideoPowerDownTimeOutAC | +| Name | VideoPowerDownTimeOutAC_2 | | Friendly Name | Turn off the display (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Video and Display Settings | @@ -335,7 +333,9 @@ If the user has configured a slide show to run on the lock screen when the machi -This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +- If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. +- If you disable or do not configure this policy setting, users control this setting. @@ -390,7 +390,9 @@ This policy setting allows you to specify battery charge level at which Energy S -This policy setting allows you to specify battery charge level at which Energy Saver is turned on. If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. If you disable or do not configure this policy setting, users control this setting. +This policy setting allows you to specify battery charge level at which Energy Saver is turned on. +- If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. +- If you disable or do not configure this policy setting, users control this setting. @@ -447,9 +449,9 @@ This policy setting allows you to specify battery charge level at which Energy S This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -469,13 +471,13 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCHibernateTimeOut | +| Name | DCHibernateTimeOut_2 | | Friendly Name | Specify the system hibernate timeout (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -508,9 +510,9 @@ If the user has configured a slide show to run on the lock screen when the machi This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -530,13 +532,13 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ACHibernateTimeOut | +| Name | ACHibernateTimeOut_2 | | Friendly Name | Specify the system hibernate timeout (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -569,9 +571,9 @@ If the user has configured a slide show to run on the lock screen when the machi This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. +- If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. +- If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. @@ -589,13 +591,13 @@ If you disable this policy setting, the user is not prompted for a password when > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCPromptForPasswordOnResume | +| Name | DCPromptForPasswordOnResume_2 | | Friendly Name | Require a password when a computer wakes (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -629,9 +631,9 @@ If you disable this policy setting, the user is not prompted for a password when This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. +- If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. +- If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. @@ -649,13 +651,13 @@ If you disable this policy setting, the user is not prompted for a password when > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ACPromptForPasswordOnResume | +| Name | ACPromptForPasswordOnResume_2 | | Friendly Name | Require a password when a computer wakes (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -687,7 +689,8 @@ If you disable this policy setting, the user is not prompted for a password when -This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. @@ -709,10 +712,10 @@ This policy setting specifies the action that Windows takes when a user closes t | Value | Description | |:--|:--| -| 0 | Take no action | -| 1 (Default) | Sleep | -| 2 | System hibernate sleep state | -| 3 | System shutdown | +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | @@ -752,7 +755,8 @@ This policy setting specifies the action that Windows takes when a user closes t -This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. +This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. @@ -774,10 +778,10 @@ This policy setting specifies the action that Windows takes when a user closes t | Value | Description | |:--|:--| -| 0 | Take no action | -| 1 (Default) | Sleep | -| 2 | System hibernate sleep state | -| 3 | System shutdown | +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | @@ -817,7 +821,8 @@ This policy setting specifies the action that Windows takes when a user closes t -This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. +This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. @@ -839,10 +844,10 @@ This policy setting specifies the action that Windows takes when a user presses | Value | Description | |:--|:--| -| 0 | Take no action | -| 1 (Default) | Sleep | -| 2 | System hibernate sleep state | -| 3 | System shutdown | +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | @@ -882,7 +887,8 @@ This policy setting specifies the action that Windows takes when a user presses -This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. +This policy setting specifies the action that Windows takes when a user presses the power button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. @@ -904,10 +910,10 @@ This policy setting specifies the action that Windows takes when a user presses | Value | Description | |:--|:--| -| 0 | Take no action | -| 1 (Default) | Sleep | -| 2 | System hibernate sleep state | -| 3 | System shutdown | +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | @@ -947,7 +953,8 @@ This policy setting specifies the action that Windows takes when a user presses -This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. +This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. @@ -969,10 +976,10 @@ This policy setting specifies the action that Windows takes when a user presses | Value | Description | |:--|:--| -| 0 | Take no action | -| 1 (Default) | Sleep | -| 2 | System hibernate sleep state | -| 3 | System shutdown | +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | @@ -1012,7 +1019,8 @@ This policy setting specifies the action that Windows takes when a user presses -This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. If you disable this policy setting or do not configure it, users can see and change this setting. +This policy setting specifies the action that Windows takes when a user presses the sleep button. Possible actions include: 0 - Take no action 1 - Sleep 2 - Hibernate 3 - Shut down If you enable this policy setting, you must select the desired action. +- If you disable this policy setting or do not configure it, users can see and change this setting. @@ -1034,10 +1042,10 @@ This policy setting specifies the action that Windows takes when a user presses | Value | Description | |:--|:--| -| 0 | Take no action | -| 1 (Default) | Sleep | -| 2 | System hibernate sleep state | -| 3 | System shutdown | +| 0 | Take no action. | +| 1 (Default) | Sleep. | +| 2 | System hibernate sleep state. | +| 3 | System shutdown. | @@ -1079,9 +1087,9 @@ This policy setting specifies the action that Windows takes when a user presses This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1101,13 +1109,13 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DCStandbyTimeOut | +| Name | DCStandbyTimeOut_2 | | Friendly Name | Specify the system sleep timeout (on battery) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -1140,9 +1148,9 @@ If the user has configured a slide show to run on the lock screen when the machi This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1162,13 +1170,13 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ACStandbyTimeOut | +| Name | ACStandbyTimeOut_2 | | Friendly Name | Specify the system sleep timeout (plugged in) | | Location | Computer Configuration | | Path | System > Power Management > Sleep Settings | @@ -1201,9 +1209,9 @@ If the user has configured a slide show to run on the lock screen when the machi This policy setting allows you to turn off hybrid sleep. -If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). +- If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -1225,8 +1233,8 @@ If you disable or do not configure this policy setting, users control this setti | Value | Description | |:--|:--| -| 0 (Default) | | -| 1 | hybrid sleep | +| 0 (Default) | . | +| 1 | Hybrid sleep. | @@ -1268,9 +1276,9 @@ If you disable or do not configure this policy setting, users control this setti This policy setting allows you to turn off hybrid sleep. -If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). +- If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). -If you disable or do not configure this policy setting, users control this setting. +- If you disable or do not configure this policy setting, users control this setting. @@ -1292,8 +1300,8 @@ If you disable or do not configure this policy setting, users control this setti | Value | Description | |:--|:--| -| 0 (Default) | | -| 1 | hybrid sleep | +| 0 (Default) | . | +| 1 | Hybrid sleep. | @@ -1333,7 +1341,9 @@ If you disable or do not configure this policy setting, users control this setti -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1388,7 +1398,9 @@ This policy setting allows you to specify the period of inactivity before Window -This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. +- If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. +- If you disable or do not configure this policy setting, users control this setting. If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index cc7fc5a089..d6abd1659d 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -1,6 +1,6 @@ --- title: Printers Policy CSP -description: Learn more about the Printers Area in Policy CSP +description: Learn more about the Printers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa @@ -468,10 +468,16 @@ The following are the supported values: + > [!TIP] > This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureRpcAuthnLevelPrivacyEnabled | +| ADMX File Name | Printing.admx | diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index e3eda63ea8..24f10738e5 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,10 +1,10 @@ --- title: Privacy Policy CSP -description: Learn more about the Privacy Area in Policy CSP +description: Learn more about the Privacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,14 +36,15 @@ ms.topic: reference - -Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -**Note**: There were issues reported with the previous release of this policy and a fix was Most restricted value is 0. + +Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. Most restricted value is 0. + +> [!NOTE] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. @@ -89,8 +90,8 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con This policy setting determines whether Clipboard contents can be synchronized across devices. -If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. -If you disable this policy setting, Clipboard contents cannot be shared to other devices. +- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. +- If you disable this policy setting, Clipboard contents cannot be shared to other devices. Policy change takes effect immediately. @@ -98,7 +99,6 @@ Policy change takes effect immediately. Most restrictive value is `0` to not allow cross-device clipboard. - @@ -172,7 +172,6 @@ Updated in Windows 10, version 1809. When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft uses voice input to help improve speech services. The most restrictive value is `0` to not allow speech services. - @@ -233,9 +232,9 @@ The most restrictive value is `0` to not allow speech services. This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. -If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. +- If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. -If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps. +- If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps. @@ -314,7 +313,6 @@ If this policy is disabled or not configured, then the privacy experience may la In some managed environments, the privacy settings may be set by other policies. In this case, enable this policy to not show a screen for users to change these privacy settings. - @@ -374,8 +372,8 @@ In some managed environments, the privacy settings may be set by other policies. This policy setting determines whether ActivityFeed is enabled. -If you enable this policy setting, all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the user. -If you disable this policy setting, activities can't be published and ActivityFeed shall disable cloud sync. +- If you enable this policy setting, all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the user. +- If you disable this policy setting, activities can't be published and ActivityFeed shall disable cloud sync. Policy change takes effect immediately. @@ -446,7 +444,6 @@ This policy setting specifies whether Windows apps can access account informatio The most restrictive value is `2` to deny apps access to account information. - @@ -670,10 +667,8 @@ This policy setting specifies whether Windows apps can access the movement of th - > [!NOTE] > Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). - @@ -724,10 +719,8 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed - > [!NOTE] > Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). - @@ -771,7 +764,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed > [!NOTE] > Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). - @@ -815,7 +807,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use > [!NOTE] > Currently, this policy is supported only in [Microsoft HoloLens 2](/hololens/hololens2-hardware). - @@ -858,7 +849,6 @@ This policy setting specifies whether Windows apps can access the calendar. The most restrictive value is `2` to deny apps access to the calendar. - @@ -1084,7 +1074,6 @@ This policy setting specifies whether Windows apps can access call history. The most restrictive value is `2` to deny apps access to call history. - @@ -1287,7 +1276,7 @@ List of semi-colon delimited Package Family Names of Windows apps. The user is a -## LetAppsAccessCameras +## LetAppsAccessCamera | Scope | Editions | Applicable OS | @@ -1310,7 +1299,6 @@ This policy setting specifies whether Windows apps can access the camera. The most restrictive value is `2` to deny apps access to the camera. - @@ -1536,7 +1524,6 @@ This policy setting specifies whether Windows apps can access contacts. The most restrictive value is `2` to deny apps access to contacts. - @@ -1762,7 +1749,6 @@ This policy setting specifies whether Windows apps can access email. The most restrictive value is `2` to deny apps access to email. - @@ -2576,7 +2562,6 @@ This policy setting specifies whether Windows apps can access location. The most restrictive value is `2` to deny apps access to the device's location. - @@ -2802,7 +2787,6 @@ This policy setting specifies whether Windows apps can read or send messages (te The most restrictive value is `2` to deny apps access to messaging. - @@ -3028,7 +3012,6 @@ This policy setting specifies whether Windows apps can access the microphone. The most restrictive value is `2` to deny apps access to the microphone. - @@ -3254,7 +3237,6 @@ This policy setting specifies whether Windows apps can access motion data. The most restrictive value is `2` to deny apps access to motion data. - @@ -3480,7 +3462,6 @@ This policy setting specifies whether Windows apps can access notifications. The most restrictive value is `2` to deny apps access to notifications. - @@ -3706,7 +3687,6 @@ This policy setting specifies whether Windows apps can make phone calls The most restrictive value is `2` to deny apps access to make phone calls. - @@ -3932,7 +3912,6 @@ This policy setting specifies whether Windows apps have access to control radios The most restrictive value is `2` to deny apps access to control radios. - @@ -4372,7 +4351,6 @@ This policy setting specifies whether Windows apps can access trusted devices. The most restrictive value is `2` to deny apps access trusted devices. - @@ -4726,7 +4704,6 @@ This policy setting specifies whether Windows apps can get diagnostic informatio The most restrictive value is `2` to deny apps access to diagnostic data. - @@ -4950,12 +4927,10 @@ This policy setting specifies whether Windows apps can run in the background. - The most restrictive value is `2` to deny apps from running in the background. > [!WARNING] > Be careful when you determine which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. If you turn off background activity for these types of apps, it could cause text message, email, and voicemail notifications to not function. This policy could also cause background email syncing to not function properly. - @@ -5181,7 +5156,6 @@ This policy setting specifies whether Windows apps can communicate with unpaired The most restrictive value is `2` to deny apps syncing with devices. - @@ -5401,8 +5375,8 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u This policy setting determines whether User Activities can be published. -If you enable this policy setting, activities of type User Activity are allowed to be published. -If you disable this policy setting, activities of type User Activity are not allowed to be published. +- If you enable this policy setting, activities of type User Activity are allowed to be published. +- If you disable this policy setting, activities of type User Activity are not allowed to be published. Policy change takes effect immediately. @@ -5410,7 +5384,6 @@ Policy change takes effect immediately. For more information, see [Windows activity history and your privacy](https://support.microsoft.com/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd). - @@ -5470,8 +5443,8 @@ For more information, see [Windows activity history and your privacy](https://su This policy setting determines whether published User Activities can be uploaded. -If you enable this policy setting, activities of type User Activity are allowed to be uploaded. -If you disable this policy setting, activities of type User Activity are not allowed to be uploaded. +- If you enable this policy setting, activities of type User Activity are allowed to be uploaded. +- If you disable this policy setting, activities of type User Activity are not allowed to be uploaded. Deletion of activities of type User Activity are independent of this setting. Policy change takes effect immediately. @@ -5480,7 +5453,6 @@ Policy change takes effect immediately. For more information, see [Windows activity history and your privacy](https://support.microsoft.com/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd). - diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index ac016afb26..4cfd15a4b7 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -1,10 +1,10 @@ --- title: RemoteAssistance Policy CSP -description: Learn more about the RemoteAssistance Area in Policy CSP +description: Learn more about the RemoteAssistance Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - RemoteAssistance > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -50,11 +48,11 @@ The "Display warning message before sharing control" policy setting allows you t The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. -If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. +- If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. -If you disable this policy setting, the user sees the default warning message. +- If you disable this policy setting, the user sees the default warning message. -If you do not configure this policy setting, the user sees the default warning message. +- If you do not configure this policy setting, the user sees the default warning message. @@ -72,7 +70,7 @@ If you do not configure this policy setting, the user sees the default warning m > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -112,11 +110,11 @@ If you do not configure this policy setting, the user sees the default warning m This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. -If you enable this policy setting, log files are generated. +- If you enable this policy setting, log files are generated. -If you disable this policy setting, log files are not generated. +- If you disable this policy setting, log files are not generated. -If you do not configure this setting, application-based settings are used. +- If you do not configure this setting, application-based settings are used. @@ -134,7 +132,7 @@ If you do not configure this setting, application-based settings are used. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -174,19 +172,19 @@ If you do not configure this setting, application-based settings are used. This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. +- If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. +- If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. +- If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." +- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. +- If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. @@ -204,7 +202,7 @@ If you enable this policy setting you should also enable appropriate firewall ex > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -244,13 +242,13 @@ If you enable this policy setting you should also enable appropriate firewall ex This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +- If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +- If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. +- If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. +- If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: @@ -258,7 +256,7 @@ To configure the list of helpers, click "Show." In the window that opens, you ca ``\\`` -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. +- If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. Windows Vista and later @@ -297,7 +295,7 @@ Allow Remote Desktop Exception > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 6a4a8f629e..a82841ffd5 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -1,10 +1,10 @@ --- title: RemoteDesktop Policy CSP -description: Learn more about the RemoteDesktop Area in Policy CSP +description: Learn more about the RemoteDesktop Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -20,58 +20,6 @@ ms.topic: reference - -## LoadAadCredKeyFromProfile - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/RemoteDesktop/LoadAadCredKeyFromProfile -``` - - - - -Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts. - - - - - -This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs. - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Not allowed. | -| 1 | Allowed. | - - - - - - - - ## AutoSubscription @@ -98,7 +46,6 @@ Controls the list of URLs that the user should be auto-subscribed to This policy lets you enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the client uses the specified URL to subscribe the signed-in user and retrieve the remote resources assigned to them. To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/overview) in the Azure public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. - @@ -131,6 +78,57 @@ To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/ove + +## LoadAadCredKeyFromProfile + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/RemoteDesktop/LoadAadCredKeyFromProfile +``` + + + + +Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts. + + + + + +This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index b3089679b1..2a7bf33c7f 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -1,10 +1,10 @@ --- title: RemoteDesktopServices Policy CSP -description: Learn more about the RemoteDesktopServices Area in Policy CSP +description: Learn more about the RemoteDesktopServices Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - RemoteDesktopServices > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,13 +44,14 @@ ms.topic: reference This policy setting allows you to configure remote access to computers by using Remote Desktop Services. -If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. +- If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. -If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. +- If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. +- If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. +> [!NOTE] +> You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. @@ -72,7 +71,7 @@ You can limit the number of users who can connect simultaneously by configuring > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -111,7 +110,7 @@ You can limit the number of users who can connect simultaneously by configuring Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: * High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. @@ -119,9 +118,9 @@ If you enable this policy setting, all communications between clients and RD Ses * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. -If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. +- If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. -Important +**Important** FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. @@ -141,7 +140,7 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -182,11 +181,11 @@ This policy setting specifies whether to prevent the mapping of client drives in By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format `` on ``. You can use this policy setting to override this behavior. -If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later). +- If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows XP, Windows Server 2003, Windows Server 2012 (and later) or Windows 8 (and later). -If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. +- If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. -If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. +- If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. @@ -204,7 +203,7 @@ If you do not configure this policy setting, client drive redirection and Clipbo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -244,9 +243,9 @@ If you do not configure this policy setting, client drive redirection and Clipbo Controls whether passwords can be saved on this computer from Remote Desktop Connection. -If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. +- If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. +- If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. @@ -264,13 +263,13 @@ If you disable this setting or leave it not configured, the user will be able to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING | +| Name | TS_CLIENT_DISABLE_PASSWORD_SAVING_2 | | Friendly Name | Do not allow passwords to be saved | | Location | Computer Configuration | | Path | Windows Components > Remote Desktop Services > Remote Desktop Connection Client | @@ -306,9 +305,9 @@ This policy setting lets you control the redirection of web authentication (WebA By default, Remote Desktop allows redirection of WebAuthn requests. -If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. +- If you enable this policy setting, users can't use their local authenticator inside the Remote Desktop session. -If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. +- If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. @@ -326,7 +325,7 @@ If you disable or do not configure this policy setting, users can use local auth > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -370,11 +369,11 @@ You can use this setting to enforce a password prompt for users logging on to Re By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. -If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. +- If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. -If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. +- If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. -If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. +- If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. @@ -392,7 +391,7 @@ If you do not configure this policy setting, automatic logon is not specified at > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -440,7 +439,8 @@ If the status is set to Disabled, Remote Desktop Services always requests securi If the status is set to Not Configured, unsecured communication is allowed. -Note: The RPC interface is used for administering and configuring Remote Desktop Services. +> [!NOTE] +> The RPC interface is used for administering and configuring Remote Desktop Services. @@ -458,7 +458,7 @@ Note: The RPC interface is used for administering and configuring Remote Desktop > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index 18ae30618b..1545ea14b2 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -1,10 +1,10 @@ --- title: RemoteManagement Policy CSP -description: Learn more about the RemoteManagement Area in Policy CSP +description: Learn more about the RemoteManagement Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - RemoteManagement > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. -If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. +- If you enable this policy setting, the WinRM client uses Basic authentication. If WinRM is configured to use HTTP transport, the user name and password are sent over the network as clear text. -If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. +- If you disable or do not configure this policy setting, the WinRM client does not use Basic authentication. @@ -66,13 +64,13 @@ If you disable or do not configure this policy setting, the WinRM client does no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowBasic | +| Name | AllowBasic_2 | | Friendly Name | Allow Basic authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | @@ -106,9 +104,9 @@ If you disable or do not configure this policy setting, the WinRM client does no This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. -If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. +- If you enable this policy setting, the WinRM service accepts Basic authentication from a remote client. -If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service does not accept Basic authentication from a remote client. @@ -126,13 +124,13 @@ If you disable or do not configure this policy setting, the WinRM service does n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowBasic | +| Name | AllowBasic_1 | | Friendly Name | Allow Basic authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | @@ -166,9 +164,9 @@ If you disable or do not configure this policy setting, the WinRM service does n This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication. -If you enable this policy setting, the WinRM client uses CredSSP authentication. +- If you enable this policy setting, the WinRM client uses CredSSP authentication. -If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. +- If you disable or do not configure this policy setting, the WinRM client does not use CredSSP authentication. @@ -186,13 +184,13 @@ If you disable or do not configure this policy setting, the WinRM client does no > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowCredSSP | +| Name | AllowCredSSP_2 | | Friendly Name | Allow CredSSP authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | @@ -226,9 +224,9 @@ If you disable or do not configure this policy setting, the WinRM client does no This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. -If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. +- If you enable this policy setting, the WinRM service accepts CredSSP authentication from a remote client. -If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service does not accept CredSSP authentication from a remote client. @@ -246,13 +244,13 @@ If you disable or do not configure this policy setting, the WinRM service does n > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowCredSSP | +| Name | AllowCredSSP_1 | | Friendly Name | Allow CredSSP authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | @@ -286,11 +284,11 @@ If you disable or do not configure this policy setting, the WinRM service does n This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. -If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. +- If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port. To allow WinRM service to receive requests over the network, configure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP). -If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. +- If you disable or do not configure this policy setting, the WinRM service will not respond to requests from a remote computer, regardless of whether or not any WinRM listeners are configured. The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. @@ -301,7 +299,7 @@ For example, if you want the service to listen only on IPv4 addresses, leave the Ranges are specified using the syntax IP1-IP2. Multiple ranges are separated using "," (comma) as the delimiter. Example IPv4 filters:\n2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22 -Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 +Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3. FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 @@ -319,7 +317,7 @@ Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FE > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -359,9 +357,9 @@ Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FE This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. -If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. +- If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +- If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. @@ -379,13 +377,13 @@ If you disable or do not configure this policy setting, the WinRM client sends o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowUnencrypted | +| Name | AllowUnencrypted_2 | | Friendly Name | Allow unencrypted traffic | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | @@ -419,9 +417,9 @@ If you disable or do not configure this policy setting, the WinRM client sends o This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. -If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. +- If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. -If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. +- If you disable or do not configure this policy setting, the WinRM client sends or receives only encrypted messages over the network. @@ -439,13 +437,13 @@ If you disable or do not configure this policy setting, the WinRM client sends o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AllowUnencrypted | +| Name | AllowUnencrypted_1 | | Friendly Name | Allow unencrypted traffic | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | @@ -479,9 +477,9 @@ If you disable or do not configure this policy setting, the WinRM client sends o This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. -If you enable this policy setting, the WinRM client does not use Digest authentication. +- If you enable this policy setting, the WinRM client does not use Digest authentication. -If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. +- If you disable or do not configure this policy setting, the WinRM client uses Digest authentication. @@ -499,7 +497,7 @@ If you disable or do not configure this policy setting, the WinRM client uses Di > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -539,9 +537,9 @@ If you disable or do not configure this policy setting, the WinRM client uses Di This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication. -If you enable this policy setting, the WinRM client does not use Negotiate authentication. +- If you enable this policy setting, the WinRM client does not use Negotiate authentication. -If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. +- If you disable or do not configure this policy setting, the WinRM client uses Negotiate authentication. @@ -559,13 +557,13 @@ If you disable or do not configure this policy setting, the WinRM client uses Ne > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisallowNegotiate | +| Name | DisallowNegotiate_2 | | Friendly Name | Disallow Negotiate authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Client | @@ -599,9 +597,9 @@ If you disable or do not configure this policy setting, the WinRM client uses Ne This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication from a remote client. -If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client. +- If you enable this policy setting, the WinRM service does not accept Negotiate authentication from a remote client. -If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. +- If you disable or do not configure this policy setting, the WinRM service accepts Negotiate authentication from a remote client. @@ -619,13 +617,13 @@ If you disable or do not configure this policy setting, the WinRM service accept > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | DisallowNegotiate | +| Name | DisallowNegotiate_1 | | Friendly Name | Disallow Negotiate authentication | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | @@ -659,9 +657,9 @@ If you disable or do not configure this policy setting, the WinRM service accept This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. -If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. +- If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. -If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. +- If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. If you enable and then disable this policy setting,any values that were previously configured for RunAsPassword will need to be reset. @@ -681,7 +679,7 @@ If you enable and then disable this policy setting,any values that were previous > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -721,9 +719,9 @@ If you enable and then disable this policy setting,any values that were previous This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. -If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. +- If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to determine whether or not to accept a received request, based on a supplied channel binding token. -If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer. +- If you disable or do not configure this policy setting, you can configure the hardening level locally on each computer. If HardeningLevel is set to Strict, any request not containing a valid channel binding token is rejected. @@ -747,13 +745,13 @@ If HardeningLevel is set to None, all requests are accepted (though they are not > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CBTHardeningLevel | +| Name | CBTHardeningLevel_1 | | Friendly Name | Specify channel binding token hardening level | | Location | Computer Configuration | | Path | Windows Components > Windows Remote Management (WinRM) > WinRM Service | @@ -787,9 +785,9 @@ If HardeningLevel is set to None, all requests are accepted (though they are not This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. -If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host. +- If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host. -If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. +- If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. @@ -807,7 +805,7 @@ If you disable or do not configure this policy setting and the WinRM client need > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -847,9 +845,9 @@ If you disable or do not configure this policy setting and the WinRM client need This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. -If you enable this policy setting, the HTTP listener always appears. +- If you enable this policy setting, the HTTP listener always appears. -If you disable or do not configure this policy setting, the HTTP listener never appears. +- If you disable or do not configure this policy setting, the HTTP listener never appears. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes to 5985. @@ -871,7 +869,7 @@ A listener might be automatically created on port 80 to ensure backward compatib > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -911,9 +909,9 @@ A listener might be automatically created on port 80 to ensure backward compatib This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. -If you enable this policy setting, the HTTPS listener always appears. +- If you enable this policy setting, the HTTPS listener always appears. -If you disable or do not configure this policy setting, the HTTPS listener never appears. +- If you disable or do not configure this policy setting, the HTTPS listener never appears. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number changes to 5986. @@ -935,7 +933,7 @@ A listener might be automatically created on port 443 to ensure backward compati > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 07cf2525c0..fc904f741b 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -1,10 +1,10 @@ --- title: RemoteProcedureCall Policy CSP -description: Learn more about the RemoteProcedureCall Area in Policy CSP +description: Learn more about the RemoteProcedureCall Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - RemoteProcedureCall > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,19 +46,20 @@ This policy setting controls how the RPC server runtime handles unauthenticated This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. +- If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. +- If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. +- If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. +- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. +- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. +- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. -Note: This policy setting will not be applied until the system is rebooted. +> [!NOTE] +> This policy setting will not be applied until the system is rebooted. @@ -78,7 +77,7 @@ Note: This policy setting will not be applied until the system is rebooted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -117,13 +116,14 @@ Note: This policy setting will not be applied until the system is rebooted. This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. -If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. +- If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +- If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -Note: This policy will not be applied until the system is rebooted. +> [!NOTE] +> This policy will not be applied until the system is rebooted. @@ -141,7 +141,7 @@ Note: This policy will not be applied until the system is rebooted. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 857bea7950..35fe66ae1a 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -1,10 +1,10 @@ --- title: RemoteShell Policy CSP -description: Learn more about the RemoteShell Area in Policy CSP +description: Learn more about the RemoteShell Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/20/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - RemoteShell > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting configures access to remote shells. -If you enable or do not configure this policy setting, new remote shell connections are accepted by the server. +- If you enable or do not configure this policy setting, new remote shell connections are accepted by the server. -If you set this policy to ‘disabled’, new remote shell connections are rejected by the server. +If you set this policy to 'disabled', new remote shell connections are rejected by the server. @@ -66,7 +64,7 @@ If you set this policy to ‘disabled’, new remote shell connections are rejec > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -108,9 +106,9 @@ This policy setting configures the maximum number of users able to concurrently The value can be any number from 1 to 100. -If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. +- If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. -If you disable or do not configure this policy setting, the default number is five users. +- If you disable or do not configure this policy setting, the default number is five users. @@ -128,7 +126,7 @@ If you disable or do not configure this policy setting, the default number is fi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -169,7 +167,7 @@ This policy setting configures the maximum time in milliseconds remote shell wil Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values. -If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell. +- If you enable this policy setting, the server will wait for the specified amount of time since the last received message from the client before terminating the open shell. If you do not configure or disable this policy setting, the default value of 900000 or 15 min will be used. @@ -189,7 +187,7 @@ If you do not configure or disable this policy setting, the default value of 900 > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -230,9 +228,9 @@ This policy setting configures the maximum total amount of memory in megabytes t Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operations to allocate memory is only limited by the available virtual memory. -If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota. +- If you enable this policy setting, the remote operation is terminated when a new allocation exceeds the specified quota. -If you disable or do not configure this policy setting, the value 150 is used by default. +- If you disable or do not configure this policy setting, the value 150 is used by default. @@ -250,7 +248,7 @@ If you disable or do not configure this policy setting, the value 150 is used by > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -289,9 +287,9 @@ If you disable or do not configure this policy setting, the value 150 is used by This policy setting configures the maximum number of processes a remote shell is allowed to launch. -If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. +- If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. -If you disable or do not configure this policy setting, the limit is five processes per shell. +- If you disable or do not configure this policy setting, the limit is five processes per shell. @@ -309,7 +307,7 @@ If you disable or do not configure this policy setting, the limit is five proces > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -350,9 +348,9 @@ This policy setting configures the maximum number of concurrent shells any user Any number from 0 to 0x7FFFFFFF cand be set, where 0 means unlimited number of shells. -If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. +- If you enable this policy setting, the user cannot open new remote shells if the count exceeds the specified limit. -If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. +- If you disable or do not configure this policy setting, by default the limit is set to two remote shells per user. @@ -370,7 +368,7 @@ If you disable or do not configure this policy setting, by default the limit is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -425,7 +423,7 @@ This policy setting is deprecated and has no effect when set to any state: Enabl > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index f4da38dfdc..77a826c617 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -1,10 +1,10 @@ --- title: RestrictedGroups Policy CSP -description: Learn more about the RestrictedGroups Area in Policy CSP +description: Learn more about the RestrictedGroups Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/19/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -23,7 +23,6 @@ ms.topic: reference > Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups. > > Don't apply both policies to the same device, it's unsupported and may yield unpredictable results. - @@ -43,7 +42,7 @@ ms.topic: reference -This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. +This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group > [!CAUTION] > If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. @@ -51,52 +50,12 @@ This security setting allows an administrator to define the members of a securit - > [!CAUTION] > You can't remove the built-in Administrator account from the built-in Administrators group. If you try to remove it, the command fails with the following error: > > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------| > | `0x55b` (Hex)
    `1371` (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | - -Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group, and should be used with caution. - -```xml - - - - - - - - - - - - Restricted Group Member - - - - - - - - - - - - - - - Restricted Group - - - - - - -``` - @@ -182,7 +141,6 @@ Descriptions of the properties: > [!NOTE] > Currently, the RestrictedGroups/ConfigureGroupMembership policy doesn't have a MemberOf functionality. However, you can add a domain group as a member to a local group by using the member portion, as shown in this example. - diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index c3bd4ef159..a13b407ce0 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -1,10 +1,10 @@ --- title: Search Policy CSP -description: Learn more about the Search Area in Policy CSP +description: Learn more about the Search Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/19/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -170,7 +170,6 @@ This feature allows you to disable find my files completely on the machine This policy controls whether the user can configure search to *Find My Files* mode. This mode searches files in secondary hard drives and also outside of the user profile. Find My Files doesn't allow users to search files or locations to which they don't have access. - @@ -224,7 +223,10 @@ This policy controls whether the user can configure search to *Find My Files* mo -This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encrypted content. +This policy setting allows encrypted items to be indexed. +- If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). +- If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. +- If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely. @@ -309,7 +311,6 @@ Disabling this setting turns off search highlights in the start menu search box |:--|:--| | 0 | Disabling this setting turns off search highlights in search home, and the taskbar search box (Windows 10) or the Start menu search box (Windows 11). | | 1 (Default) | Enabling or not configuring this setting turns on search highlights in search home, and the taskbar search box (Windows 10) or the Start menu search box (Windows 11). | - @@ -369,7 +370,6 @@ If this is enabled, search and Cortana can access location information. The most restrictive value is `0` to not allow search to use location. - @@ -477,16 +477,19 @@ This policy has been deprecated. -This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setting, words that only differ in diacritics are treated as different words. If you disable this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by default. If you do not configure this policy setting, the local setting, configured through Control Panel, will be used. +This policy setting allows words that contain diacritic characters to be treated as separate words. +- If you enable this policy setting, words that only differ in diacritics are treated as different words. +- If you disable this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by default. +- If you do not configure this policy setting, the local setting, configured through Control Panel, will be used -**Note**: By default, the Control Panel setting is set to treat words that differ only because of diacritics as the same word. +> [!NOTE] +> By default, the Control Panel setting is set to treat words that differ only because of diacritics as the same word. The most restrictive value is `0` to not allow the use of diacritics. - @@ -586,14 +589,15 @@ Allow Windows indexer. Value type is integer. -This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. If you enable this policy setting, Windows will always use automatic language detection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this policy setting only on PCs where documents are stored in many languages. If you disable or do not configure this policy setting, Windows will use automatic language detection only when it can determine the language of a document with high confidence. +This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. +- If you enable this policy setting, Windows will always use automatic language detection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this policy setting only on PCs where documents are stored in many languages. +- If you disable or do not configure this policy setting, Windows will use automatic language detection only when it can determine the language of a document with high confidence. The most restrictive value is `0` to now allow automatic language detection. - @@ -717,9 +721,9 @@ If enabled, the search indexer backoff feature will be disabled. Indexing will c This policy setting configures whether or not locations on removable drives can be added to libraries. -If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. +- If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. -If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. +- If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. @@ -782,9 +786,9 @@ If you disable or do not configure this policy setting, locations on removable d -If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar button will also be hidden. +- If you enable this policy, the Search UI will be disabled along with all its entry points, such as keyboard shortcuts, touchpad gestures, and type-to-search in the Start menu. The Start menu's search box and Search Taskbar button will also be hidden. -If you disable or don't configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown. +- If you disable or don't configure this policy setting, the user will be able to open the Search UI and its different entry points will be shown. @@ -849,11 +853,11 @@ If you disable or don't configure this policy setting, the user will be able to This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. -If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. +- If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. -If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. +- If you disable this policy setting, queries will be performed on the web and web results will be displayed when a user performs a query in Search. -If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search. +- If you don't configure this policy setting, a user can choose whether or not Search can perform queries on the web, and if the web results are displayed in Search. @@ -915,12 +919,8 @@ If you don't configure this policy setting, a user can choose whether or not Sea - -Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. - -Enable this policy if computers in your environment have extremely limited hard drive space. - -When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + +Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. Enable this policy if computers in your environment have extremely limited hard drive space. When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. @@ -981,8 +981,8 @@ When this policy is disabled or not configured, Windows Desktop Search automatic - -If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. Default is disabled. + +If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. . @@ -1070,8 +1070,8 @@ This policy is deprecated. | Value | Description | |:--|:--| -| 1 (Default) | Enable | -| 0 | Disable | +| 1 (Default) | Enable. | +| 0 | Disable. | diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 546441a436..f4b72810bf 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -1,10 +1,10 @@ --- title: Security Policy CSP -description: Learn more about the Security Area in Policy CSP +description: Learn more about the Security Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/19/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -239,7 +239,7 @@ This policy is deprecated. -This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system's TPM is in a state other than Ready, including if the TPM is "Ready, with reduced functionality". The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. @@ -307,6 +307,8 @@ Configures the use of passwords for Windows features +> [!NOTE] +> This policy is only supported in [Windows 10 S](/windows/deployment/s-mode). @@ -324,9 +326,9 @@ Configures the use of passwords for Windows features | Value | Description | |:--|:--| -| 0 | -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features) | -| 1 | Allow passwords (Passwords continue to be allowed to be used for Windows features) | -| 2 (Default) | as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords") | +| 0 | Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features). | +| 1 | Allow passwords (Passwords continue to be allowed to be used for Windows features). | +| 2 (Default) | As per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords"). | @@ -359,7 +361,6 @@ Specifies whether to allow automatic device encryption during OOBE when the devi For more information, see [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) - @@ -413,17 +414,16 @@ This policy controls the requirement of Admin Authentication in RecoveryEnvironm +**Validation procedure**: -**Validation procedure** - -To validate this policy, check whether Refresh ("Keep my files") and Reset ("Remove everything") require administraor authentication in Windows Recovery Environment (WinRE). +To validate this policy, check whether Refresh ("Keep my files") and Reset ("Remove everything") require administrator authentication in Windows Recovery Environment (WinRE). 1. First, start Push Button Reset (PBR) in WinRE. Open a command prompt as an administrator and run the following command: `reagentc /boottore` 1. The device should restart to WinRE. In the WinRE interface, go to **Troubleshoot** and select **Reset this PC**. You should see two options: **Keep my files** and **Remove everything**. 1. Choose the option to **Keep my files**. View the behavior for authentication. 1. Select the back arrow and choose **Remove everything**. View the behavior for authentication. - Instead of going back, alternatively you can go through the reset options, and select **Cancel** on the final confirmation page. It will then return to the main WinRE interface. +Instead of going back, alternatively you can go through the reset options, and select **Cancel** on the final confirmation page. It will then return to the main WinRE interface. The following table shows what behavior is expected for the policy settings with each scenario: @@ -435,7 +435,6 @@ The following table shows what behavior is expected for the policy settings with | Default (`0`) | :heavy_check_mark: | :x: | | RequireAuthentication" (`1`) | :heavy_check_mark: | :heavy_check_mark: | | NoRequireAuthentication" (`2`) | :x: | :x: | - @@ -453,9 +452,9 @@ The following table shows what behavior is expected for the policy settings with | Value | Description | |:--|:--| -| 0 (Default) | current) behavior | -| 1 | RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment | -| 2 | NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment | +| 0 (Default) | Current) behavior. | +| 1 | RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment. | +| 2 | NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment. | @@ -481,9 +480,7 @@ The following table shows what behavior is expected for the policy settings with -Allows enterprise to turn on internal storage encryption. Most restricted value is 1. - -**Important**: If encryption has been enabled, it cannot be turned off by using this policy. +Allows enterprise to turn on internal storage encryption. Most restricted value is 1. Important. If encryption has been enabled, it cannot be turned off by using this policy. @@ -581,9 +578,10 @@ Specifies whether provisioning packages must have a certificate signed by a devi -Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. Setting this policy to 1 (Required):Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2. 0. Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. +Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. Setting this policy to 1 (Required)Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2. 0. Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification -**Note**: We recommend that this policy is set to Required after MDM enrollment. Most restricted value is 1. +> [!NOTE] +> We recommend that this policy is set to Required after MDM enrollment. Most restricted value is 1. diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 36b8570d34..bec3edbcd6 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -1,10 +1,10 @@ --- title: ServiceControlManager Policy CSP -description: Learn more about the ServiceControlManager Area in Policy CSP +description: Learn more about the ServiceControlManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/19/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ServiceControlManager > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,11 +44,11 @@ ms.topic: reference This policy setting enables process mitigation options on svchost.exe processes. -If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. +- If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code. -If you disable or do not configure this policy setting, these stricter security settings will not be applied. +- If you disable or do not configure this policy setting, these stricter security settings will not be applied. @@ -60,7 +58,6 @@ If you enable this policy, it adds code integrity guard (CIG) and arbitrary code > [!IMPORTANT] > Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes. For example, third-party antivirus software. - @@ -74,7 +71,7 @@ If you enable this policy, it adds code integrity guard (CIG) and arbitrary code > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index a285171789..e26697bc7e 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -1,10 +1,10 @@ --- title: Settings Policy CSP -description: Learn more about the Settings Area in Policy CSP +description: Learn more about the Settings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,9 +37,10 @@ ms.topic: reference -Allows the user to change Auto Play settings. +Allows the user to change Auto Play settings -**Note**: Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. +> [!NOTE] +> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. @@ -96,7 +97,6 @@ Allows the user to change Data Sense settings. > [!NOTE] > The AllowDataSense policy isn't supported on Windows 10, version 2004 and later. - @@ -628,87 +628,6 @@ Allows user to change account settings. - -## PageVisibilityList - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList -``` - - - - -Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string showonly: or hide:. Pages are identified by a shortened version of their already published URIs, which is the URI minus the ms-settings: prefix. For example, if the URI for a settings page is ms-settings:bluetooth, the page identifier used in the policy will be just bluetooth. Multiple page identifiers are separated by semicolons. The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI ms-settings:about and ms-settings:bluetooth respectively:showonly:about;bluetooth. If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i. e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. - -**Note** that if a page is already hidden for another reason, then it will remain hidden even if it is in a showonly: list. The format of the PageVisibilityList value is as follows: The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. There are two variants: one that shows only the given pages and one which hides the given pages. The first variant starts with the string showonly: and the second with the string hide:. Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI ms-settings:network-wifi would be just network-wifi. The default value for this setting is an empty string, which is interpreted as show everything. Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:network-wifi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:showonly:network-wifi;bluetooth. Example 2, specifies that the wifi page should not be shown:hide:network-wifi - - - - - -For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). - -To validate this policy, use the following steps: - -1. In the Settings app, open **System** and verify that the **About** page is visible and accessible. -2. Configure this policy with the following string: `hide:about`. -3. Open **System** settings again and verify that the **About** page is hidden. - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | SettingsPageVisibility | -| Friendly Name | Settings Page Visibility | -| Element Name | Settings Page Visibility | -| Location | Computer and User Configuration | -| Path | Control Panel | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| ADMX File Name | ControlPanel.admx | - - - - - -**Example 1**: Only the wifi and bluetooth pages should be shown. They have URIs `ms-settings:network-wifi` and `ms-settings:bluetooth`. All other pages (and the categories they're in) will be hidden: - -`showonly:network-wifi;bluetooth` - -**Example 2**: The wifi page shouldn't be shown: - -`hide:network-wifi` - -**Example 3**: Allow access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - -`showonly:about;bluetooth` - - - - - ## ConfigureTaskbarCalendar @@ -728,11 +647,11 @@ To validate this policy, use the following steps: By default, the calendar is set according to the locale of the operating system, and users can show an additional calendar. For zh-CN and zh-SG locales, an additional calendar shows the lunar month and date and holiday names in Simplified Chinese (Lunar) by default. For zh-TW, zh-HK, and zh-MO locales, an additional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default. -If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale. +- If you enable this policy setting, users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar), regardless of the locale. -If you disable this policy setting, users cannot show an additional calendar, regardless of the locale. +- If you disable this policy setting, users cannot show an additional calendar, regardless of the locale. -If you do not configure this policy setting, the calendar will be set according to the default logic. +- If you do not configure this policy setting, the calendar will be set according to the default logic. @@ -780,6 +699,83 @@ If you do not configure this policy setting, the calendar will be set according + +## PageVisibilityList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList +``` + + + + +Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string showonly or hide. Pages are identified by a shortened version of their already published URIs, which is the URI minus the ms-settings prefix. For example, if the URI for a settings page is ms-settingsbluetooth, the page identifier used in the policy will be just bluetooth. Multiple page identifiers are separated by semicolons. The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI ms-settingsabout and ms-settingsbluetooth respectivelyshowonlyabout;bluetooth. If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i. e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. **Note** that if a page is already hidden for another reason, then it will remain hidden even if it is in a showonly list. The format of the PageVisibilityList value is as follows The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. There are two variants one that shows only the given pages and one which hides the given pages. The first variant starts with the string showonly and the second with the string hide. Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. Each page identifier is the ms-settingsxyz URI for the page, minus the ms-settings prefix, so the identifier for the page with URI ms-settingsnetwork-wifi would be just network-wifi. The default value for this setting is an empty string, which is interpreted as show everything. Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settingsnetwork-wifi and ms-settingsbluetooth). All other pages (and the categories they're in) will be hiddenshowonlynetwork-wifi;bluetooth. Example 2, specifies that the wifi page should not be shownhidenetwork-wifi + + + + + +For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). + +To validate this policy, use the following steps: + +1. In the Settings app, open **System** and verify that the **About** page is visible and accessible. +2. Configure this policy with the following string: `hide:about`. +3. Open **System** settings again and verify that the **About** page is hidden. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SettingsPageVisibility | +| Friendly Name | Settings Page Visibility | +| Element Name | Settings Page Visibility | +| Location | Computer and User Configuration | +| Path | Control Panel | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | ControlPanel.admx | + + + + + +**Example 1**: Only the wifi and bluetooth pages should be shown. They have URIs `ms-settings:network-wifi` and `ms-settings:bluetooth`. All other pages (and the categories they're in) will be hidden: + +`showonly:network-wifi;bluetooth` + +**Example 2**: The wifi page shouldn't be shown: + +`hide:network-wifi` + +**Example 3**: Allow access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: + +`showonly:about;bluetooth` + + + + diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md index 3be0b76457..e0f18ffd48 100644 --- a/windows/client-management/mdm/policy-csp-settingssync.md +++ b/windows/client-management/mdm/policy-csp-settingssync.md @@ -1,10 +1,10 @@ --- title: SettingsSync Policy CSP -description: Learn more about the SettingsSync Area in Policy CSP +description: Learn more about the SettingsSync Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - SettingsSync > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -43,9 +41,10 @@ ms.topic: reference + Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings. -If you enable this policy setting, the "accessibility", group will not be synced. +- If you enable this policy setting, the "accessibility", group will not be synced. Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled. @@ -66,6 +65,9 @@ If you do not set or disable this setting, syncing of the "accessibility" group +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | @@ -85,6 +87,57 @@ If you do not set or disable this setting, syncing of the "accessibility" group + +## DisableLanguageSettingSync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableLanguageSettingSync +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableLanguageSettingSync | +| ADMX File Name | SettingSync.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 6d510df4ba..907c344a75 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -1,10 +1,10 @@ --- title: SmartScreen Policy CSP -description: Learn more about the SmartScreen Area in Policy CSP +description: Learn more about the SmartScreen Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,7 +39,7 @@ ms.topic: reference App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. -If you enable this setting, you must choose from the following behaviors: +- If you enable this setting, you must choose from the following behaviors: - Turn off app recommendations @@ -49,7 +49,7 @@ If you enable this setting, you must choose from the following behaviors: - Allow apps from Store only -If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet. +- If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet. @@ -120,18 +120,18 @@ This policy allows you to turn Windows Defender SmartScreen on or off. SmartScre Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. -If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: +- If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: -• Warn and prevent bypass -• Warn +- Warn and prevent bypass +- Warn -If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. +- If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. -If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. +- If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. -If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. +- If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. -If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. +- If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index 379b03e5fa..967b68b67e 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -1,10 +1,10 @@ --- title: Speech Policy CSP -description: Learn more about the Speech Area in Policy CSP +description: Learn more about the Speech Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index d5550661b1..f0db80b75a 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1,10 +1,10 @@ --- title: Start Policy CSP -description: Learn more about the Start Area in Policy CSP +description: Learn more about the Start Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -552,7 +552,6 @@ With this policy you can push a new list of pinned apps to override the default/ For more information on how to configure the Start menu, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11). This string policy takes a JSON file named `LayoutModification.json`. The file enumerates the items to pin and their relative order. - @@ -602,7 +601,7 @@ This string policy takes a JSON file named `LayoutModification.json`. The file e This policy allows you to prevent users from being able to open context menus in the Start Menu. -If you enable this policy, then invocations of context menus within the Start Menu will be ignored. +- If you enable this policy, then invocations of context menus within the Start Menu will be ignored. @@ -648,6 +647,74 @@ If you enable this policy, then invocations of context menus within the Start Me + +## DisableControlCenter + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/DisableControlCenter +``` + + + + +This policy setting removes Quick Settings from the bottom right area on the taskbar. + +The quick settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. + +- If this setting is enabled, Quick Settings is not displayed in the quick settings area. + +A reboot is required for this policy setting to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Quick Settings. | +| 1 | Disable Quick Settings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableControlCenter | +| Friendly Name | Remove Quick Settings | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableControlCenter | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## DisableEditingQuickSettings @@ -665,9 +732,9 @@ If you enable this policy, then invocations of context menus within the Start Me -If you enable this policy, the user will be unable to modify Quick Settings. +- If you enable this policy, the user will be unable to modify Quick Settings. -If you disable or don't configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons. +- If you disable or don't configure this policy setting, the user will be able to edit Quick Settings, such as pinning or unpinning buttons. @@ -734,16 +801,15 @@ If you disable or don't configure this policy setting, the user will be able to -If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings. +- If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings. -If you disable or don’t configure this policy setting, Windows will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings. +- If you disable or don't configure this policy setting, Windows will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings. If there's a policy configuration conflict, the latest configuration request is applied to the device. - @@ -828,7 +894,6 @@ To validate this policy, do the following steps: 2. If set to `2`: Verify that the **All Apps** list is collapsed, and that the **Settings** toggle is grayed out. 3. If set to `3`: Verify that there's no way of opening the **All Apps** list from Start, and that the **Settings** toggle is grayed out. - @@ -928,9 +993,9 @@ Enabling this policy hides "Change account settings" from appearing in the user -If you enable this setting, the frequently used programs list is removed from the Start menu. +- If you enable this setting, the frequently used programs list is removed from the Start menu. -If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu. +- If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu. @@ -947,7 +1012,6 @@ To validate this policy, do the following steps: 4. Restart the explorer.exe process, or restart the computer. 5. Check that the **Show most used apps** Settings toggle is grayed out. 6. Check that most used apps don't appear in Start. - @@ -1014,7 +1078,6 @@ Enabling this policy hides "Hibernate" from appearing in the power button in the > [!NOTE] > This policy is only applicable on laptops. The **Hibernate** option doesn't appear on desktop PCs. - @@ -1092,6 +1155,71 @@ Enabling this policy hides "Lock" from appearing in the user tile in the start m + +## HidePeopleBar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar +``` + + + + +This policy allows you to remove the People Bar from the taskbar and disables the My People experience. + +- If you enable this policy the people icon will be removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users will not be able to pin people to the taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not hide. | +| 1 | Hide. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HidePeopleBar | +| Friendly Name | Remove the People Bar from the taskbar | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | HidePeopleBar | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## HidePowerButton @@ -1117,7 +1245,6 @@ Enabling this policy hides the power button from appearing in the start menu. > [!NOTE] > This policy requires a reboot to take effect. - @@ -1186,7 +1313,6 @@ To validate this policy, do the following steps: 7. Check that the Settings toggle is grayed out. 8. Open some images in the Photos app. 9. Right-click the pinned Photos app. Verify that there's no jump list of recent items. - @@ -1237,7 +1363,7 @@ To validate this policy, do the following steps: This policy allows you to prevent the Start Menu from displaying a list of recently installed applications. -If you enable this policy, the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled in Settings. +- If you enable this policy, the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled in Settings. @@ -1254,7 +1380,6 @@ To validate this policy, do the following steps: 4. Restart the explorer.exe process or restart the computer. 5. Check that the **Show recently added apps** Settings toggle is grayed out. 6. Check that recently added apps don't appear in Start. - @@ -1319,7 +1444,7 @@ To validate this policy, do the following steps: This policy allows you to prevent the Start Menu from displaying a list of recommended applications and files. -If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. +- If you enable this policy setting, the Start Menu will no longer show the section containing a list of recommended files and apps. @@ -1634,7 +1759,7 @@ Enabling this policy hides "Switch account" from appearing in the user tile in t This policy setting allows you to hide the TaskView button. -If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. +- If you enable this policy setting, the TaskView button will be hidden and the Settings toggle will be disabled. @@ -1705,7 +1830,6 @@ Enabling this policy hides the user tile from appearing in the start menu. > [!NOTE] > This policy requires a reboot to take effect. - @@ -1772,7 +1896,6 @@ To validate this policy, do the following steps: 2. Set the [StartLayout policy](#startlayout) to anything that triggers the Microsoft Edge assets import. 3. Sign out and sign in again. 4. Verify that all Microsoft Edge assets defined in the XML show up in the following path: `%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState`. - @@ -1807,7 +1930,9 @@ To validate this policy, do the following steps: -This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. +This policy setting allows you to control pinning programs to the Taskbar. +- If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. +- If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. @@ -1820,7 +1945,6 @@ To validate this policy, do the following steps: 3. Verify that the option to **Unpin from taskbar** doesn't show. 4. Open the Start menu and right-click on one of the app list icons. 5. Select **More** and verify that **Pin to taskbar** doesn't show. - @@ -1869,7 +1993,7 @@ To validate this policy, do the following steps: -If you enable this policy setting, you can configure Start menu to show or hide the list of user's most used apps, regardless of user settings. +- If you enable this policy setting, you can configure Start menu to show or hide the list of user's most used apps, regardless of user settings. Selecting "Show" will force the "Most used" list to be shown, and user cannot change to hide it using the Settings app. @@ -1877,7 +2001,7 @@ Selecting "Hide" will force the "Most used" list to be hidden, and user cannot c Selecting "Not Configured", or if you disable or do not configure this policy setting, all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default behavior. -Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of Start menu but with fewer options). +**Note** configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of Start menu but with fewer options). @@ -1940,9 +2064,9 @@ Note: configuring this policy to "Show" or "Hide" on supported versions of Windo -If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. +- If you enable this policy, Quick Settings will be reduced to only having the WiFi, Bluetooth, Accessibility, and VPN buttons; the brightness and volume sliders; and battery indicator and link to the Settings app. -If you disable or don't configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked. +- If you disable or don't configure this policy setting, the regular Quick Settings layout will appear whenever Quick Settings is invoked. @@ -2016,7 +2140,7 @@ To use this setting, you must first manually configure a device's Start layout t Once the XML file is generated and moved to the desired file path, type the fully qualified path and name of the XML file. You can type a local path, such as C:\StartLayouts\myLayout.xml or a UNC path, such as \\Server\Share\Layout.xml. If the specified file is not available when the user logs on, the layout won't be changed. Users cannot customize their Start screen while this setting is enabled. -If you disable this setting or do not configure it, the Start screen layout won't be changed and users will be able to customize it. +- If you disable this setting or do not configure it, the Start screen layout won't be changed and users will be able to customize it. @@ -2025,7 +2149,6 @@ If you disable this setting or do not configure it, the Start screen layout won' If both user and device policies are set, the user policy is used. You can also use this policy to change apps that are pinned to the taskbar. For more information on how to customize the Start layout, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11) and [Customize the Taskbar on Windows 11](/windows/configuration/customize-taskbar-windows-11). - @@ -2057,139 +2180,6 @@ For more information on how to customize the Start layout, see [Customize the St - -## DisableControlCenter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Start/DisableControlCenter -``` - - - - -This policy setting removes Quick Settings from the bottom right area on the taskbar. - -The quick settings area is located at the left of the clock in the taskbar and includes icons for current network and volume. - -If this setting is enabled, Quick Settings is not displayed in the quick settings area. - -A reboot is required for this policy setting to take effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Enable Quick Settings. | -| 1 | Disable Quick Settings. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableControlCenter | -| Friendly Name | Remove Quick Settings | -| Location | User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | DisableControlCenter | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## HidePeopleBar - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
    :heavy_check_mark: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar -``` - - - - -This policy allows you to remove the People Bar from the taskbar and disables the My People experience. - -If you enable this policy the people icon will be removed from the taskbar, the corresponding settings toggle is removed from the taskbar settings page, and users will not be able to pin people to the taskbar. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Do not hide. | -| 1 | Hide. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | HidePeopleBar | -| Friendly Name | Remove the People Bar from the taskbar | -| Location | User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | HidePeopleBar | -| ADMX File Name | StartMenu.admx | - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index 9b2eeee68c..b466e095ca 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -1,10 +1,10 @@ --- title: Stickers Policy CSP -description: Learn more about the Stickers Area in Policy CSP +description: Learn more about the Stickers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,6 +36,7 @@ ms.topic: reference + This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 56c09fc0f4..bbf0efadb7 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,10 +1,10 @@ --- title: Storage Policy CSP -description: Learn more about the Storage Area in Policy CSP +description: Learn more about the Storage Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - Storage > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -75,8 +73,8 @@ Same as Enabled. | Value | Description | |:--|:--| -| 0 | Do not allow | -| 1 (Default) | Allow | +| 0 | Do not allow. | +| 1 (Default) | Allow. | @@ -116,10 +114,10 @@ Same as Enabled. -Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy. +Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" group policy. Enabled: -Storage Sense is turned on for the machine, with the default cadence as ‘during low free disk space’. Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy). +Storage Sense is turned on for the machine, with the default cadence as 'during low free disk space'. Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the "Configure Storage Sense cadence" group policy). Disabled: Storage Sense is turned off the machine. Users cannot enable Storage Sense. @@ -147,8 +145,8 @@ By default, Storage Sense is turned off until the user runs into low disk space | Value | Description | |:--|:--| -| 1 | Allow | -| 0 (Default) | Block | +| 1 | Allow. | +| 0 (Default) | Block. | @@ -188,18 +186,18 @@ By default, Storage Sense is turned off until the user runs into low disk space -When Storage Sense runs, it can delete the user’s temporary files that are not in use. +When Storage Sense runs, it can delete the user's temporary files that are not in use. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: -Storage Sense will delete the user’s temporary files that are not in use. Users cannot disable this setting in Storage settings. +Storage Sense will delete the user's temporary files that are not in use. Users cannot disable this setting in Storage settings. Disabled: -Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings. +Storage Sense will not delete the user's temporary files. Users cannot enable this setting in Storage settings. Not Configured: -By default, Storage Sense will delete the user’s temporary files. Users can configure this setting in Storage settings. +By default, Storage Sense will delete the user's temporary files. Users can configure this setting in Storage settings. @@ -221,8 +219,8 @@ By default, Storage Sense will delete the user’s temporary files. Users can co | Value | Description | |:--|:--| -| 1 (Default) | Allow | -| 0 | Block | +| 1 (Default) | Allow. | +| 0 | Block. | @@ -262,7 +260,7 @@ By default, Storage Sense will delete the user’s temporary files. Users can co -When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. +When Storage Sense runs, it can dehydrate cloud-backed content that hasn't been opened in a certain amount of days. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. @@ -325,16 +323,16 @@ By default, Storage Sense will not dehydrate any cloud-backed content. Users can -When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. +When Storage Sense runs, it can delete files in the user's Downloads folder if they haven't been opened for more than a certain number of days. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: You must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365. -If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder. +If you set this value to zero, Storage Sense will not delete files in the user's Downloads folder. The default is 0, or never deleting files in the Downloads folder. Disabled or Not Configured: -By default, Storage Sense will not delete files in the user’s Downloads folder. Users can configure this setting in Storage settings. +By default, Storage Sense will not delete files in the user's Downloads folder. Users can configure this setting in Storage settings. @@ -388,7 +386,7 @@ By default, Storage Sense will not delete files in the user’s Downloads folder -Storage Sense can automatically clean some of the user’s files to free up disk space. +Storage Sense can automatically clean some of the user's files to free up disk space. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. @@ -396,7 +394,7 @@ Enabled: You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space). Disabled or Not Configured: -By default, the Storage Sense cadence is set to “during low free disk space”. Users can configure this setting in Storage settings. +By default, the Storage Sense cadence is set to "during low free disk space". Users can configure this setting in Storage settings. @@ -408,7 +406,6 @@ Use the following integer values for the supported options: - `1`: Daily - `7`: Weekly - `30`: Monthly - @@ -458,16 +455,16 @@ Use the following integer values for the supported options: -When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. +When Storage Sense runs, it can delete files in the user's Recycle Bin if they have been there for over a certain amount of days. If the group policy "Allow Storage Sense" is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 - 365. -If you set this value to zero, Storage Sense will not delete files in the user’s Recycle Bin. The default is 30 days. +If you set this value to zero, Storage Sense will not delete files in the user's Recycle Bin. The default is 30 days. Disabled or Not Configured: -By default, Storage Sense will delete files in the user’s Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. +By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. @@ -523,9 +520,9 @@ By default, Storage Sense will delete files in the user’s Recycle Bin that hav This policy setting configures whether or not Windows will activate an Enhanced Storage device. -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. +- If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. +- If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. @@ -543,7 +540,7 @@ If you disable or do not configure this policy setting, Windows will activate un > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -583,11 +580,12 @@ If you disable or do not configure this policy setting, Windows will activate un This policy setting denies write access to removable disks. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. -Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." +> [!NOTE] +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." @@ -651,9 +649,9 @@ Note: To require that users write data to BitLocker-protected storage, enable th This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -664,13 +662,11 @@ This policy does enforcement over the following protocols that are used by most - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. - >[!NOTE] > WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. - @@ -684,13 +680,13 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WPDDevices_DenyRead_Access | +| Name | WPDDevices_DenyRead_Access_2 | | Friendly Name | WPD Devices: Deny read access | | Location | Computer Configuration | | Path | System > Removable Storage Access | @@ -705,79 +701,6 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an - -## WPDDevicesDenyWriteAccessPerDevice - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerDevice -``` - - - - -This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. - -If you enable this policy setting, write access is denied to this removable storage class. - -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. - - - - - -This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: - -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. -- Mass Storage Class (MSC) over USB. - - - ->[!NOTE] -> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | WPDDevices_DenyWrite_Access | -| Friendly Name | WPD Devices: Deny write access | -| Location | Computer Configuration | -| Path | System > Removable Storage Access | -| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | -| Registry Value Name | Deny_Write | -| ADMX File Name | RemovableStorage.admx | - - - - - - - - ## WPDDevicesDenyReadAccessPerUser @@ -797,9 +720,9 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, read access is denied to this removable storage class. +- If you enable this policy setting, read access is denied to this removable storage class. -If you disable or do not configure this policy setting, read access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, read access is allowed to this removable storage class. @@ -810,13 +733,11 @@ This policy does enforcement over the following protocols that are used by most - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. - >[!NOTE] > WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. - @@ -830,13 +751,13 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WPDDevices_DenyRead_Access | +| Name | WPDDevices_DenyRead_Access_1 | | Friendly Name | WPD Devices: Deny read access | | Location | User Configuration | | Path | System > Removable Storage Access | @@ -851,6 +772,77 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an + +## WPDDevicesDenyWriteAccessPerDevice + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Storage/WPDDevicesDenyWriteAccessPerDevice +``` + + + + +This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. + +- If you enable this policy setting, write access is denied to this removable storage class. + +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + + + + + +This policy does enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: + +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. + + +>[!NOTE] +> WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | WPDDevices_DenyWrite_Access_2 | +| Friendly Name | WPD Devices: Deny write access | +| Location | Computer Configuration | +| Path | System > Removable Storage Access | +| Registry Key Name | Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33} | +| Registry Value Name | Deny_Write | +| ADMX File Name | RemovableStorage.admx | + + + + + + + + ## WPDDevicesDenyWriteAccessPerUser @@ -870,9 +862,9 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. -If you enable this policy setting, write access is denied to this removable storage class. +- If you enable this policy setting, write access is denied to this removable storage class. -If you disable or do not configure this policy setting, write access is allowed to this removable storage class. +- If you disable or do not configure this policy setting, write access is allowed to this removable storage class. @@ -883,13 +875,11 @@ This policy does enforcement over the following protocols that are used by most - Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. - Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. - Mass Storage Class (MSC) over USB. - >[!NOTE] > WPD policy isn't a reliable policy for removable storage. You can't use WPD policy to entirely block removable storage. For example, if a user inserts a USB drive to a device with a WPD policy, the policy may block PTP or MTP, but the user can still browse the drive in Windows Explorer. - @@ -903,13 +893,13 @@ To enable this policy, the minimum OS requirement is Windows 10, version 1809 an > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | WPDDevices_DenyWrite_Access | +| Name | WPDDevices_DenyWrite_Access_1 | | Friendly Name | WPD Devices: Deny write access | | Location | User Configuration | | Path | System > Removable Storage Access | diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 2a3fa4504c..ac45cee0eb 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,10 +1,10 @@ --- title: System Policy CSP -description: Learn more about the System Area in Policy CSP +description: Learn more about the System Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - System > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,9 +44,9 @@ ms.topic: reference This policy setting determines whether users can get preview builds of Windows, by configuring controls in Settings > Update and security > Windows Insider Program. -If you enable or do not configure this policy setting, users can download and install preview builds of Windows by configuring Windows Insider Program settings. +- If you enable or do not configure this policy setting, users can download and install preview builds of Windows by configuring Windows Insider Program settings. -If you disable this policy setting, Windows Insider Program settings will be unavailable to users through the Settings app. +- If you disable this policy setting, Windows Insider Program settings will be unavailable to users through the Settings app. This policy is only supported up to Windows 10, Version 1703. Please use 'Manage preview builds' under 'Windows Update for Business' for newer Windows 10 versions. @@ -116,11 +114,12 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . To enable this behavior: + 1. Enable this policy setting 2. Join an Azure Active Directory account to the device Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting does not change the Windows diagnostic data collection level set for the device -If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing”. +- If you disable or do not configure this setting, Microsoft will be the controller of the Windows diagnostic data collected from the device and processed in accordance with Microsoft's privacy statement at unless you have enabled policies like 'Allow Update Compliance Processing' or 'Allow Desktop Analytics Processing". See the documentation at for information on this and other policies that will result in Microsoft being the processor of Windows diagnostic data. @@ -187,13 +186,16 @@ See the documentation at for i This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor for Windows diagnostic data collected from the device, subject to the Product Terms at . To enable this behavior: + 1. Enable this policy setting 2. Join an Azure Active Directory account to the device + 3. Set Allow Telemetry to value 1 - Required, or higher 4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. If you disable this policy setting, devices will not appear in Desktop Analytics. +This setting has no effect on devices unless they are properly enrolled in Desktop Analytics. +- If you disable this policy setting, devices will not appear in Desktop Analytics. @@ -257,7 +259,7 @@ This setting has no effect on devices unless they are properly enrolled in Deskt This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. -If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. +- If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. @@ -368,7 +370,8 @@ Specifies whether set general purpose device to be in embedded mode. Most restri -NoteThis policy is not supported in Windows 10, version 1607. This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. Most restricted value is 0. +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. Most restricted value is 0. @@ -420,11 +423,11 @@ NoteThis policy is not supported in Windows 10, version 1607. This policy settin This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. -If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. +- If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. -If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. +- If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. -If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. +- If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot. @@ -557,7 +560,12 @@ Specifies whether to allow app access to the Location service. Most restricted v -This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows. This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See for more information. hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. +This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows. +This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . +For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See for more information. +hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. +This setting has no effect on devices unless they are properly enrolled in Microsoft Managed Desktop. +- If you disable this policy setting, devices may not appear in Microsoft Managed Desktop. @@ -665,9 +673,9 @@ By configuring this policy setting you can adjust what diagnostic data is collec - Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the "Optional diagnostic data" control in the Settings app. - Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent. -If you disable or do not configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app. +- If you disable or do not configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app. -Note: +**Note**: The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings. @@ -734,13 +742,15 @@ Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Educati This policy setting, in combination with the Allow Telemetry and Configure the Commercial ID, enables organizations to configure the device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . To enable this behavior: + 1. Enable this policy setting 2. Join an Azure Active Directory account to the device + 3. Set Allow Telemetry to value 1 - Required, or higher 4. Set the Configure the Commercial ID setting for your Update Compliance workspace When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -If you disable or do not configure this policy setting, devices will not appear in Update Compliance. +- If you disable or do not configure this policy setting, devices will not appear in Update Compliance. @@ -853,12 +863,14 @@ Specifies whether to allow the user to factory reset the device by using control This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at . To enable this behavior: + 1. Enable this policy setting 2. Join an Azure Active Directory account to the device + 3. Set Allow Telemetry to value 1 - Required, or higher When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. -If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features. +- If you disable or do not configure this policy setting, devices enrolled to the Windows Update for Business deployment service will not be able to take advantage of some deployment service features. @@ -926,9 +938,9 @@ This policy setting allows you to specify which boot-start drivers are initializ - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. -If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. +- If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. -If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. +- If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. @@ -947,6 +959,9 @@ If your malware detection application does not include an Early Launch Antimalwa +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | @@ -983,7 +998,7 @@ If your malware detection application does not include an Early Launch Antimalwa -This policy sets the upload endpoint for this device’s diagnostic data as part of the Desktop Analytics program. +This policy sets the upload endpoint for this device's diagnostic data as part of the Desktop Analytics program. If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. @@ -1109,9 +1124,9 @@ This policy setting determines whether an end user can change diagnostic data se If you set this policy setting to "Disable diagnostic data opt-in settings", diagnostic data settings are disabled in the Settings app. -If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app. +- If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app. -Note: +**Note**: To set a limit on the amount of diagnostic data that is sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting. @@ -1176,9 +1191,9 @@ To set a limit on the amount of diagnostic data that is sent to Microsoft by you This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & feedback Settings page. -If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +- If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. +- If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. @@ -1242,9 +1257,9 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & feedback Settings page. -If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +- If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. +- If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. @@ -1364,7 +1379,8 @@ This group policy allows control over whether the DirectX Database Updater task -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. +- If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. @@ -1386,8 +1402,8 @@ This policy setting blocks the Connected User Experience and Telemetry service f | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -1427,15 +1443,15 @@ This policy setting blocks the Connected User Experience and Telemetry service f This policy setting lets you prevent apps and features from working with files on OneDrive. -If you enable this policy setting: +- If you enable this policy setting: -* Users can’t access OneDrive from the OneDrive app and file picker. -* Windows Store apps can’t access OneDrive using the WinRT API. -* OneDrive doesn’t appear in the navigation pane in File Explorer. -* OneDrive files aren’t kept in sync with the cloud. -* Users can’t automatically upload photos and videos from the camera roll folder. +* Users can't access OneDrive from the OneDrive app and file picker. +* Windows Store apps can't access OneDrive using the WinRT API. +* OneDrive doesn't appear in the navigation pane in File Explorer. +* OneDrive files aren't kept in sync with the cloud. +* Users can't automatically upload photos and videos from the camera roll folder. -If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. +- If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. @@ -1500,9 +1516,9 @@ If you disable or do not configure this policy setting, apps and features can wo This policy setting controls whether Windows attempts to connect with the OneSettings service. -If you enable this policy, Windows will not attempt to connect with the OneSettings Service. +- If you enable this policy, Windows will not attempt to connect with the OneSettings Service. -If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the OneSettings service to download configuration settings. +- If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the OneSettings service to download configuration settings. @@ -1570,9 +1586,9 @@ This policy setting allows you to turn off System Restore. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. +- If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. +- If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. @@ -1591,6 +1607,9 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | @@ -1629,9 +1648,9 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog. -If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel. +- If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel. -If you disable or don't configure this policy setting, Windows will not record attempts to connect with the OneSettings service to the EventLog. +- If you disable or don't configure this policy setting, Windows will not record attempts to connect with the OneSettings service to the EventLog. @@ -1744,9 +1763,9 @@ Diagnostic files created when a feedback is filed in the Feedback Hub app will a This policy controls messages which are shown when Windows is running on a device that does not meet the minimum system requirements for this OS version. -If you enable this policy setting, these messages will never appear on desktop or in the Settings app. +- If you enable this policy setting, these messages will never appear on desktop or in the Settings app. -If you disable or do not configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that does not meet the minimum system requirements for this OS version. +- If you disable or do not configure this policy setting, these messages will appear on desktop and in the Settings app when Windows is running on a device that does not meet the minimum system requirements for this OS version. @@ -1813,7 +1832,7 @@ This policy setting controls whether additional diagnostic logs are collected wh By enabling this policy setting, diagnostic logs will not be collected. -If you disable or do not configure this policy setting, we may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data. +- If you disable or do not configure this policy setting, we may occasionally collect diagnostic logs if the device has been configured to send optional diagnostic data. @@ -1879,7 +1898,7 @@ This policy setting limits the type of dumps that can be collected when more inf By enabling this setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps. -If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data. +- If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data. @@ -1944,14 +1963,16 @@ If you disable or do not configure this policy setting, we may occasionally coll This policy setting, in combination with the "Allow Diagnostic Data" policy setting, enables organizations to send the minimum data required by Desktop Analytics. To enable the behavior described above, complete the following steps: + 1. Enable this policy setting 2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data" + 3. Enable the "Limit Dump Collection" policy 4. Enable the "Limit Diagnostic Log Collection" policy When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at . -If you disable or do not configure this policy setting, diagnostic data collection is determined by the "Allow Diagnostic Data" policy setting or by the end user from the Settings app. +- If you disable or do not configure this policy setting, diagnostic data collection is determined by the "Allow Diagnostic Data" policy setting or by the end user from the Settings app. @@ -2013,7 +2034,8 @@ If you disable or do not configure this policy setting, diagnostic data collecti -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is ``:``. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is ``:``. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. +- If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. @@ -2068,9 +2090,9 @@ Allows you to specify the fully qualified domain name (FQDN) or IP address of a This policy setting allows you to turn off File History. -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. +- If you enable this policy setting, File History cannot be activated to create regular, automatic backups. -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. +- If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index f21931616b..7cfbd6b1fa 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -1,10 +1,10 @@ --- title: SystemServices Policy CSP -description: Learn more about the SystemServices Area in Policy CSP +description: Learn more about the SystemServices Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -159,9 +159,9 @@ This setting determines whether the service's start type is Automatic(2), Manual | Value | Description | |:--|:--| -| 2 | Automatic | -| 3 (Default) | Manual | -| 4 | Disabled | +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | @@ -218,9 +218,9 @@ This setting determines whether the service's start type is Automatic(2), Manual | Value | Description | |:--|:--| -| 2 | Automatic | -| 3 (Default) | Manual | -| 4 | Disabled | +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | @@ -277,9 +277,9 @@ This setting determines whether the service's start type is Automatic(2), Manual | Value | Description | |:--|:--| -| 2 | Automatic | -| 3 (Default) | Manual | -| 4 | Disabled | +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | @@ -336,9 +336,9 @@ This setting determines whether the service's start type is Automatic(2), Manual | Value | Description | |:--|:--| -| 2 | Automatic | -| 3 (Default) | Manual | -| 4 | Disabled | +| 2 | Automatic. | +| 3 (Default) | Manual. | +| 4 | Disabled. | diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 5c46c7733c..6c58c87151 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,10 +1,10 @@ --- title: TaskManager Policy CSP -description: Learn more about the TaskManager Area in Policy CSP +description: Learn more about the TaskManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index f18ac472a3..855e816358 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,10 +1,10 @@ --- title: TaskScheduler Policy CSP -description: Learn more about the TaskScheduler Area in Policy CSP +description: Learn more about the TaskScheduler Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -59,8 +59,8 @@ This setting determines whether the specific task is enabled (1) or disabled (0) | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md index 0ab6c560aa..a3d3f7355e 100644 --- a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md +++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md @@ -1,10 +1,10 @@ --- title: TenantDefinedTelemetry Policy CSP -description: Learn more about the TenantDefinedTelemetry Area in Policy CSP +description: Learn more about the TenantDefinedTelemetry Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/02/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -36,6 +36,7 @@ ms.topic: reference + This policy is used to let mission control what type of Edition we are currently in. @@ -58,9 +59,9 @@ This policy is used to let mission control what type of Edition we are currently | Value | Description | |:--|:--| -| 0 (Default) | Base | -| 1 | Education | -| 2 | Commercial | +| 0 (Default) | Base. | +| 1 | Education. | +| 2 | Commercial. | diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index bb44b6a25a..babefd000e 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -1,10 +1,10 @@ --- title: TenantRestrictions Policy CSP -description: Learn more about the TenantRestrictions Area in Policy CSP +description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - TenantRestrictions > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -43,16 +41,18 @@ ms.topic: reference + This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory. When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant. -Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. +> [!NOTE] +> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details. -https://go.microsoft.com/fwlink/?linkid=2148762 + Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information. -For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230 +For details about setting up WDAC with tenant restrictions, see @@ -69,6 +69,9 @@ For details about setting up WDAC with tenant restrictions, see https://go.micro +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 282bca427e..656d59762c 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1,10 +1,10 @@ --- title: TextInput Policy CSP -description: Learn more about the TextInput Area in Policy CSP +description: Learn more about the TextInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -86,7 +86,8 @@ Placeholder only. Do not use in production environment. -Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. Most restricted value is 0. @@ -184,7 +185,8 @@ Allows the user to turn on Open Extended Dictionary, Internet search integration -Allows the IT admin to disable the touch/handwriting keyboard on Windows. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the IT admin to disable the touch/handwriting keyboard on Windows. Most restricted value is 0. @@ -233,7 +235,8 @@ Allows the IT admin to disable the touch/handwriting keyboard on Windows. Most r -Allows the Japanese IME surrogate pair characters. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the Japanese IME surrogate pair characters. Most restricted value is 0. @@ -282,7 +285,8 @@ Allows the Japanese IME surrogate pair characters. Most restricted value is 0. -Allows Japanese Ideographic Variation Sequence (IVS) characters. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows Japanese Ideographic Variation Sequence (IVS) characters. Most restricted value is 0. @@ -331,7 +335,8 @@ Allows Japanese Ideographic Variation Sequence (IVS) characters. Most restricted -Allows the Japanese non-publishing standard glyph. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the Japanese non-publishing standard glyph. Most restricted value is 0. @@ -380,7 +385,8 @@ Allows the Japanese non-publishing standard glyph. Most restricted value is 0. -Allows the Japanese user dictionary. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the Japanese user dictionary. Most restricted value is 0. @@ -429,7 +435,8 @@ Allows the Japanese user dictionary. Most restricted value is 0. - Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. Most restricted value is 0. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. Most restricted value is 0. @@ -483,7 +490,7 @@ To validate that text prediction is disabled on Windows 10 for desktop, do the f -When this policy setting is enabled, some language features (such as handwriting recognizers and spell checking dictionaries) included with a language can be uninstalled from a user’s machine when the language is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting is disabled, language features remain on the user’s machine when the language is uninstalled. +When this policy setting is enabled, some language features (such as handwriting recognizers and spell checking dictionaries) included with a language can be uninstalled from a user's machine when the language is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting is disabled, language features remain on the user's machine when the language is uninstalled. @@ -658,17 +665,18 @@ Allows the user to turn on or off the automatic downloading of newer versions of -This policy setting controls the version of Microsoft IME.​ +This policy setting controls the version of Microsoft IME. -If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. -If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. This Policy setting applies only to Microsoft Japanese IME. -Note: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -732,17 +740,18 @@ Note: Changes to this setting will not take effect until the user logs off. -This policy setting controls the version of Microsoft IME.​ +This policy setting controls the version of Microsoft IME. -If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. -If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. This Policy setting applies only to Microsoft Korean IME. -Note: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -797,17 +806,18 @@ Note: Changes to this setting will not take effect until the user logs off. -This policy setting controls the version of Microsoft IME.​ +This policy setting controls the version of Microsoft IME. -If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. -If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. This Policy setting applies only to Microsoft Simplified Chinese IME. -Note: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -871,17 +881,18 @@ Note: Changes to this setting will not take effect until the user logs off. -This policy setting controls the version of Microsoft IME.​ +This policy setting controls the version of Microsoft IME. -If you don’t configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default.​ +- If you don't configure this policy setting, user can control IME version to use. The new Microsoft IME is on by default. -If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected.​ +- If you enable this, user is not allowed to control IME version to use. The previous version of Microsoft IME is always selected. -If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. +- If you disable this, user is not allowed to control IME version to use. The new Microsoft IME is always selected. This Policy setting applies only to Microsoft Traditional Chinese IME. -Note: Changes to this setting will not take effect until the user logs off. +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. @@ -994,7 +1005,8 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh -Allows the users to restrict character code range of conversion by setting the character filter. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the users to restrict character code range of conversion by setting the character filter. @@ -1043,7 +1055,8 @@ Allows the users to restrict character code range of conversion by setting the c -Allows the users to restrict character code range of conversion by setting the character filter. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the users to restrict character code range of conversion by setting the character filter. @@ -1092,7 +1105,8 @@ Allows the users to restrict character code range of conversion by setting the c -Allows the users to restrict character code range of conversion by setting the character filter. +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. Allows the users to restrict character code range of conversion by setting the character filter. diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index c48183ccf1..7a3dfd08c5 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,10 +1,10 @@ --- title: TimeLanguageSettings Policy CSP -description: Learn more about the TimeLanguageSettings Area in Policy CSP +description: Learn more about the TimeLanguageSettings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -91,9 +91,9 @@ This policy is deprecated. This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but are not used by any users on that machine. -If you enable this policy setting, language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. +- If you enable this policy setting, language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. -If you disable or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task. +- If you disable or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task. @@ -199,9 +199,9 @@ Specifies the time zone to be applied to the device. This is the standard Window This policy setting controls which UI language is used for computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. -If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs. +- If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs. diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index ce26e2a58d..ddcdb2743d 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -1,10 +1,10 @@ --- title: Troubleshooting Policy CSP -description: Learn more about the Troubleshooting Area in Policy CSP +description: Learn more about the Troubleshooting Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -50,14 +50,17 @@ Enabling this policy allows you to configure how troubleshooting is applied on t 5 = Allow the user to choose their own troubleshooting settings. After setting this policy, you can use the following instructions to check devices in your domain for available troubleshooting from Microsoft: + 1. Create a bat script with the following contents: rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" 2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). + 4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. 5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. + 6. Configure the task to deploy to your domain. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 557daee705..d7228c5219 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1,10 +1,10 @@ --- title: Update Policy CSP -description: Learn more about the Update Area in Policy CSP +description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,10 @@ ms.topic: reference -Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. **Note**: The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). +Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time + +> [!NOTE] +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). @@ -96,7 +99,7 @@ Enable this policy to specify the maximum number of hours from the start time th The max active hours range can be set between 8 and 18 hours. -If you disable or do not configure this policy, the default max active hours range will be used. +- If you disable or do not configure this policy, the default max active hours range will be used. @@ -151,7 +154,10 @@ If you disable or do not configure this policy, the default max active hours ran -Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. **Note**: The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). +Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time + +> [!NOTE] +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). @@ -206,7 +212,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Supported operations are Get and Replace. **Important**: This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Supported operations are Get and Replace. Important. This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). @@ -298,8 +304,8 @@ This policy is accessible through the Update setting in the user interface or Gr | Value | Description | |:--|:--| -| 0 (Default) | Not allowed | -| 1 | Allowed | +| 0 (Default) | Not allowed. | +| 1 | Allowed. | @@ -458,7 +464,10 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. **Note**: This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. @@ -524,9 +533,9 @@ This policy setting allows you to configure Automatic Maintenance wake up policy The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. +- If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. +- If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. @@ -593,9 +602,10 @@ Specify the deadline before the PC will automatically restart to apply updates. The restart may happen inside active hours. -If you disable or do not configure this policy, the PC will restart according to the default schedule. +- If you disable or do not configure this policy, the PC will restart according to the default schedule. Enabling either of the following two policies will override the above policy: + 1. No auto-restart with logged on users for scheduled automatic updates installations. 2. Always automatically restart at scheduled time. @@ -652,7 +662,9 @@ Enabling either of the following two policies will override the above policy: -For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Value type is integer. Default is 7 days. Supported values range: 2-30. **Note** that the PC must restart for certain updates to take effect. If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. If you disable or do not configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installations. Always automatically restart at scheduled time. +For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Value type is integer. Default is 7 days. Supported values range 2-30. **Note** that the PC must restart for certain updates to take effect. +- If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. +- If you disable or do not configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effectNo auto-restart with logged on users for scheduled automatic updates installations. Always automatically restart at scheduled time. @@ -729,11 +741,11 @@ Allows the IT Admin to specify the period for auto-restart reminder notification | Value | Description | |:--|:--| -| 15 (Default) | 15 Minutes | -| 30 | 30 Minutes | -| 60 | 60 Minutes | -| 120 | 120 Minutes | -| 240 | 240 Minutes | +| 15 (Default) | 15 Minutes. | +| 30 | 30 Minutes. | +| 60 | 60 Minutes. | +| 120 | 120 Minutes. | +| 240 | 240 Minutes. | @@ -777,7 +789,7 @@ Enable this policy to specify the method by which the auto-restart required noti The method can be set to require user action to dismiss the notification. -If you disable or do not configure this policy, the default method will be used. +- If you disable or do not configure this policy, the default method will be used. @@ -862,11 +874,11 @@ Allows the IT admin to set which branch a device receives their updates from. As | Value | Description | |:--|:--| -| 2 | {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) | -| 4 | {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) | -| 8 | {0x8} - Release Windows Insider build (added in Windows 10, version 1709) | +| 2 | {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709). | +| 4 | {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709). | +| 8 | {0x8} - Release Windows Insider build (added in Windows 10, version 1709). | | 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). | -| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16) | +| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). | | 64 | {0x40} - Release Preview of Quality Updates Only. | @@ -1328,7 +1340,10 @@ Enable enterprises/IT admin to configure feature update uninstall period -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days. **Important**: The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. @@ -1438,7 +1453,7 @@ Defers Quality Updates for the specified number of days. Supported values are 0- -Note. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:Update/RequireDeferUpgrade must be set to 1System/AllowTelemetry must be set to 1 or higherIf the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. OS upgrade:Maximum deferral: 8 monthsDeferral increment: 1 monthUpdate type/notes:Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5Update:Maximum deferral: 1 monthDeferral increment: 1 weekUpdate type/notes:If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0Other/cannot defer:Maximum deferral: No deferralDeferral increment: No deferralUpdate type/notes:Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B +Note. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:Update/RequireDeferUpgrade must be set to 1. System/AllowTelemetry must be set to 1 or higherIf the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. OS upgrade:Maximum deferral: 8 monthsDeferral increment: 1 monthUpdate type/notes:Upgrade - 3689. BDC8-B205-4. AF4-8. D4A-A63924C5E9D5Update:Maximum deferral: 1 monthDeferral increment: 1 weekUpdate type/notes:If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - Security Update - 0. FA1201D-4330-4. FA8-8. AE9-B877473B6441- Critical Update - E6CF1350-C01B-414. D-A61F-263. D14D133B4- Update Rollup - 28. BC880E-0592-4. CBF-8. F95-C79B17911D5F- Service Pack - 68. C5B0A3-D1A6-4553-AE49-01. D3A7827828- Tools - B4832BD8-E735-4761-8. DAF-37. F882276DAB- Feature Pack - B54E7D24-7. ADD-428. F-8. B75-90. A396FA584F- Update - CD5FFD1E-E932-4. E3A-BF74-18. BF0B1BBD83- Driver - EBFC1FC5-71. A4-4. F7B-9. ACA-3. B9A503104A0Other/cannot defer:Maximum deferral: No deferralDeferral increment: No deferralUpdate type/notes:Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495. B842F43B @@ -1489,7 +1504,8 @@ Note. Don't use this policy in Windows 10, version 1607 devices, instead use th -NoteSince this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +> [!NOTE] +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. @@ -1600,7 +1616,8 @@ Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. Enable this policy to not allow update deferral policies to cause scans against Windows Update. If this policy is disabled or not configured, then the Windows Update client may initiate automatic scans against Windows Update while update deferral policies are enabled. -Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect. +> [!NOTE] +> This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect. @@ -1624,8 +1641,8 @@ Note: This policy applies only when the intranet Microsoft update service this c | Value | Description | |:--|:--| -| 0 (Default) | allow scan against Windows Update | -| 1 | do not allow update deferral policies to cause scans against Windows Update | +| 0 (Default) | Allow scan against Windows Update. | +| 1 | Do not allow update deferral policies to cause scans against Windows Update. | @@ -1779,7 +1796,8 @@ Do not enforce TLS certificate pinning for Windows Update client for detecting u -For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. **Note**: If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation +For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Note. If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). +- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1834,7 +1852,8 @@ For Quality Updates, this policy specifies the deadline in days before automatic -For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation +For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). +- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1889,7 +1908,8 @@ For Feature Updates, this policy specifies the deadline in days before automatic -For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation +For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. +- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -1944,7 +1964,8 @@ For Quality Updates, this policy specifies the number of days a user can snooze -For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation +For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. +- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -2007,11 +2028,13 @@ You can specify the deadline in days before automatically scheduling and executi If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. -If you disable or do not configure this policy, the PC will restart following the default schedule. +- If you disable or do not configure this policy, the PC will restart following the default schedule. Enabling any of the following policies will override the above policy: + 1. No auto-restart with logged on users for scheduled automatic updates installations 2. Always automatically restart at scheduled time + 3. Specify deadline before auto-restart for update installation @@ -2067,7 +2090,8 @@ Enabling any of the following policies will override the above policy: -For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Value type is integer. Default value is 7 days. Supported value range: 2 - 30. If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation +For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Value type is integer. Default value is 7 days. Supported value range: 2 - 30. +- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation @@ -2124,7 +2148,7 @@ For Feature Updates, this policy specifies the timing before transitioning from Enable this policy to not include drivers with Windows quality updates. -If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. +- If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. @@ -2187,7 +2211,10 @@ If you disable or do not configure this policy, Windows Update will include upda -Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). **Note**: This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. +Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL) + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. @@ -2250,7 +2277,10 @@ Allows Windows Update Agent to determine the download URL when it is missing fro -Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators. +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. @@ -2307,7 +2337,10 @@ To validate this policy: -Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. **Warning**: Setting this policy might cause devices to incur costs from MO operators. +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. @@ -2386,10 +2419,10 @@ Used to manage Windows 10 Insider Preview builds. Value type is integer. | Value | Description | |:--|:--| -| 0 | Disable Preview builds | -| 1 | Disable Preview builds once the next release is public | -| 2 | Enable Preview builds | -| 3 (Default) | Preview builds is left to user selection | +| 0 | Disable Preview builds. | +| 1 | Disable Preview builds once the next release is public. | +| 2 | Enable Preview builds. | +| 3 (Default) | Preview builds is left to user selection. | @@ -2428,7 +2461,7 @@ Used to manage Windows 10 Insider Preview builds. Value type is integer. -When enabled, notifications will only be disabled during active hours. Takes effect only if Update/UpdateNotificationLevel is configured to 1 or 2. To ensure that the device stays secure, a notification will still be shown if this option is selected once “Specify deadlines for automatic updates and restarts” deadline has been reached if configured, regardless of active hours. +When enabled, notifications will only be disabled during active hours. Takes effect only if Update/UpdateNotificationLevel is configured to 1 or 2. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. @@ -2489,7 +2522,8 @@ When enabled, notifications will only be disabled during active hours. Takes eff -NoteDon't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. @@ -2548,7 +2582,7 @@ NoteDon't use this policy in Windows 10, version 1607 devices, instead use the -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days. +Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days. @@ -2881,7 +2915,8 @@ Supported value type is a string containing a Windows product. For example, "Win -NoteDon't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. @@ -2940,7 +2975,8 @@ NoteDon't use this policy in Windows 10, version 1607 devices, instead use the -Note If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace. +> [!NOTE] +> If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace. @@ -3013,14 +3049,14 @@ Enables the IT admin to schedule the day of the update installation. The data ty | Value | Description | |:--|:--| -| 0 (Default) | Every day | -| 1 | Sunday | -| 2 | Monday | -| 3 | Tuesday | -| 4 | Wednesday | -| 5 | Thursday | -| 6 | Friday | -| 7 | Saturday | +| 0 (Default) | Every day. | +| 1 | Sunday. | +| 2 | Monday. | +| 3 | Tuesday. | +| 4 | Wednesday. | +| 5 | Thursday. | +| 6 | Friday. | +| 7 | Saturday. | @@ -3084,8 +3120,8 @@ Enables the IT admin to schedule the update installation on the every week. Valu | Value | Description | |:--|:--| -| 0 | no update in the schedule | -| 1 (Default) | update is scheduled every week | +| 0 | No update in the schedule. | +| 1 (Default) | Update is scheduled every week. | @@ -3149,8 +3185,8 @@ Enables the IT admin to schedule the update installation on the first week of th | Value | Description | |:--|:--| -| 0 (Default) | no update in the schedule | -| 1 | update is scheduled every first week of the month | +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every first week of the month. | @@ -3214,8 +3250,8 @@ Enables the IT admin to schedule the update installation on the fourth week of t | Value | Description | |:--|:--| -| 0 (Default) | no update in the schedule | -| 1 | update is scheduled every fourth week of the month | +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every fourth week of the month. | @@ -3279,8 +3315,8 @@ Enables the IT admin to schedule the update installation on the second week of t | Value | Description | |:--|:--| -| 0 (Default) | no update in the schedule | -| 1 | update is scheduled every second week of the month | +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every second week of the month. | @@ -3344,8 +3380,8 @@ Enables the IT admin to schedule the update installation on the third week of th | Value | Description | |:--|:--| -| 0 (Default) | no update in the schedule | -| 1 | update is scheduled every third week of the month | +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every third week of the month. | @@ -3385,7 +3421,8 @@ Enables the IT admin to schedule the update installation on the third week of th -Note This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. @@ -3466,9 +3503,9 @@ Allows the IT Admin to specify the period for auto-restart imminent warning noti | Value | Description | |:--|:--| -| 15 (Default) | 15 Minutes | -| 30 | 30 Minutes | -| 60 | 60 Minutes | +| 15 (Default) | 15 Minutes. | +| 30 | 30 Minutes. | +| 60 | 60 Minutes. | @@ -3514,7 +3551,7 @@ Specifies the amount of time prior to a scheduled restart to display the warning You can specify the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work. -If you disable or do not configure this policy, the default notification behaviors will be used. +- If you disable or do not configure this policy, the default notification behaviors will be used. @@ -3536,11 +3573,11 @@ If you disable or do not configure this policy, the default notification behavio | Value | Description | |:--|:--| -| 2 | 2 Hours | -| 4 (Default) | 4 Hours | -| 8 | 8 Hours | -| 12 | 12 Hours | -| 24 | 24 Hours | +| 2 | 2 Hours. | +| 4 (Default) | 4 Hours. | +| 8 | 8 Hours. | +| 12 | 12 Hours. | +| 24 | 24 Hours. | @@ -3602,8 +3639,8 @@ Allows the IT Admin to disable auto-restart notifications for update installatio | Value | Description | |:--|:--| -| 0 (Default) | Enabled | -| 1 | Disabled | +| 0 (Default) | Enabled. | +| 1 | Disabled. | @@ -3666,8 +3703,8 @@ Once enabled user access to pause updates is removed. | Value | Description | |:--|:--| -| 1 | Enable | -| 0 (Default) | Disable | +| 1 | Enable. | +| 0 (Default) | Disable. | @@ -3709,7 +3746,7 @@ Once enabled user access to pause updates is removed. This setting allows you to remove access to scan Windows Update. -If you enable this setting user access to Windows Update scan, download and install is removed. +- If you enable this setting user access to Windows Update scan, download and install is removed. @@ -3731,8 +3768,8 @@ If you enable this setting user access to Windows Update scan, download and ins | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -3794,8 +3831,8 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po | Value | Description | |:--|:--| -| 0 (Default) | not configured | -| 1 | configured | +| 0 (Default) | Not configured. | +| 1 | Configured. | @@ -3856,8 +3893,8 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po | Value | Description | |:--|:--| -| 0 | Detect, download and deploy Driver Updates from Windows Update | -| 1 (Default) | Detect, download and deploy Driver Updates from Windows Server Update Services (WSUS) | +| 0 | Detect, download and deploy Driver Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Driver Updates from Windows Server Update Services (WSUS). | @@ -3917,8 +3954,8 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po | Value | Description | |:--|:--| -| 0 | Detect, download and deploy Feature Updates from Windows Update | -| 1 (Default) | Detect, download and deploy Feature Updates from Windows Server Update Services (WSUS) | +| 0 | Detect, download and deploy Feature Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Feature Updates from Windows Server Update Services (WSUS). | @@ -3978,8 +4015,8 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po | Value | Description | |:--|:--| -| 0 | Detect, download and deploy other Updates from Windows Update | -| 1 (Default) | Detect, download and deploy other Updates from Windows Server Update Services (WSUS) | +| 0 | Detect, download and deploy other Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy other Updates from Windows Server Update Services (WSUS). | @@ -4039,8 +4076,8 @@ Enabling this policy for EDU devices that remain on Carts overnight will skip po | Value | Description | |:--|:--| -| 0 | Detect, download and deploy Quality Updates from Windows Update | -| 1 (Default) | Detect, download and deploy Quality Updates from Windows Server Update Services (WSUS) | +| 0 | Detect, download and deploy Quality Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Quality Updates from Windows Server Update Services (WSUS). | @@ -4107,8 +4144,8 @@ This policy setting doesn't impact those customers who have, per Microsoft recom | Value | Description | |:--|:--| -| 0 (Default) | Only use system proxy for detecting updates (default) | -| 1 | Allow user proxy to be used as a fallback if detection using system proxy fails | +| 0 (Default) | Only use system proxy for detecting updates (default). | +| 1 | Allow user proxy to be used as a fallback if detection using system proxy fails. | @@ -4201,15 +4238,15 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp -0 (default) – Use the default Windows Update notifications -1 – Turn off all notifications, excluding restart warnings -2 – Turn off all notifications, including restart warnings +0 (default) - Use the default Windows Update notifications +1 - Turn off all notifications, excluding restart warnings +2 - Turn off all notifications, including restart warnings -This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. +This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. -Important: if you choose not to get update notifications and also define other Group policy so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. +**Important** if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. -If you select “Apply only during active hours” in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting “Turn off auto-restart for updates during active hours” or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once “Specify deadlines for automatic updates and restarts” deadline has been reached if configured, regardless of active hours. +If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. @@ -4231,9 +4268,9 @@ If you select “Apply only during active hours” in conjunction with Option 1 | Value | Description | |:--|:--| -| 0 (Default) | Use the default Windows Update notifications | -| 1 | Turn off all notifications, excluding restart warnings | -| 2 | Turn off all notifications, including restart warnings | +| 0 (Default) | Use the default Windows Update notifications. | +| 1 | Turn off all notifications, excluding restart warnings. | +| 2 | Turn off all notifications, including restart warnings. | @@ -4273,7 +4310,8 @@ If you select “Apply only during active hours” in conjunction with Option 1 -ImportantStarting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace. +> [!IMPORTANT] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace. @@ -4327,7 +4365,10 @@ ImportantStarting in Windows 10, version 1703 this policy is not supported in Wi -Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. **Note**: If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. +Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet + +> [!NOTE] +> If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index c6c6ea7779..3e96dc09de 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,10 +1,10 @@ --- title: UserRights Policy CSP -description: Learn more about the UserRights Area in Policy CSP +description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/08/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -18,7 +18,6 @@ ms.topic: reference - User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as Security Identifiers (SID) or strings. For more information, see [Well-known SID structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). Even though strings are supported for well-known accounts and groups, it's better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. @@ -103,7 +102,6 @@ For example, the following syntax grants user rights to a specific user or group ```xml ``` - @@ -172,9 +170,10 @@ This user right is used by Credential Manager during Backup/Restore. No accounts -This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. +This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right -**Note**: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. +> [!NOTE] +> Remote Desktop Services was called Terminal Services in previous versions of Windows Server. @@ -223,7 +222,7 @@ This user right determines which users and groups are allowed to connect to the -This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. +This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned > [!CAUTION] > Assigning this user right can be a security risk. Only assign this user right to trusted users. @@ -275,9 +274,10 @@ This user right allows a process to impersonate any user without authentication. -This user right determines which users can log on to the computer. +This user right determines which users can log on to the computer -**Note**: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( ) at the Microsoft website. +> [!NOTE] +> Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally ( ) at the Microsoft website. @@ -326,7 +326,7 @@ This user right determines which users can log on to the computer. -This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. +This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the systemTraverse Folder/Execute File, Read > [!CAUTION] > Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users @@ -441,7 +441,6 @@ This user right determines which users and groups can change the time and date o > | Error code | Symbolic name | Error description | Header | > |--------------------|---------------------|------------------------------|------------| > | `0x80070032` (Hex) | ERROR_NOT_SUPPORTED | The request isn't supported. | winerror.h | - @@ -535,7 +534,7 @@ This user right determines which users and groups can change the time zone used -This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. +This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right only to trusted users. @@ -685,12 +684,13 @@ This user right determines which accounts can be used by processes to create a d -This user right determines if the user can create a symbolic link from the computer he is logged on to. +This user right determines if the user can create a symbolic link from the computer he is logged on to > [!CAUTION] -> This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. +> This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them -**Note**: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. +> [!NOTE] +> This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. @@ -739,7 +739,7 @@ This user right determines if the user can create a symbolic link from the compu -This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. +This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System > [!CAUTION] > Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. @@ -791,7 +791,7 @@ This user right determines which accounts can be used by processes to create a t -This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. +This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components > [!CAUTION] > Assigning this user right can be a security risk. Only assign this user right to trusted users. @@ -892,16 +892,15 @@ This user right determines which users are prevented from accessing a computer o -This security setting determines which service accounts are prevented from registering a process as a service. +This security setting determines which service accounts are prevented from registering a process as a service -**Note**: This security setting does not apply to the System, Local Service, or Network Service accounts. +> [!NOTE] +> This security setting does not apply to the System, Local Service, or Network Service accounts. - - - + @@ -1044,7 +1043,7 @@ This user right determines which users and groups are prohibited from logging on -This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. +This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set > [!CAUTION] > Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. @@ -1145,14 +1144,16 @@ This user right determines which accounts can be used by a process to add entrie -Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. +Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels > [!CAUTION] -> Assigning this user right can be a security risk. Only assign this user right to trusted users. +> Assigning this user right can be a security risk. Only assign this user right to trusted users -**Note**: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right. +> [!NOTE] +> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right -**Warning**: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. +> [!WARNING] +> If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. @@ -1201,9 +1202,10 @@ Assigning this user right to a user allows programs running on behalf of that us -Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process’s working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. +Increase a process working set. This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process -**Warning**: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. +> [!WARNING] +> Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. @@ -1262,7 +1264,6 @@ This user right determines which accounts can use a process with Write Property > If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers won't function correctly. In particular, the INK workspace doesn't function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 or later and that use the Intel GFX driver. > > On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. - @@ -1307,7 +1308,7 @@ This user right determines which accounts can use a process with Write Property -This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. +This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users > [!CAUTION] > Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. @@ -1604,9 +1605,10 @@ This user right determines which users and groups can run maintenance tasks on a -This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. +This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows -**Note**: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. +> [!NOTE] +> This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. @@ -1900,7 +1902,7 @@ This security setting determines which user accounts can call the CreateProcessA -This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. +This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the systemTraverse Folder/Execute File, Write > [!CAUTION] > Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. @@ -2001,7 +2003,7 @@ This security setting determines which users who are logged on locally to the co -This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. +This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads > [!CAUTION] > Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index 1da9f8bae4..055490b65d 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -1,10 +1,10 @@ --- title: VirtualizationBasedTechnology Policy CSP -description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP +description: Learn more about the VirtualizationBasedTechnology Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -123,8 +123,8 @@ Require UEFI Memory Attributes Table | Value | Description | |:--|:--| -| 0 (Default) | Do not require UEFI Memory Attributes Table | -| 1 | Require UEFI Memory Attributes Table | +| 0 (Default) | Do not require UEFI Memory Attributes Table. | +| 1 | Require UEFI Memory Attributes Table. | diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index b7c56f1f8f..2862cf0565 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -1,10 +1,10 @@ --- title: WebThreatDefense Policy CSP -description: Learn more about the WebThreatDefense Area in Policy CSP +description: Learn more about the WebThreatDefense Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -61,8 +61,8 @@ Configures Enhanced Phishing Protection notifications to allow to capture the su | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled | +| 0 | Disabled. | +| 1 (Default) | Enabled. | @@ -99,9 +99,9 @@ Configures Enhanced Phishing Protection notifications to allow to capture the su This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a Microsoft login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a Microsoft login URL with an invalid certificate. -If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. -If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn your users if they type their work or school password into one of the malicious scenarios described above. +- If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn your users if they type their work or school password into one of the malicious scenarios described above. @@ -123,8 +123,8 @@ If you disable or don’t configure this policy setting, Enhanced Phishing Prote | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -166,9 +166,9 @@ If you disable or don’t configure this policy setting, Enhanced Phishing Prote This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they reuse their work or school password. -If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it. +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns users if they reuse their work or school password and encourages them to change it. -If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they reuse their work or school password. +- If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they reuse their work or school password. @@ -190,8 +190,8 @@ If you disable or don’t configure this policy setting, Enhanced Phishing Prote | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -233,9 +233,9 @@ If you disable or don’t configure this policy setting, Enhanced Phishing Prote This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc. -If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps. +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps. -If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps. +- If you disable or don't configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps. @@ -257,8 +257,8 @@ If you disable or don’t configure this policy setting, Enhanced Phishing Prote | Value | Description | |:--|:--| -| 0 (Default) | Disabled | -| 1 | Enabled | +| 0 (Default) | Disabled. | +| 1 | Enabled. | @@ -300,11 +300,11 @@ If you disable or don’t configure this policy setting, Enhanced Phishing Prote This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen is in audit mode or off. Users do not see notifications for any protection scenarios when Enhanced Phishing Protection in Microsoft Defender is in audit mode. Audit mode captures unsafe password entry events and sends telemetry through Microsoft Defender. -If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off. +- If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is enabled in audit mode and your users are unable to turn it off. -If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it will not capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. +- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it will not capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. -If you don’t configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. +- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen. @@ -326,8 +326,8 @@ If you don’t configure this setting, users can decide whether or not they will | Value | Description | |:--|:--| -| 0 | Disabled | -| 1 (Default) | Enabled | +| 0 | Disabled. | +| 1 (Default) | Enabled. | diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5ff30f8fd7..62d4b45e2a 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,10 +1,10 @@ --- title: Wifi Policy CSP -description: Learn more about the Wifi Area in Policy CSP +description: Learn more about the Wifi Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -45,9 +45,9 @@ This policy setting determines whether users can enable the following WLAN setti "Enable paid services" enables Windows to temporarily connect to open hotspots to determine if paid services are available. -If this policy setting is disabled, both "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services" will be turned off and users on this device will be prevented from enabling them. +- If this policy setting is disabled, both "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services" will be turned off and users on this device will be prevented from enabling them. -If this policy setting is not configured or is enabled, users can choose to enable or disable either "Connect to suggested open hotspots" or "Connect to networks shared by my contacts". +- If this policy setting is not configured or is enabled, users can choose to enable or disable either "Connect to suggested open hotspots" or "Connect to networks shared by my contacts". @@ -114,19 +114,23 @@ Determines whether administrators can enable and configure the Internet Connecti ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. -If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. +- If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. -If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) +- If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. -Note: Internet Connection Sharing is only available when two or more network connections are present. +> [!NOTE] +> Internet Connection Sharing is only available when two or more network connections are present. -Note: When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. -Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. +> [!NOTE] +> Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. -Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. +> [!NOTE] +> Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. @@ -189,7 +193,10 @@ Note: Disabling this setting does not prevent Wireless Hosted Networking from us -Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0. **Note**: Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. +Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Most restricted value is 0 + +> [!NOTE] +> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 0d01446a54..1780b6b35e 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -1,10 +1,10 @@ --- title: WindowsAutopilot Policy CSP -description: Learn more about the WindowsAutopilot Area in Policy CSP +description: Learn more about the WindowsAutopilot Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -59,8 +59,8 @@ Specifies whether to check for Windows Autopilot updates after enrollment. Most | Value | Description | |:--|:--| -| 0 (Default) | Not enabled | -| 1 | Enabled | +| 0 (Default) | Not enabled. | +| 1 | Enabled. | diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 93a5f796b3..3b51c6bc44 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -1,10 +1,10 @@ --- title: WindowsConnectionManager Policy CSP -description: Learn more about the WindowsConnectionManager Area in Policy CSP +description: Learn more about the WindowsConnectionManager Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - WindowsConnectionManager > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,7 +44,7 @@ ms.topic: reference This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. -If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: +- If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: Automatic connection attempts - When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked. @@ -56,7 +54,7 @@ Manual connection attempts - When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. - When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. -If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. +- If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. @@ -74,7 +72,7 @@ If this policy setting is not configured or is disabled, computers are allowed t > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 9aace46fee..020c169b11 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1,10 +1,10 @@ --- title: WindowsDefenderSecurityCenter Policy CSP -description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP +description: Learn more about the WindowsDefenderSecurityCenter Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -37,7 +37,8 @@ ms.topic: reference -The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. +The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -266,7 +267,7 @@ Same as Disabled. | Value | Description | |:--|:--| | 0 (Default) | (Disabled or not configured) The security processor troubleshooting page shows a button that initiates the process to clear the security processor (TPM). | -| 1 | (Enabled) The security processor troubleshooting page will not show a button to initiate the process to clear the security processor (TPM) | +| 1 | (Enabled) The security processor troubleshooting page will not show a button to initiate the process to clear the security processor (TPM). | @@ -956,7 +957,8 @@ Same as Disabled. -The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. +The email address that is displayed to users. The default mail application is used to initiate email actions. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace and Delete. @@ -1046,7 +1048,7 @@ Same as Disabled. | Value | Description | |:--|:--| -| 0 (Default) | notification text. | +| 0 (Default) | Notification text. | | 1 | (Enable) Notifications contain the company name and contact options. | @@ -1413,8 +1415,8 @@ Same as Disabled. | Value | Description | |:--|:--| -| 0 (Default) | | -| 1 | Enabled | +| 0 (Default) | . | +| 1 | Enabled. | @@ -1454,7 +1456,8 @@ Same as Disabled. -The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. +The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options. Value type is string. Supported operations are Add, Get, Replace, and Delete. @@ -1507,7 +1510,8 @@ The phone number or Skype ID that is displayed to users.  Skype is used to init -The help portal URL this is displayed to users.  The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. +The help portal URL this is displayed to users. The default browser is used to initiate this action. +- If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options. Value type is Value type is string. Supported operations are Add, Get, Replace, and Delete. diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 3d1e96e1ef..c2a2419ae6 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,10 +1,10 @@ --- title: WindowsInkWorkspace Policy CSP -description: Learn more about the WindowsInkWorkspace Area in Policy CSP +description: Learn more about the WindowsInkWorkspace Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -122,9 +122,9 @@ Specifies whether to allow the user to access the ink workspace. | Value | Description | |:--|:--| -| 0 | access to ink workspace is disabled. The feature is turned off. | -| 1 | ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. | -| 2 (Default) | ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. | +| 0 | Access to ink workspace is disabled. The feature is turned off. | +| 1 | Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. | +| 2 (Default) | Ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. | diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 15d68c57a4..51b6c8cc5e 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -1,10 +1,10 @@ --- title: WindowsLogon Policy CSP -description: Learn more about the WindowsLogon Area in Policy CSP +description: Learn more about the WindowsLogon Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/09/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - WindowsLogon > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -46,15 +44,15 @@ ms.topic: reference This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. -This only occurs if the last interactive user didn’t sign out before the restart or shutdown.​ +This only occurs if the last interactive user didn't sign out before the restart or shutdown. -If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.​ +If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns. -If you don’t configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​ +- If you don't configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots. -After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​. +After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot . -If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts. +- If you disable this policy setting, the device does not configure automatic sign in. The user's lock screen apps are not restarted after the system restarts. @@ -72,13 +70,13 @@ If you disable this policy setting, the device does not configure automatic sign > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | AutomaticRestartSignOnDescription | +| Name | AutomaticRestartSignOn | | Friendly Name | Sign-in and lock last interactive user automatically after a restart | | Location | Computer Configuration | | Path | Windows Components > Windows Logon Options | @@ -110,17 +108,18 @@ If you disable this policy setting, the device does not configure automatic sign -This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. +This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign on will not occur and this policy does not need to be configured. -If you enable this policy setting, you can choose one of the following two options: +- If you enable this policy setting, you can choose one of the following two options: -1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. +1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if: -- The device doesn’t have TPM 2.0 and PCR7, or -- The device doesn’t use a TPM-only protector -2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. +- The device doesn't have TPM 2.0 and PCR7, or +- The device doesn't use a TPM-only protector -If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior. +2. "Always Enabled" specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. + +- If you disable or don't configure this setting, automatic sign on will default to the "Enabled if BitLocker is on and not suspended" behavior. @@ -138,13 +137,13 @@ If you disable or don’t configure this setting, automatic sign on will default > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ConfigAutomaticRestartSignOnDescription | +| Name | ConfigAutomaticRestartSignOn | | Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot | | Location | Computer Configuration | | Path | Windows Components > Windows Logon Options | @@ -177,9 +176,9 @@ If you disable or don’t configure this setting, automatic sign on will default This policy setting allows you to prevent app notifications from appearing on the lock screen. -If you enable this policy setting, no app notifications are displayed on the lock screen. +- If you enable this policy setting, no app notifications are displayed on the lock screen. -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. +- If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. @@ -197,7 +196,7 @@ If you disable or do not configure this policy setting, users can choose which a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -237,9 +236,9 @@ If you disable or do not configure this policy setting, users can choose which a This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. +- If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. -If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. +- If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. @@ -257,7 +256,7 @@ If you disable or don't configure this policy setting, any user can disconnect t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -323,13 +322,14 @@ Here's an example to enable this policy: This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. +- If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. +- If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. +- If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. +> [!NOTE] +> The first sign-in animation will not be shown on Server, so this policy will have no effect. @@ -394,9 +394,9 @@ Note: The first sign-in animation will not be shown on Server, so this policy wi This policy controls the configuration under which winlogon sends MPR notifications in the system. -If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. +- If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. -If you disable this setting, winlogon does not send MPR notifications. +- If you disable this setting, winlogon does not send MPR notifications. @@ -414,7 +414,7 @@ If you disable this setting, winlogon does not send MPR notifications. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -454,9 +454,9 @@ If you disable this setting, winlogon does not send MPR notifications. This policy setting allows local users to be enumerated on domain-joined computers. -If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. +- If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. -If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. +- If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. @@ -474,7 +474,7 @@ If you disable or do not configure this policy setting, the Logon UI will not en > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -514,11 +514,11 @@ If you disable or do not configure this policy setting, the Logon UI will not en This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. -If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. +- If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. -If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. +- If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. @@ -588,7 +588,7 @@ The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell does not have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. -If you disable or do not configure this policy setting, then the default shell will be launched. +- If you disable or do not configure this policy setting, then the default shell will be launched. @@ -611,8 +611,8 @@ If you disable or do not configure this policy setting, then the default shell w | Value | Description | |:--|:--| -| 0 (Default) | Not Configured | -| 1 | Apply Lightweight shell | +| 0 (Default) | Not Configured. | +| 1 | Apply Lightweight shell. | diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 8de42485a9..7547dce65b 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,10 +1,10 @@ --- title: WindowsPowerShell Policy CSP -description: Learn more about the WindowsPowerShell Area in Policy CSP +description: Learn more about the WindowsPowerShell Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - WindowsPowerShell > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -48,15 +46,17 @@ ms.topic: reference -This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, +This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. +- If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. -If you disable this policy setting, logging of PowerShell script input is disabled. +- If you disable this policy setting, logging of PowerShell script input is disabled. If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. -Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. @@ -73,6 +73,9 @@ Note: This policy setting exists under both Computer Configuration and User Conf +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + **ADMX mapping**: | Name | Value | diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index aa8978ec78..9dcfc90191 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -1,10 +1,10 @@ --- title: WindowsSandbox Policy CSP -description: Learn more about the WindowsSandbox Area in Policy CSP +description: Learn more about the WindowsSandbox Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -39,13 +39,13 @@ ms.topic: reference This policy setting enables or disables audio input to the Sandbox. -If you enable this policy setting, Windows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting. +- If you enable this policy setting, Windows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting. -If you disable this policy setting, Windows Sandbox will not be able to receive audio input from the user. Applications using a microphone may not function properly with this setting. +- If you disable this policy setting, Windows Sandbox will not be able to receive audio input from the user. Applications using a microphone may not function properly with this setting. -If you do not configure this policy setting, audio input will be enabled. +- If you do not configure this policy setting, audio input will be enabled. -Note that there may be security implications of exposing host audio input to the container. +**Note** that there may be security implications of exposing host audio input to the container. @@ -104,11 +104,11 @@ Note that there may be security implications of exposing host audio input to the This policy setting enables or disables clipboard sharing with the sandbox. -If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted. +- If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted. -If you disable this policy setting, copy and paste in and out of Sandbox will be restricted. +- If you disable this policy setting, copy and paste in and out of Sandbox will be restricted. -If you do not configure this policy setting, clipboard sharing will be enabled. +- If you do not configure this policy setting, clipboard sharing will be enabled. @@ -167,13 +167,13 @@ If you do not configure this policy setting, clipboard sharing will be enabled. This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. -If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtual NIC. +- If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtual NIC. -If you disable this policy setting, networking is disabled in Windows Sandbox. +- If you disable this policy setting, networking is disabled in Windows Sandbox. -If you do not configure this policy setting, networking will be enabled. +- If you do not configure this policy setting, networking will be enabled. -Note that enabling networking can expose untrusted applications to the internal network. +**Note** that enabling networking can expose untrusted applications to the internal network. @@ -232,11 +232,11 @@ Note that enabling networking can expose untrusted applications to the internal This policy setting enables or disables printer sharing from the host into the Sandbox. -If you enable this policy setting, host printers will be shared into Windows Sandbox. +- If you enable this policy setting, host printers will be shared into Windows Sandbox. -If you disable this policy setting, Windows Sandbox will not be able to view printers from the host. +- If you disable this policy setting, Windows Sandbox will not be able to view printers from the host. -If you do not configure this policy setting, printer redirection will be disabled. +- If you do not configure this policy setting, printer redirection will be disabled. @@ -295,13 +295,13 @@ If you do not configure this policy setting, printer redirection will be disable This policy setting is to enable or disable the virtualized GPU. -If you enable this policy setting, vGPU will be supported in the Windows Sandbox. +- If you enable this policy setting, vGPU will be supported in the Windows Sandbox. -If you disable this policy setting, Windows Sandbox will use software rendering, which can be slower than virtualized GPU. +- If you disable this policy setting, Windows Sandbox will use software rendering, which can be slower than virtualized GPU. -If you do not configure this policy setting, vGPU will be enabled. +- If you do not configure this policy setting, vGPU will be enabled. -Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox. +**Note** that enabling virtualized GPU can potentially increase the attack surface of the sandbox. @@ -360,13 +360,13 @@ Note that enabling virtualized GPU can potentially increase the attack surface o This policy setting enables or disables video input to the Sandbox. -If you enable this policy setting, video input is enabled in Windows Sandbox. +- If you enable this policy setting, video input is enabled in Windows Sandbox. -If you disable this policy setting, video input is disabled in Windows Sandbox. Applications using video input may not function properly in Windows Sandbox. +- If you disable this policy setting, video input is disabled in Windows Sandbox. Applications using video input may not function properly in Windows Sandbox. -If you do not configure this policy setting, video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. +- If you do not configure this policy setting, video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. -Note that there may be security implications of exposing host video input to the container. +**Note** that there may be security implications of exposing host video input to the container. diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 7e12e9fd78..2bfc6d28b5 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,10 +1,10 @@ --- title: WirelessDisplay Policy CSP -description: Learn more about the WirelessDisplay Area in Policy CSP +description: Learn more about the WirelessDisplay Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/07/2022 +ms.date: 01/09/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -135,7 +135,9 @@ This policy setting allows you to turn off discovering the display service adver -This policy setting allows you to disable the infrastructure movement detection feature. If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. +This policy setting allows you to disable the infrastructure movement detection feature. +If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. +If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. @@ -184,7 +186,9 @@ This policy setting allows you to disable the infrastructure movement detection -This policy setting allows a PC acting as a Wireless Display receiver to be a TCP server for the TCP session carrying the projection stream to the receiver. If you set it to 0, your PC receiver will start the outbound connection as a TCP client. If you set it to 1, your PC may receive the incoming projection as a TCP server. +This policy setting allows a PC acting as a Wireless Display receiver to be a TCP server for the TCP session carrying the projection stream to the receiver. +If you set it to 0, your PC receiver will start the outbound connection as a TCP client. +If you set it to 1, your PC may receive the incoming projection as a TCP server. @@ -233,7 +237,9 @@ This policy setting allows a PC acting as a Wireless Display receiver to be a TC -This policy setting allows a PC acting as a Wireless Display sender to be a TCP client for the TCP session carrying the projection stream to the receiver. If you set it to 0, your PC will only participate in an outgoing projection as a TCP server. If you set it to 1, your PC may start an outgoing projection as a TCP client. +This policy setting allows a PC acting as a Wireless Display sender to be a TCP client for the TCP session carrying the projection stream to the receiver. +If you set it to 0, your PC will only participate in an outgoing projection as a TCP server. +If you set it to 1, your PC may start an outgoing projection as a TCP client. @@ -282,7 +288,9 @@ This policy setting allows a PC acting as a Wireless Display sender to be a TCP -This policy allows you to turn off projection from a PC. If you set it to 0, your PC cannot discover or project to other devices. If you set it to 1, your PC can discover and project to other devices. +This policy allows you to turn off projection from a PC. +If you set it to 0, your PC cannot discover or project to other devices. +If you set it to 1, your PC can discover and project to other devices. @@ -331,7 +339,9 @@ This policy allows you to turn off projection from a PC. If you set it to 0, you -This policy allows you to turn off projection from a PC over infrastructure. If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. If you set it to 1, your PC can discover and project to other devices over infrastructure. +This policy allows you to turn off projection from a PC over infrastructure. +If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. +If you set it to 1, your PC can discover and project to other devices over infrastructure. @@ -382,12 +392,8 @@ This policy allows you to turn off projection from a PC over infrastructure. If This policy setting allows you to turn off projection to a PC. - - If you turn it on, your PC isn't discoverable and can't be projected to except if the user manually launches the Wireless Display app. - - If you turn it off or don't configure it, your PC is discoverable and can be projected to above lock screen only. The user has an option to turn it always on or off except for manual launch, too. @@ -451,7 +457,9 @@ If you turn it off or don't configure it, your PC is discoverable and can be pro -This policy setting allows you to turn off projection to a PC over infrastructure. If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. +This policy setting allows you to turn off projection to a PC over infrastructure. +If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. +If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. @@ -500,7 +508,7 @@ This policy setting allows you to turn off projection to a PC over infrastructur -Setting this policy controls whether or not the wireless display can send input—keyboard, mouse, pen, and touch input if the display supports it—back to the source device. +Setting this policy controls whether or not the wireless display can send input-keyboard, mouse, pen, and touch input if the display supports it-back to the source device. @@ -578,8 +586,8 @@ If you set this to 'Always', all pairings will require PIN. | Value | Description | |:--|:--| | 0 (Default) | PIN is not required. | -| 1 | Pairing ceremony for new devices will always require a PIN | -| 2 | All pairings will require PIN | +| 1 | Pairing ceremony for new devices will always require a PIN. | +| 2 | All pairings will require PIN. | diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 28a7e49547..919e4cac79 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -118,6 +118,10 @@ items: href: policy-csp-admx-digitallocker.md - name: ADMX_DiskDiagnostic href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DiskNVCache + href: policy-csp-admx-disknvcache.md + - name: ADMX_DiskQuota + href: policy-csp-admx-diskquota.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -156,7 +160,7 @@ items: href: policy-csp-admx-folderredirection.md - name: ADMX_FramePanes href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC + - name: ADMX_fthsvc href: policy-csp-admx-fthsvc.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md @@ -166,7 +170,7 @@ items: href: policy-csp-admx-help.md - name: ADMX_HelpAndSupport href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth + - name: ADMX_hotspotauth href: policy-csp-admx-hotspotauth.md - name: ADMX_ICM href: policy-csp-admx-icm.md @@ -242,8 +246,12 @@ items: href: policy-csp-admx-printing2.md - name: ADMX_Programs href: policy-csp-admx-programs.md + - name: ADMX_PushToInstall + href: policy-csp-admx-pushtoinstall.md - name: ADMX_QOS href: policy-csp-admx-qos.md + - name: ADMX_Radar + href: policy-csp-admx-radar.md - name: ADMX_Reliability href: policy-csp-admx-reliability.md - name: ADMX_RemoteAssistance @@ -280,6 +288,10 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md + - name: ADMX_SoundRec + href: policy-csp-admx-soundrec.md + - name: ADMX_srmfci + href: policy-csp-admx-srmfci.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore @@ -312,6 +324,8 @@ items: href: policy-csp-admx-wdi.md - name: ADMX_WinCal href: policy-csp-admx-wincal.md + - name: ADMX_WindowsColorSystem + href: policy-csp-admx-windowscolorsystem.md - name: ADMX_WindowsConnectNow href: policy-csp-admx-windowsconnectnow.md - name: ADMX_WindowsExplorer @@ -328,6 +342,8 @@ items: href: policy-csp-admx-wininit.md - name: ADMX_WinLogon href: policy-csp-admx-winlogon.md + - name: ADMX_Winsrv + href: policy-csp-admx-winsrv.md - name: ADMX_wlansvc href: policy-csp-admx-wlansvc.md - name: ADMX_WordWheel @@ -336,8 +352,6 @@ items: href: policy-csp-admx-workfoldersclient.md - name: ADMX_WPN href: policy-csp-admx-wpn.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - name: ApplicationDefaults href: policy-csp-applicationdefaults.md - name: ApplicationManagement @@ -354,7 +368,7 @@ items: href: policy-csp-authentication.md - name: Autoplay href: policy-csp-autoplay.md - - name: BitLocker + - name: Bitlocker href: policy-csp-bitlocker.md - name: BITS href: policy-csp-bits.md @@ -406,7 +420,7 @@ items: href: policy-csp-display.md - name: DmaGuard href: policy-csp-dmaguard.md - - name: EAP + - name: Eap href: policy-csp-eap.md - name: Education href: policy-csp-education.md @@ -420,7 +434,7 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md - - name: Federated Authentication + - name: FederatedAuthentication href: policy-csp-federatedauthentication.md - name: Feeds href: policy-csp-feeds.md From b84cde52c4692ddfa2eaea6ae215dd1df8863ee3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 9 Jan 2023 17:59:17 -0500 Subject: [PATCH 126/152] Update supporting articles --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 2 +- .../mdm/policies-in-policy-csp-supported-by-group-policy.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 83951a7148..d11de25447 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1,6 +1,6 @@ --- title: ADMX-backed policies in Policy CSP -description: Learn about the ADMX-backed policies in Policy CSP.. +description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 7deb3ca9d1..cbca4a74cd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,6 +1,6 @@ --- title: Policies in Policy CSP supported by Group Policy -description: Learn about the policies in Policy CSP supported by Group Policy.. +description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa From dc6110f03fc407dd018555e7d9125b28daca5878 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 9 Jan 2023 18:39:10 -0500 Subject: [PATCH 127/152] Fix broken links in supporting articles --- .../change-history-for-mdm-documentation.md | 10 +- .../enable-admx-backed-policies-in-mdm.md | 2 +- ...-in-your-organization-modern-management.md | 7 +- ...ed-by-hololens-1st-gen-commercial-suite.md | 90 +++---- ...by-hololens-1st-gen-development-edition.md | 86 +++---- ...es-in-policy-csp-supported-by-hololens2.md | 238 +++++++++--------- ...ies-in-policy-csp-supported-by-iot-core.md | 104 ++++---- ...-in-policy-csp-supported-by-surface-hub.md | 107 ++++---- ...in-policy-csp-that-can-be-set-using-eas.md | 42 ++-- .../mdm/policy-csp-devicehealthmonitoring.md | 6 +- .../mdm/policy-csp-localusersandgroups.md | 51 ++-- 11 files changed, 361 insertions(+), 382 deletions(-) diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md index 899c2dc399..327fe626a7 100644 --- a/windows/client-management/change-history-for-mdm-documentation.md +++ b/windows/client-management/change-history-for-mdm-documentation.md @@ -3,7 +3,7 @@ title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. author: vinaypamnani-msft ms.author: vinpa -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article ms.prod: windows-client @@ -20,14 +20,14 @@ As of November 2020 This page will no longer be updated. This article lists new |New or updated article | Description| |--- | ---| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
    - [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policy:
    - [Multitasking/BrowserAltTabBlowout](mdm/policy-csp-multitasking.md#browseralttabblowout) | | [SurfaceHub CSP](mdm/surfacehub-csp.md) | Added the following new node:
    -Properties/SleepMode | ## October 2020 |New or updated article | Description| |--- | ---| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
    - [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#experience-disablecloudoptimizedcontent)
    - [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#localusersandgroups-configure)
    - [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
    - [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
    - [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
    - [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#mixedreality-microphonedisabled)
    - [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
    - [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#update-disablewufbsafeguards)
    - [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
    - [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
    - [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#windowssandbox-allownetworking)
    - [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
    - [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
    - [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following new policies
    - [Experience/DisableCloudOptimizedContent](mdm/policy-csp-experience.md#disablecloudoptimizedcontent)
    - [LocalUsersAndGroups/Configure](mdm/policy-csp-localusersandgroups.md#configure)
    - [MixedReality/AADGroupMembershipCacheValidityInDays](mdm/policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
    - [MixedReality/BrightnessButtonDisabled](mdm/policy-csp-mixedreality.md#brightnessbuttondisabled)
    - [MixedReality/FallbackDiagnostics](mdm/policy-csp-mixedreality.md#fallbackdiagnostics)
    - [MixedReality/MicrophoneDisabled](mdm/policy-csp-mixedreality.md#microphonedisabled)
    - [MixedReality/VolumeButtonDisabled](mdm/policy-csp-mixedreality.md#volumebuttondisabled)
    - [Update/DisableWUfBSafeguards](mdm/policy-csp-update.md#disablewufbsafeguards)
    - [WindowsSandbox/AllowAudioInput](mdm/policy-csp-windowssandbox.md#allowaudioinput)
    - [WindowsSandbox/AllowClipboardRedirection](mdm/policy-csp-windowssandbox.md#allowclipboardredirection)
    - [WindowsSandbox/AllowNetworking](mdm/policy-csp-windowssandbox.md#allownetworking)
    - [WindowsSandbox/AllowPrinterRedirection](mdm/policy-csp-windowssandbox.md#allowprinterredirection)
    - [WindowsSandbox/AllowVGPU](mdm/policy-csp-windowssandbox.md#allowvgpu)
    - [WindowsSandbox/AllowVideoInput](mdm/policy-csp-windowssandbox.md#allowvideoinput) | ## September 2020 @@ -46,7 +46,7 @@ As of November 2020 This page will no longer be updated. This article lists new |New or updated article | Description| |--- | ---| -|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings:
    - System/AllowDesktopAnalyticsProcessing
    - System/AllowMicrosoftManagedDesktopProcessing
    - System/AllowUpdateComplianceProcessing
    - System/AllowWUfBCloudProcessing


    Updated the following policy setting:
    - System/AllowCommercialDataPipeline
    | +|[Policy CSP - System](mdm/policy-csp-system.md)|Added the following new policy settings:
    - System/AllowDesktopAnalyticsProcessing
    - System/AllowMicrosoftManagedDesktopProcessing
    - System/AllowUpdateComplianceProcessing
    - System/AllowWUfBCloudProcessing


    Updated the following policy setting:
    - System/AllowCommercialDataPipeline
    | ## June 2020 @@ -239,7 +239,7 @@ As of November 2020 This page will no longer be updated. This article lists new |[AccountManagement CSP](mdm/accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.| |[RootCATrustedCertificates CSP](mdm/rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:
  3. UntrustedCertificates| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  4. ApplicationDefaults/EnableAppUriHandlers
  5. ApplicationManagement/MSIAllowUserControlOverInstall
  6. ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
  7. Connectivity/AllowPhonePCLinking
  8. Notifications/DisallowCloudNotification
  9. Notifications/DisallowTileNotification
  10. RestrictedGroups/ConfigureGroupMembership

    The following existing policies were updated:
  11. Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.
  12. InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
  13. TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

    Added a new section:
  14. [[Policies in Policy CSP supported by Group Policy](mdm/policies-in-policy-csp-supported-by-group-policy.md) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| -|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#servicesallowedlist-usage-guide).| +|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#usage-guide).| |[MultiSIM CSP](mdm/multisim-csp.md)|Added SyncML examples and updated the settings descriptions.| |[RemoteWipe CSP](mdm/remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.| diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index ce77a2e025..67353c881b 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ 2. Find the variable names of the parameters in the ADMX file. - You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2). + You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 466a326260..37aae00014 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.date: 06/03/2022 author: vinaypamnani-msft ms.author: vinpa -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: overview ms.technology: itpro-manage @@ -30,11 +30,8 @@ This six-minute video demonstrates how users can bring in a new retail device an This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning) - - [Identity and Authentication](#identity-and-authentication) - - [Configuration](#settings-and-configuration) - - [Updating and Servicing](#updating-and-servicing) ## Reviewing the management options with Windows 10 @@ -121,7 +118,7 @@ There are various steps you can take to begin the process of modernizing device **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). +**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md index 5b7486628f..0bdb057669 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,50 +14,50 @@ ms.date: 09/17/2019 # Policies in Policy CSP supported by HoloLens (first gen) Commercial Suite -- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) -- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname) -- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) -- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill) -- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) -- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) -- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) -- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) -- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) -- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) -- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) -- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) -- [System/AllowLocation](policy-csp-system.md#system-allowlocation) -- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) -- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) -- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval) -- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) -- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) -- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect) +- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname) +- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#allowadvertising) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) +- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength) +- [Experience/AllowCortana](policy-csp-experience.md#allowcortana) +- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) +- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption) +- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#allowvpn) +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate) +- [System/AllowLocation](policy-csp-system.md#allowlocation) +- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice) +- [Update/RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade) +- [Update/RequireUpdateApproval](policy-csp-update.md#requireupdateapproval) +- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime) +- [Update/UpdateServiceUrl](policy-csp-update.md#updateserviceurl) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration) ## Related topics diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md index eebc6a88cf..d610e84f01 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,48 +14,48 @@ ms.date: 07/18/2019 # Policies in Policy CSP supported by HoloLens (first gen) Development Edition -- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) -- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) -- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) -- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) -- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) -- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) -- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) -- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) -- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) -- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) -- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) -- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) -- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) -- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) -- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) -- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [System/AllowLocation](policy-csp-system.md#system-allowlocation) -- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) -- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) -- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval) -- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) -- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) -- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) -- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade) -- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect) +- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#allowadvertising) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled) +- [Experience/AllowCortana](policy-csp-experience.md#allowcortana) +- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) +- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption) +- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#allowvpn) +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate) +- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [System/AllowLocation](policy-csp-system.md#allowlocation) +- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice) +- [Update/RequireUpdateApproval](policy-csp-update.md#requireupdateapproval) +- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime) +- [Update/UpdateServiceUrl](policy-csp-update.md#updateserviceurl) +- [Update/RequireDeferUpgrade](policy-csp-update.md#requiredeferupgrade) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration) ## Related topics diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 00aeb772d0..a4c22104bd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by HoloLens 2 description: Learn about the policies in Policy CSP supported by HoloLens 2. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,125 +14,125 @@ ms.date: 08/01/2022 # Policies in Policy CSP supported by HoloLens 2 -- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) -- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) -- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname) -- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) -- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill) -- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) -- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) -- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) -- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) -- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) -- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) -- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 -- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) 12 -- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10 -- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 -- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 -- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) -- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) 12 -- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) 12 -- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 -- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 -- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) -- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 -- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) 12 -- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) 12 -- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) 12 -- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 -- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9 -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9 -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9 -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 -- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) Insider -- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) -- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) -- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) -- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps) -- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception) -- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps) -- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps) -- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps) -- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8 -- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8 -- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8 -- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8 -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8 -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8 -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8 -- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera) -- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation) -- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone) -- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 -- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 -- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect) +- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) +- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength) +- [Experience/AllowCortana](policy-csp-experience.md#allowcortana) +- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment) +- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) +- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) 9 +- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalpeforelogon) 12 +- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)10 +- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#autologonuser) 11 +- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#brightnessbuttondisabled) 9 +- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) +- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12 +- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disablesisallownetworkconnectivitypassivepolling) 12 +- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9 +- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9 +- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) +- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9 +- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12 +- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#skipcalibrationduringsetup) 12 +- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12 +- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10 +- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9 +- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) +- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider +- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo) +- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo-forceallowtheseapps) +- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo-forcedenytheseapps) +- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo-userincontroloftheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#letappsaccessbackgroundspatialperception) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception-forceallowtheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception-forcedenytheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception-userincontroloftheseapps) +- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#letappsaccessgazeinput) 8 +- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera) +- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation) +- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone) +- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone-userincontroloftheseapps) 8 - [RemoteLock/Lock](./remotelock-csp.md) 9 -- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9 -- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9 -- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) -- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) -- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 -- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) -- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) 12 -- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) 12 -- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) 12 -- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) 12 -- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) 12 -- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) -- [System/AllowLocation](policy-csp-system.md#system-allowlocation) -- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) -- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9 -- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9 -- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9 -- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 -- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) -- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 11 -- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 11 -- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) -- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 11 -- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 11 -- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 11 -- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 11 -- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays) -- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds) -- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates) -- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) -- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) -- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 11 -- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 11 -- [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess) -- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 11 -- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) -- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8 +- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation) +- [Security/AllowAddProvisioningPackage](policy-csp-security.md#allowaddprovisioningpackage) 9 +- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#allowremoveprovisioningpackage) 9 +- [Settings/AllowDateTime](policy-csp-settings.md#allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#allowvpn) +- [Settings/PageVisibilityList](./policy-csp-settings.md#pagevisibilitylist) 9 +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#allowspeechmodelupdate) +- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#allowstoragesenseglobal) 12 +- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#allowstoragesensetemporaryfilescleanup) 12 +- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12 +- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12 +- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12 +- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline) +- [System/AllowLocation](policy-csp-system.md#allowlocation) +- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard) +- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9 +- [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9 +- [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9 +- [Update/ActiveHoursStart](./policy-csp-update.md#activehoursstart) 9 +- [Update/AllowAutoUpdate](policy-csp-update.md#allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#allowupdateservice) +- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#autorestartnotificationschedule) 11 +- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#autorestartrequirednotificationdismissal) 11 +- [Update/BranchReadinessLevel](policy-csp-update.md#branchreadinesslevel) +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) 11 +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) 11 +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) 11 +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) 11 +- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#deferqualityupdatesperiodindays) +- [Update/ManagePreviewBuilds](policy-csp-update.md#managepreviewbuilds) +- [Update/PauseFeatureUpdates](policy-csp-update.md#pausefeatureupdates) +- [Update/PauseQualityUpdates](policy-csp-update.md#pausequalityupdates) +- [Update/ScheduledInstallDay](policy-csp-update.md#scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#scheduledinstalltime) +- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#scheduleimminentrestartwarning) 11 +- [Update/ScheduleRestartWarning](policy-csp-update.md#schedulerestartwarning) 11 +- [Update/SetDisablePauseUXAccess](policy-csp-update.md#setdisablepauseuxaccess) +- [Update/UpdateNotificationLevel](policy-csp-update.md#updatenotificationlevel) 11 +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration) +- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) 8 Footnotes: diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index 3e333af7f9..ade224d1ce 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by Windows 10 IoT Core description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,57 +14,57 @@ ms.date: 09/16/2019 # Policies in Policy CSP supported by Windows 10 IoT Core -- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) -- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) -- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess) -- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) -- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview) -- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) -- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource) -- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) -- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) -- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) -- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) -- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) -- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated) -- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated) -- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated) -- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) -- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) -- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) -- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) -- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring) -- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope) -- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) -- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice) -- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock) -- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) -- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) -- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) -- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) -- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) -- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) -- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode) +- [Camera/AllowCamera](policy-csp-camera.md#allowcamera) +- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui) +- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#allowpinlogon) +- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#blockpicturepassword) +- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#allowdirectmemoryaccess) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#disablecompatview) +- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#disablegeolocation) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching) +- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) +- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) +- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelaybackgrounddownloadfromhttp) +- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#dodelayforegrounddownloadfromhttp) +- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground) +- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground) +- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode) +- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid) +- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#dogroupidsource) +- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxdownloadbandwidth) (deprecated) +- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#domaxuploadbandwidth) (deprecated) +- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos) +- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#dominbatterypercentageallowedtoupload) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxdownloadbandwidth) (deprecated) +- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth) +- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#dorestrictpeerselectionby) +- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth) +- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#allowdevicehealthmonitoring) +- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#configdevicehealthmonitoringscope) +- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#configdevicehealthmonitoringuploaddestination) +- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#letappsactivatewithvoiceabovelock) +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#configuredeadlinenoautoreboot) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing) +- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) +- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode) ## Related topics diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index bcc22cc6cb..e5b6bf466c 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -14,13 +14,13 @@ ms.date: 07/22/2020 # Policies in Policy CSP supported by Microsoft Surface Hub -- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) -- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) -- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) -- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites) +- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#allowdeveloperunlock) +- [Accounts/AllowMicrosoftAccountConnection](./policy-csp-accounts.md#allowmicrosoftaccountconnection) +- [Camera/AllowCamera](policy-csp-camera.md#allowcamera) +- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui) +- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#tlsciphersuites) - [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning) - [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring) - [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection) @@ -47,53 +47,52 @@ ms.date: 07/22/2020 - [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval) - [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent) - [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction) -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) -- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) -- [System/AllowLocation](policy-csp-system.md#system-allowlocation) -- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) -- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) -- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging) -- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess) -- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel) -- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters) -- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters) -- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph) -- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary) -- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc) -- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis) -- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) -- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing) -- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) -- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) -- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting) -- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode) -- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#wifi-allowwifidirect) -- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement) -- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery) -- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc) -- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompcoverinfrastructure) -- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) -- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopcoverinfrastructure) -- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) -- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) - +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode) +- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxdownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#preventuserredirectionofprofilefolders) +- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership) +- [System/AllowLocation](policy-csp-system.md#allowlocation) +- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard) +- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [TextInput/AllowIMELogging](policy-csp-textinput.md#allowimelogging) +- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#allowimenetworkaccess) +- [TextInput/AllowInputPanel](policy-csp-textinput.md#allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#excludejapaneseimeexceptshiftjis) +- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#configuretimezone) +- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration) +- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) +- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#allowwifihotspotreporting) +- [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode) +- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect) +- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement) +- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#allowmdnsdiscovery) +- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#allowprojectionfrompc) +- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectionfrompcoverinfrastructure) +- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#allowprojectiontopc) +- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#allowprojectiontopcoverinfrastructure) +- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#allowuserinputfromwirelessdisplayreceiver) +- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#requirepinforpairing) ## Related topics diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md index 601ad0b197..3d2e78b195 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md +++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS) description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS). -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,26 +14,26 @@ ms.date: 07/18/2019 # Policies in Policy CSP that can be set using Exchange Active Sync (EAS) -- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) -- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#connectivity-allowcellulardataroaming) -- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) -- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) -- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) -- [System/TelemetryProxy](policy-csp-system.md#system-telemetryproxy) -- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) +- [Camera/AllowCamera](policy-csp-camera.md#allowcamera) +- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#showappcellularaccessui) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#allowcellulardataroaming) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength) +- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#preventlockscreenslideshow) +- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#requiredeviceencryption) +- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard) +- [System/TelemetryProxy](policy-csp-system.md#telemetryproxy) +- [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing) +- [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) ## Related topics diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index e1d39bcbd8..cd689bed30 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -92,9 +92,7 @@ If the device is not opted-in to the DeviceHealthMonitoring service via the Allo -This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. -This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. -IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. +This policy is applicable only if the [AllowDeviceHealthMonitoring](#allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection. IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service. @@ -175,7 +173,7 @@ If the device is not opted-in to the DeviceHealthMonitoring service via the Allo -This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. +This policy is applicable only if the [AllowDeviceHealthMonitoring](#allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device. The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios. In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 930981e88b..f2cfa06fb3 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -37,16 +37,10 @@ ms.topic: reference -This Setting allows an administrator to manage local groups on a Device. -Possible settings +This Setting allows an administrator to manage local groups on a Device. Possible settings: -1. Update Group Membership Update a group and add and/or remove members though the 'U' action. -When using Update, existing group members that are not specified in the policy remain untouched. - -2. Replace Group Membership Restrict a group by replacing group membership through the 'R' action. -When using Replace, existing group membership is replaced by the list of members specified in -the add member section. This option works in the same way as a Restricted Group and any group -members that are not specified in the policy are removed +1. Update Group Membership Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that are not specified in the policy remain untouched. +2. Replace Group Membership Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group members that are not specified in the policy are removed. > [!CAUTION] > If the same group is configured with both Replace and Update, then Replace will win. @@ -55,9 +49,9 @@ members that are not specified in the policy are removed > [!NOTE] -> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. +> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > -> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. @@ -142,7 +136,7 @@ members that are not specified in the policy are removed -**Example**: +**Examples**: Here is an example of the policy definition XML for group configuration: @@ -160,27 +154,25 @@ where: - ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. - ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: - - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. - - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. + - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. + - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting. - ``: Specifies the SID or name of the member to configure. - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". + > When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. > [!IMPORTANT] +> > - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. > - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. > - `` is not valid for the R (Restrict) action and will be ignored if present. > - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. - -**Examples** - **Example 1**: Azure Active Directory focused. The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. @@ -198,9 +190,7 @@ The following example updates the built-in administrators group with the SID **S **Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] -> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. - -**Example**: +> When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. ```xml @@ -228,8 +218,7 @@ The following example shows how you can update a local group (**Administrators** ``` > [!NOTE] -> -> When Azure Active Directory group SID’s are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: +> When Azure Active Directory group SID's are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: > > - Administrators > - Users @@ -237,7 +226,12 @@ The following example shows how you can update a local group (**Administrators** > - Power Users > - Remote Desktop Users > - Remote Management Users + + + + + ## FAQs This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. @@ -281,8 +275,7 @@ If you specify both R and U in the same XML, the R (Restrict) action takes prece After a policy is applied on the client device, you can investigate the event log to review the result: 1. Open Event Viewer (**eventvwr.exe**). -2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise- -Diagnostics-Provider** > **Admin**. +2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostics-Provider** > **Admin**. 3. Search for the `LocalUsersAndGroups` string to review the relevant details. ### How can I troubleshoot Name/SID lookup APIs? @@ -293,7 +286,6 @@ To troubleshoot Name/SID lookup APIs: ```powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force - Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force ``` @@ -303,15 +295,8 @@ To troubleshoot Name/SID lookup APIs: ```powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force - Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force ``` - - - - - - From 8997b8b92bb64371e6f7a02a3336a950279a2bef Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 9 Jan 2023 19:04:56 -0500 Subject: [PATCH 128/152] Fix more warnings --- .../change-history-for-mdm-documentation.md | 2 +- ...es-in-policy-csp-supported-by-hololens2.md | 34 +++--- ...ies-in-policy-csp-supported-by-iot-core.md | 6 +- ...-in-policy-csp-supported-by-surface-hub.md | 8 +- .../mdm/policy-csp-bluetooth.md | 110 ++++++++++++++++++ 5 files changed, 135 insertions(+), 25 deletions(-) diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md index 327fe626a7..b77a1761a8 100644 --- a/windows/client-management/change-history-for-mdm-documentation.md +++ b/windows/client-management/change-history-for-mdm-documentation.md @@ -239,7 +239,7 @@ As of November 2020 This page will no longer be updated. This article lists new |[AccountManagement CSP](mdm/accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.| |[RootCATrustedCertificates CSP](mdm/rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:
  15. UntrustedCertificates| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  16. ApplicationDefaults/EnableAppUriHandlers
  17. ApplicationManagement/MSIAllowUserControlOverInstall
  18. ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
  19. Connectivity/AllowPhonePCLinking
  20. Notifications/DisallowCloudNotification
  21. Notifications/DisallowTileNotification
  22. RestrictedGroups/ConfigureGroupMembership

    The following existing policies were updated:
  23. Browser/AllowCookies - updated the supported values. There are three values - 0, 1, 2.
  24. InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
  25. TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

    Added a new section:
  26. [[Policies in Policy CSP supported by Group Policy](mdm/policies-in-policy-csp-supported-by-group-policy.md) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| -|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#usage-guide).| +|[Policy CSP - Bluetooth](mdm/policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](mdm/policy-csp-bluetooth.md#servicesallowedlist-usage-guide).| |[MultiSIM CSP](mdm/multisim-csp.md)|Added SyncML examples and updated the settings descriptions.| |[RemoteWipe CSP](mdm/remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.| diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 5cf399b45d..ee5e75bc24 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -46,13 +46,13 @@ ms.date: 08/01/2022 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) 9 -- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalpeforelogon) 12 +- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalbeforelogon) 12 - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)10 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12 -- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disablesisallownetworkconnectivitypassivepolling) 12 +- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) @@ -71,26 +71,26 @@ ms.date: 08/01/2022 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) - [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo) -- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo-forceallowtheseapps) -- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo-forcedenytheseapps) -- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo-userincontroloftheseapps) +- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps) +- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps) +- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_userincontroloftheseapps) - [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#letappsaccessbackgroundspatialperception) -- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception-forceallowtheseapps) -- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception-forcedenytheseapps) -- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception-userincontroloftheseapps) -- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera-forceallowtheseapps) 8 -- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera-forcedenytheseapps) 8 -- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forceallowtheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forcedenytheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_userincontroloftheseapps) +- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps) 8 +- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps) 8 +- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps) 8 - [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#letappsaccessgazeinput) 8 -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput-forceallowtheseapps) 8 -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput-forcedenytheseapps) 8 -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forceallowtheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8 - [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera) - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation) - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone) -- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone-forceallowtheseapps) 8 -- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone-forcedenytheseapps) 8 -- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps) 8 - [RemoteLock/Lock](./remotelock-csp.md) 9 - [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation) - [Security/AllowAddProvisioningPackage](policy-csp-security.md#allowaddprovisioningpackage) 9 diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md index ade224d1ce..e15af01618 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md @@ -36,9 +36,9 @@ ms.date: 09/16/2019 - [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth) - [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage) - [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxdownloadbandwidth) (deprecated) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated) - [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#domaxuploadbandwidth) (deprecated) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated) - [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos) - [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#dominbatterypercentageallowedtoupload) - [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer) @@ -47,7 +47,7 @@ ms.date: 09/16/2019 - [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive) - [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap) - [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxdownloadbandwidth) (deprecated) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated) - [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth) - [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#dorestrictpeerselectionby) - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index e5b6bf466c..ce20ebe3db 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -53,15 +53,15 @@ ms.date: 07/22/2020 - [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#dogroupid) - [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#domaxcacheage) - [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#domaxuploadbandwidth) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated) - [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#dominbackgroundqos) - [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#domindisksizeallowedtopeer) - [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#dominfilesizetocache) - [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#dominramallowedtopeer) - [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#domodifycachedrive) - [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxdownloadbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md) (Deprecated) - [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#preventuserredirectionofprofilefolders) - [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md#configuregroupmembership) - [System/AllowLocation](policy-csp-system.md#allowlocation) @@ -82,7 +82,7 @@ ms.date: 07/22/2020 - [Wifi/AllowInternetSharing](policy-csp-wifi.md#allowinternetsharing) - [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#allowmanualwificonfiguration) - [Wifi/AllowWiFi](policy-csp-wifi.md#allowwifi) -- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#allowwifihotspotreporting) +- [Wifi/AllowWiFiHotSpotReporting](policy-csp-wifi.md) (Deprecated) - [Wifi/WLANScanMode](policy-csp-wifi.md#wlanscanmode) - [Wifi/AllowWiFiDirect](policy-csp-wifi.md#allowwifidirect) - [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#allowmdnsadvertisement) diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 09c8018c48..e2910d975d 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -338,6 +338,116 @@ There are multiple levels of encryption strength when pairing Bluetooth devices. +## ServicesAllowedList usage guide + +When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It's an allowed list, enabling admins to still allow custom Bluetooth profiles that aren't defined by the Bluetooth Special Interests Group (SIG). + +- Disabling a service shall block incoming and outgoing connections for such services +- Disabling a service shall not publish an SDP record containing the service being blocked +- Disabling a service shall not allow SDP to expose a record for a blocked service +- Disabling a service shall log when a service is blocked for auditing purposes +- Disabling a service shall take effect upon reload of the stack or system reboot + +To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. + +These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID. + +Here are some examples: + +**Example of how to enable Hands Free Profile (HFP)**: + +BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB + +| UUID name | Protocol specification | UUID | +|-------------------------|----------------------------|--------| +| HFP(Hands Free Profile) | Hands-Free Profile (HFP) * | 0x111E | + +Footnote: * Used as both Service Class Identifier and Profile Identifier. + +Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB + +**Allow Audio Headsets (Voice)**: + +| Profile | Reasoning | UUID | +|--------------------------|---------------------------------------|--------| +| HFP (Hands Free Profile) | For voice-enabled headsets | 0x111E | +| Generic Audio Service | Generic audio service | 0x1203 | +| Headset Service Class | For older voice-enabled headsets | 0x1108 | +| PnP Information | Used to identify devices occasionally | 0x1200 | + +If you only want Bluetooth headsets, the UUIDs to include are: `{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}`. + + + +**Allow Audio Headsets and Speakers (Voice & Music)**: + +|Profile |Reasoning |UUID | +|---------|---------|---------| +|HFP (Hands Free Profile) |For voice enabled headsets |0x111E | +|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B| +|Generic Audio Service|Generic service used by Bluetooth|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|AV Remote Control Target Service|For controlling audio remotely|0x110C| +|AV Remote Control Service|For controlling audio remotely|0x110E| +|AV Remote Control Controller Service|For controlling audio remotely|0x110F| +|PnP Information|Used to identify devices occasionally|0x1200| + +{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; + +**Classic Keyboards and Mice**: + +|Profile |Reasoning |UUID | +|---------|---------|---------| +|HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 | +|PnP Information|Used to identify devices occasionally|0x1200| + +{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; + +**LE Keyboards and Mice**: + +|Profile |Reasoning |UUID | +|---------|---------|---------| +|Generic Access Attribute |For the LE Protocol |0x1801 | +|HID Over GATT * |For LE keyboards and mice |0x1812 | +|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | +|DID (Device ID) |Generic service used by Bluetooth |0x180A | +|Scan Parameters |Generic service used by Bluetooth |0x1813 | + +Footnote: * The Surface pen uses the HID over GATT profile + +{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} + +**Allow File Transfer**: + +|Profile |Reasoning |UUID | +|---------|---------|---------| +|OBEX Object Push (OPP) |For file transfer |0x1105 | +|Object Exchange (OBEX) |Protocol for file transfer |0x0008 | +|PnP Information|Used to identify devices occasionally|0x1200| + +{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} + +Disabling file transfer shall have the following effects: + +- Fsquirt shall not allow sending of files +- Fsquirt shall not allow receiving of files +- Fsquirt shall display error message informing user of policy preventing file transfer +- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API From 04a178ce9cabc8ccef509071c06f4067cc75bfc4 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 9 Jan 2023 19:29:11 -0500 Subject: [PATCH 129/152] Fix PreventTurningOffRequiredExtensions policy --- .../client-management/mdm/policy-csp-browser.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index ff36317996..4c5e5997cb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -3233,12 +3233,24 @@ This policy setting lets you decide whether employees can override the Windows D - -You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft. OneNoteWebClipper_8wekyb3d8bbwe;Microsoft. OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user's computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. If disabled or not configured, extensions defined as part of this policy get ignored. Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: - Find a package family name (PFN) for per-app VPN ( - How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune ( - How to assign apps to groups with Microsoft Intune ( - Manage apps from the Microsoft Store for Business with System Center Configuration Manager ( - How to add Windows line-of-business (LOB) apps to Microsoft Intune ( + +You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +- When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding `Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe` prevents a user from turning off the OneNote Web Clipper and Office Online extension. When enabled, removing extensions from the list does not uninstall the extension from the user's computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. +- If disabled or not configured, extensions defined as part of this policy get ignored. +- Default setting: Disabled or not configured + +Related Documents: + +- [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) +- [Assign apps to groups with Microsoft Intune](/mem/intune/apps-deploy) +- [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) From 56a611703fecd1ba55996fc123708af79f0bb629 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 12 Jan 2023 10:34:15 -0500 Subject: [PATCH 130/152] Add important note for data collection policies --- .../mdm/policy-csp-admx-datacollection.md | 2 ++ windows/client-management/mdm/policy-csp-system.md | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index d4ca4a3c81..39f610dc84 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -49,6 +49,8 @@ This policy setting defines the identifier used to uniquely associate this devic +> [!IMPORTANT] +> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index ac45cee0eb..6bbc764350 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -127,6 +127,9 @@ See the documentation at for i > [!NOTE] > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. + +> [!IMPORTANT] +> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -200,6 +203,8 @@ This setting has no effect on devices unless they are properly enrolled in Deskt +> [!IMPORTANT] +> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -755,6 +760,8 @@ When these policies are configured, Windows diagnostic data collected from the d +> [!IMPORTANT] +> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -875,6 +882,8 @@ When these policies are configured, Windows diagnostic data collected from the d +> [!IMPORTANT] +> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). From 8ec828418f1b201bebea0ce0b0efee42a74d81b3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 12 Jan 2023 11:16:08 -0500 Subject: [PATCH 131/152] Add note for Issue 10764 --- .../client-management/mdm/policy-csp-deliveryoptimization.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 2425d81cee..fe04df23d4 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -171,6 +171,8 @@ One or more values can be added as either fully qualified domain names (FQDN) or +> [!NOTE] +> Clients don't talk to multiple Microsoft Connected Cache (MCC) servers at the same time. If you configure a list of MCC servers in this policy, the clients will round robin until they successfully connect to an MCC server. The clients have no way to determine if the MCC server has the content or not. If the MCC server doesn't have the content, it caches the content as it is handing the content back to the client. @@ -583,6 +585,8 @@ Specifies the download method that Delivery Optimization can use in downloads of +> [!NOTE] +> The Delivery Optimization service on the clients checks to see if there are peers and/or an MCC server which contains the content and determines the best source for the content. From 829144c6f470390e8f66c46e87858502d2801f8b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 12 Jan 2023 17:04:18 -0500 Subject: [PATCH 132/152] Update text for the deprecation --- .../mdm/policy-csp-admx-datacollection.md | 2 +- windows/client-management/mdm/policy-csp-system.md | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 39f610dc84..d658533761 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -50,7 +50,7 @@ This policy setting defines the identifier used to uniquely associate this devic > [!IMPORTANT] -> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 6bbc764350..6981dab41d 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -129,7 +129,7 @@ See the documentation at for i > Configuring this setting doesn't affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. > [!IMPORTANT] -> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -204,7 +204,7 @@ This setting has no effect on devices unless they are properly enrolled in Deskt > [!IMPORTANT] -> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -575,6 +575,8 @@ This setting has no effect on devices unless they are properly enrolled in Micro +> [!IMPORTANT] +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -761,7 +763,7 @@ When these policies are configured, Windows diagnostic data collected from the d > [!IMPORTANT] -> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). @@ -883,7 +885,7 @@ When these policies are configured, Windows diagnostic data collected from the d > [!IMPORTANT] -> Starting in January 2023, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). +> Starting with the January 2023 preview cumulative update, this policy is no longer supported to configure the processor option. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). From fd1d1d6c623527ad873421bf8fd99e311faad5b0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 12 Jan 2023 17:06:15 -0500 Subject: [PATCH 133/152] Minor updates --- .../mdm/policies-in-policy-csp-admx-backed.md | 2 +- .../mdm/policies-in-policy-csp-supported-by-group-policy.md | 2 +- windows/client-management/mdm/policy-csp-admx-appxruntime.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index d11de25447..33562b74cf 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 01/12/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index cbca4a74cd..3969452dea 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 01/12/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 71173b8d82..b440390a21 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_AppXRuntime Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 01/12/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ This policy setting lets you turn on Content URI Rules to supplement the static - If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. -If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. +- If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules. From df4b045a49bbef8bc53aa31c67ff4123338d12c2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 17 Jan 2023 16:10:15 -0500 Subject: [PATCH 134/152] Add Update CSP + soe other missing CSPs --- .../mdm/policies-in-policy-csp-admx-backed.md | 2 +- ...in-policy-csp-supported-by-group-policy.md | 2 +- .../policy-configuration-service-provider.md | 2 +- .../policy-csp-admx-controlpaneldisplay.md | 6 +- .../mdm/policy-csp-connectivity.md | 1 + .../mdm/policy-csp-update.md | 6132 +++++++++-------- 6 files changed, 3153 insertions(+), 2992 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 33562b74cf..36696838f9 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/12/2023 +ms.date: 01/17/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 3969452dea..7c231966ef 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/12/2023 +ms.date: 01/17/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 95d89d8ebf..6ab8b5a7a4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 01/17/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 314b420ed6..68499c0c39 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 01/13/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -349,9 +349,9 @@ Enables desktop screen savers. - If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. -If you do not configure it, this setting has no effect on the system. +- If you do not configure it, this setting has no effect on the system. -If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. +- If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel. Also, see the "Prevent changing Screen Saver" setting. diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index ec53263eab..0254386450 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -816,6 +816,7 @@ This policy setting configures secure access to UNC paths. +For more information, see [MS15-011: Vulnerability in Group Policy could allow remote code execution](https://support.microsoft.com/kb/3000483). diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d7228c5219..b4148eeeb1 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 01/17/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -20,8 +20,1403 @@ ms.topic: reference +## Manage updates offered from Windows Update + + +### BranchReadinessLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel +``` + + + + +Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 16 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709). | +| 4 | {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709). | +| 8 | {0x8} - Release Windows Insider build (added in Windows 10, version 1709). | +| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). | +| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). | +| 64 | {0x40} - Release Preview of Quality Updates Only. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DeferFeatureUpdatesPeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays +``` + + + + +Defers Feature Updates for the specified number of days. Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-365]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Element Name | How many days after a Feature Update is released would you like to defer the update before it is offered to the device? | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DeferQualityUpdatesPeriodInDays + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays +``` + + + + +Defers Quality Updates for the specified number of days. Supported values are 0-30. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates | +| Friendly Name | Select when Quality Updates are received | +| Element Name | After a quality update is released, defer receiving it for this many days | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ExcludeWUDriversInQualityUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ExcludeWUDriversInQualityUpdate +``` + + + + +Enable this policy to not include drivers with Windows quality updates. + +- If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Allow Windows Update drivers. | +| 1 | Exclude Windows Update drivers. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExcludeWUDriversInQualityUpdate | +| Friendly Name | Do not include drivers with Windows Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | ExcludeWUDriversInQualityUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ManagePreviewBuilds + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds +``` + + + + +Used to manage Windows 10 Insider Preview builds. Value type is integer. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disable Preview builds. | +| 1 | Disable Preview builds once the next release is public. | +| 2 | Enable Preview builds. | +| 3 (Default) | Preview builds is left to user selection. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ManagePreviewBuilds | +| Friendly Name | Manage preview builds | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdates +``` + + + + +Allows IT Admins to pause Feature Updates for up to 60 days. + + + + +> [!NOTE] +> We recommend that you use the Update/PauseFeatureUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Feature Updates are not paused. | +| 1 | Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseFeatureUpdatesStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdatesStartTime +``` + + + + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferFeatureUpdates | +| Friendly Name | Select when Preview Builds and Feature Updates are received | +| Element Name | Pause Preview Builds or Feature Updates starting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates +``` + + + + +Allows IT Admins to pause Quality Updates. + + + + +> [!NOTE] +> We recommend that you use the Update/PauseQualityUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Quality Updates are not paused. | +| 1 | Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates | +| Friendly Name | Select when Quality Updates are received | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### PauseQualityUpdatesStartTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdatesStartTime +``` + + + + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). + + + + +> [!NOTE] +> When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferQualityUpdates | +| Friendly Name | Select when Quality Updates are received | +| Element Name | Pause Quality Updates starting | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ProductVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ProductVersion +``` + + + + +Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows release information](/windows/release-health/release-information). + + + + +Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device: + +1. The applicable Windows license was purchased through volume licensing, or +2. You're authorized to bind your organization and are accepting on its behalf the relevant [Microsoft Software License Terms](https://www.microsoft.com/Useterms). + +> [!NOTE] +> If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | TargetReleaseVersion | +| Friendly Name | Select the target Feature Update version | +| Element Name | Which Windows product version would you like to receive feature updates for? e.g., Windows 10 | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### TargetReleaseVersion + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1488] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.836] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion +``` + + + + +Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information). + + + + +Supported value type is a string containing Windows version number. For example, `1809`, `1903`, etc. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | TargetReleaseVersion | +| Friendly Name | Select the target Feature Update version | +| Element Name | Target Version for Feature Updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + +## Manage updates offered from Windows Server Update Service + + +### AllowUpdateService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowUpdateService +``` + + + + +Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed. | +| 1 (Default) | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DetectionFrequency + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DetectionFrequency +``` + + + + +Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + + +This policy should be enabled only when [UpdateServiceUrl](#updateserviceurl) is configured to point the device at a WSUS server rather than Microsoft Update. + +> [!NOTE] +> There is a random variant of 0-4 hours applied to the scan frequency, which cannot be configured. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-22]` | +| Default Value | 22 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DetectionFrequency_Title | +| Friendly Name | Automatic Updates detection frequency | +| Element Name | interval (hours) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18818] and later
    :heavy_check_mark: Windows 10, version 1607 [10.0.14393.4169] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063.2108] and later
    :heavy_check_mark: Windows 10, version 1709 [10.0.16299.2166] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1967] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1697] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1316] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1316] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.746] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.746] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection +``` + + + + +Do not enforce TLS certificate pinning for Windows Update client for detecting updates. + + + + +> [!NOTE] +> By default, certificate pinning for Windows Update client isn't enforced. To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Do not enforce TLS certificate pinning for Windows Update client for detecting updates. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### FillEmptyContentUrls + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/FillEmptyContentUrls +``` + + + + +Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Download files with no Url in the metadata if alternate download server is set. | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForDriverUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForDriverUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Windows Driver Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Driver Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Driver Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Windows Feature Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Feature Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Feature Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForOtherUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForOtherUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Other Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy other Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy other Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetPolicyDrivenUpdateSourceForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForQualityUpdates +``` + + + + + + + + +Configure this policy to specify whether to receive **Windows Quality Updates** from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: + +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates + +> [!NOTE] +> If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Detect, download and deploy Quality Updates from Windows Update. | +| 1 (Default) | Detect, download and deploy Quality Updates from Windows Server Update Services (WSUS). | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetProxyBehaviorForUpdateDetection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18696] and later
    :heavy_check_mark: Windows 10, version 1607 [10.0.14393.3930] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063.2500] and later
    :heavy_check_mark: Windows 10, version 1709 [10.0.16299.2107] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1726] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1457] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1082] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1082] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.508] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetProxyBehaviorForUpdateDetection +``` + + + + +Select the proxy behavior for Windows Update client for detecting updates + + + + +By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. + +This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. + +> [!NOTE] +> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Only use system proxy for detecting updates (default). | +| 1 | Allow user proxy to be used as a fallback if detection using system proxy fails. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Select the proxy behavior for Windows Update client for detecting updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### UpdateServiceUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl +``` + + + + +Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. + + + + +The following list shows the supported values: + +- Not configured: The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`: The device checks for updates from the WSUS server at the specified URL. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | CorpWSUS | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Set the intranet update service for detecting updates | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + +**Example**: + +```xml + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + + +### UpdateServiceUrlAlternate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrlAlternate +``` + + + + +Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!NOTE] +> If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | CorpWuURL | +| Friendly Name | Specify intranet Microsoft update service location | +| Element Name | Set the alternate download server | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + +## Manage end user experience + -## ActiveHoursEnd +### ActiveHoursEnd | Scope | Editions | Applicable OS | @@ -37,7 +1432,7 @@ ms.topic: reference -Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time +Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default is 17 (5 PM). @@ -79,7 +1474,7 @@ Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range o -## ActiveHoursMaxRange +### ActiveHoursMaxRange | Scope | Editions | Applicable OS | @@ -138,7 +1533,7 @@ The max active hours range can be set between 8 and 18 hours. -## ActiveHoursStart +### ActiveHoursStart | Scope | Editions | Applicable OS | @@ -154,7 +1549,7 @@ The max active hours range can be set between 8 and 18 hours. -Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time +Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See Update/ActiveHoursMaxRange above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. The default value is 8 (8 AM). @@ -196,7 +1591,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of -## AllowAutoUpdate +### AllowAutoUpdate | Scope | Editions | Applicable OS | @@ -212,7 +1607,7 @@ Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Supported operations are Get and Replace. Important. This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). +Enables the IT admin to manage automatic update behavior to scan, download, and install updates. Important. This option should be used only for systems under regulatory compliance, as you will not get security updates as well. If the policy is not configured, end-users get the default behavior (Auto install and restart). @@ -263,7 +1658,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and -## AllowAutoWindowsUpdateDownloadOverMeteredNetwork +### AllowAutoWindowsUpdateDownloadOverMeteredNetwork | Scope | Editions | Applicable OS | @@ -329,7 +1724,7 @@ This policy is accessible through the Update setting in the user interface or Gr -## AllowMUUpdateService +### AllowMUUpdateService | Scope | Editions | Applicable OS | @@ -398,151 +1793,464 @@ Allows the IT admin to manage whether to scan for app updates from Microsoft Upd - -## AllowNonMicrosoftSignedUpdate + +### ConfigureDeadlineForFeatureUpdates - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate -``` - - - - -Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. Supported operations are Get and Replace. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. | -| 1 (Default) | Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer. | - - - - - - - - - -## AllowUpdateService - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/AllowUpdateService -``` - - - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the Specify intranet Microsoft update service location policy. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Not allowed. | -| 1 (Default) | Allowed. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## AutomaticMaintenanceWakeUp - - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForFeatureUpdates ``` - + - - -This policy setting allows you to configure Automatic Maintenance wake up policy. + + +Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. + -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -- If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -- If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - + - +> [!NOTE] +> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 2 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForQualityUpdates +``` + + + + +Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. + + + + +> [!NOTE] +> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Deadline (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineGracePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriod +``` + + + + +Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | +| Default Value | 2 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Grace period (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineGracePeriodForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1852] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1474] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.906] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriodForFeatureUpdates +``` + + + + +Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-7]` | +| Default Value | 7 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Grace Period (days) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ConfigureDeadlineNoAutoReboot + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot +``` + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ComplianceDeadline | +| Friendly Name | Specify deadlines for automatic updates and restarts | +| Element Name | Don't auto-restart until end of grace period | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### NoUpdateNotificationsDuringActiveHours + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/NoUpdateNotificationsDuringActiveHours +``` + + + + +0 (default) - Use the default Windows Update notifications +1 - Turn off all notifications, excluding restart warnings +2 - Turn off all notifications, including restart warnings + +This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. + +**Important** if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + +If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. + + + + +> [!NOTE] +> This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. If no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UpdateNotificationLevel | +| Friendly Name | Display options for update notifications | +| Element Name | Apply only during active hours | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallDay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallDay +``` + + + + +Enables the IT admin to schedule the day of the update installation. The data type is a integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Every day. | +| 1 | Sunday. | +| 2 | Monday. | +| 3 | Tuesday. | +| 4 | Wednesday. | +| 5 | Thursday. | +| 6 | Friday. | +| 7 | Saturday. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Scheduled install day | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallEveryWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallEveryWeek +``` + + + + +Enables the IT admin to schedule the update installation on the every week. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + **Description framework properties**: | Property name | Property value | @@ -550,39 +2258,625 @@ The maintenance wakeup policy specifies if Automatic Maintenance should make a w | Format | int | | Access Type | Add, Delete, Get, Replace | | Default Value | 1 | - + - + **Allowed values**: | Value | Description | |:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - +| 0 | No update in the schedule. | +| 1 (Default) | Update is scheduled every week. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | WakeUpPolicy | -| Friendly Name | Automatic Maintenance WakeUp Policy | +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Every week | | Location | Computer Configuration | -| Path | Windows Components > Maintenance Scheduler | -| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | -| Registry Value Name | WakeUp | -| ADMX File Name | msched.admx | - +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + - + - + - + + + +### ScheduledInstallFirstWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFirstWeek +``` + + + + +Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every first week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | First week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallFourthWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFourthWeek +``` + + + + +Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every fourth week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Fourth week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallSecondWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallSecondWeek +``` + + + + +Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every second week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Second week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallThirdWeek + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallThirdWeek +``` + + + + +Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. + + + + +> [!NOTE] +> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | No update in the schedule. | +| 1 | Update is scheduled every third week of the month. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Third week of the month | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduledInstallTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime +``` + + + + + the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + + + + +> [!NOTE] +> +> - This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. +> - There is a window of approximately 30 minutes to allow for higher success rates of installation. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-23]` | +| Default Value | 3 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoUpdateCfg | +| Friendly Name | Configure Automatic Updates | +| Element Name | Scheduled install time | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetDisablePauseUXAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetDisablePauseUXAccess +``` + + + + +This setting allows to remove access to "Pause updates" feature. + +Once enabled user access to pause updates is removed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Enable. | +| 0 (Default) | Disable. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisablePauseUXAccess | +| Friendly Name | Remove access to "Pause updates" feature | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetDisablePauseUXAccess | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetDisableUXWUAccess + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetDisableUXWUAccess +``` + + + + +This setting allows you to remove access to scan Windows Update. + +- If you enable this setting user access to Windows Update scan, download and install is removed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableUXWUAccess | +| Friendly Name | Remove access to use all Windows Update features | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetDisableUXWUAccess | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetEDURestart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetEDURestart +``` + + + + +Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not configured. | +| 1 | Configured. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | SetEDURestart | +| Friendly Name | Update Power Policy for Cart Restarts | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetEDURestart | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### UpdateNotificationLevel + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel +``` + + + + +0 (default) - Use the default Windows Update notifications +1 - Turn off all notifications, excluding restart warnings +2 - Turn off all notifications, including restart warnings + +This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. + +**Important** if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + +If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Use the default Windows Update notifications. | +| 1 | Turn off all notifications, excluding restart warnings. | +| 2 | Turn off all notifications, including restart warnings. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | UpdateNotificationLevel | +| Friendly Name | Display options for update notifications | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | SetUpdateNotificationLevel | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + +## Legacy Policies -## AutoRestartDeadlinePeriodInDays +### AutoRestartDeadlinePeriodInDays | Scope | Editions | Applicable OS | @@ -646,7 +2940,7 @@ Enabling either of the following two policies will override the above policy: -## AutoRestartDeadlinePeriodInDaysForFeatureUpdates +### AutoRestartDeadlinePeriodInDaysForFeatureUpdates | Scope | Editions | Applicable OS | @@ -661,10 +2955,17 @@ Enabling either of the following two policies will override the above policy: - -For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Value type is integer. Default is 7 days. Supported values range 2-30. **Note** that the PC must restart for certain updates to take effect. -- If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled. -- If you disable or do not configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effectNo auto-restart with logged on users for scheduled automatic updates installations. Always automatically restart at scheduled time. + +Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default restart date. + +The restart may happen inside active hours. + +- If you disable or do not configure this policy, the PC will restart according to the default schedule. + +Enabling either of the following two policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. @@ -703,7 +3004,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic -## AutoRestartNotificationSchedule +### AutoRestartNotificationSchedule | Scope | Editions | Applicable OS | @@ -769,7 +3070,7 @@ Allows the IT Admin to specify the period for auto-restart reminder notification -## AutoRestartRequiredNotificationDismissal +### AutoRestartRequiredNotificationDismissal | Scope | Editions | Applicable OS | @@ -835,769 +3136,8 @@ The method can be set to require user action to dismiss the notification. - -## BranchReadinessLevel - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel -``` - - - - -Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 16 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 2 | {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709). | -| 4 | {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709). | -| 8 | {0x8} - Release Windows Insider build (added in Windows 10, version 1709). | -| 16 (Default) | {0x10} - Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). | -| 32 | 2 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16). | -| 64 | {0x40} - Release Preview of Quality Updates Only. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferFeatureUpdates | -| Friendly Name | Select when Preview Builds and Feature Updates are received | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ConfigureDeadlineForFeatureUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForFeatureUpdates -``` - - - - -Number of days before feature updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-30]` | -| Default Value | 2 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineForFeatureUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineForFeatureUpdates | - - - - - - - - - -## ConfigureDeadlineForQualityUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineForQualityUpdates -``` - - - - -Number of days before quality updates are installed on devices automatically regardless of active hours. Before the deadline passes, users will be able to schedule restarts, and automatic restarts can happen outside of active hours. When set to 0, updates will download and install immediately, but might not finish within the day due to device availability and network connectivity. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-30]` | -| Default Value | 7 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineForQualityUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineForQualityUpdates | - - - - - - - - - -## ConfigureDeadlineGracePeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriod -``` - - - - -Minimum number of days from update installation until restarts occur automatically for quality updates. This policy only takes effect when Update/ConfigureDeadlineForQualityUpdates is configured. If Update/ConfigureDeadlineForQualityUpdates is configured but this policy is not, then the default value of 2 days will take effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-7]` | -| Default Value | 2 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineGracePeriod | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineGracePeriod | - - - - - - - - - -## ConfigureDeadlineGracePeriodForFeatureUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1852] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1474] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.906] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineGracePeriodForFeatureUpdates -``` - - - - -Minimum number of days from update installation until restarts occur automatically for feature updates. This policy only takes effect when Update/ConfigureDeadlineForFeatureUpdates is configured. If Update/ConfigureDeadlineForFeatureUpdates is configured but this policy is not, then the value configured by Update/ConfigureDeadlineGracePeriod will be used. If Update/ConfigureDeadlineGracePeriod is also not configured, then the default value of 7 days will take effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-7]` | -| Default Value | 7 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineGracePeriodForFeatureUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineGracePeriodForFeatureUpdates | - - - - - - - - - -## ConfigureDeadlineNoAutoReboot - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoReboot -``` - - - - -When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates or Update/ConfigureDeadlineForFeatureUpdates is configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineNoAutoReboot | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineNoAutoReboot | - - - - - - - - - -## ConfigureDeadlineNoAutoRebootForFeatureUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates -``` - - - - -When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | - - - - - - - - - -## ConfigureDeadlineNoAutoRebootForQualityUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates -``` - - - - -When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | - - - - - - - - - -## ConfigureFeatureUpdateUninstallPeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod -``` - - - - -Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[2-60]` | -| Default Value | 10 | - - - - - - - - - -## DeferFeatureUpdatesPeriodInDays - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays -``` - - - - -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. Supported values are 0-365 days - -> [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-365]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferFeatureUpdates | -| Friendly Name | Select when Preview Builds and Feature Updates are received | -| Element Name | How many days after a Feature Update is released would you like to defer the update before it is offered to the device? | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## DeferQualityUpdatesPeriodInDays - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays -``` - - - - -Defers Quality Updates for the specified number of days. Supported values are 0-30. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-30]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferQualityUpdates | -| Friendly Name | Select when Quality Updates are received | -| Element Name | After a quality update is released, defer receiving it for this many days | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## DeferUpdatePeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod -``` - - - - -Note. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to 4 weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:Update/RequireDeferUpgrade must be set to 1. System/AllowTelemetry must be set to 1 or higherIf the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. OS upgrade:Maximum deferral: 8 monthsDeferral increment: 1 monthUpdate type/notes:Upgrade - 3689. BDC8-B205-4. AF4-8. D4A-A63924C5E9D5Update:Maximum deferral: 1 monthDeferral increment: 1 weekUpdate type/notes:If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - Security Update - 0. FA1201D-4330-4. FA8-8. AE9-B877473B6441- Critical Update - E6CF1350-C01B-414. D-A61F-263. D14D133B4- Update Rollup - 28. BC880E-0592-4. CBF-8. F95-C79B17911D5F- Service Pack - 68. C5B0A3-D1A6-4553-AE49-01. D3A7827828- Tools - B4832BD8-E735-4761-8. DAF-37. F882276DAB- Feature Pack - B54E7D24-7. ADD-428. F-8. B75-90. A396FA584F- Update - CD5FFD1E-E932-4. E3A-BF74-18. BF0B1BBD83- Driver - EBFC1FC5-71. A4-4. F7B-9. ACA-3. B9A503104A0Other/cannot defer:Maximum deferral: No deferralDeferral increment: No deferralUpdate type/notes:Any update category not specifically enumerated above falls into this category. - Definition Update - E0789628-CE08-4437-BE74-2495. B842F43B - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-4]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferUpgrade | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | DeferUpdatePeriodId | - - - - - - - - - -## DeferUpgradePeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod -``` - - - - -> [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-8]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferUpgrade | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | DeferUpgradePeriodId | - - - - - - - - - -## DetectionFrequency - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DetectionFrequency -``` - - - - -Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - - -> [!NOTE] -> There is a random variant of 0-4 hours applied to the scan frequency, which cannot be configured. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[1-22]` | -| Default Value | 22 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DetectionFrequency_Title | -| Friendly Name | Automatic Updates detection frequency | -| Element Name | interval (hours) | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - -## DisableDualScan +### DisableDualScan | Scope | Editions | Applicable OS | @@ -1665,122 +3205,8 @@ If this policy is disabled or not configured, then the Windows Update client may - -## DisableWUfBSafeguards - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards -``` - - - - -This policy setting specifies that a Windows Update for Business device should skip safeguards. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. | -| 1 | Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. | - - - - - - - - - -## DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18818] and later
    :heavy_check_mark: Windows 10, version 1607 [10.0.14393.4169] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063.2108] and later
    :heavy_check_mark: Windows 10, version 1709 [10.0.16299.2166] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1967] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1697] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1316] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1316] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.746] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.746] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection -``` - - - - -Do not enforce TLS certificate pinning for Windows Update client for detecting updates. - - - - -> [!NOTE] -> To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Element Name | Do not enforce TLS certificate pinning for Windows Update client for detecting updates. | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - -## EngagedRestartDeadline +### EngagedRestartDeadline | Scope | Editions | Applicable OS | @@ -1836,7 +3262,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic -## EngagedRestartDeadlineForFeatureUpdates +### EngagedRestartDeadlineForFeatureUpdates | Scope | Editions | Applicable OS | @@ -1892,7 +3318,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic -## EngagedRestartSnoozeSchedule +### EngagedRestartSnoozeSchedule | Scope | Editions | Applicable OS | @@ -1948,7 +3374,7 @@ For Quality Updates, this policy specifies the number of days a user can snooze -## EngagedRestartSnoozeScheduleForFeatureUpdates +### EngagedRestartSnoozeScheduleForFeatureUpdates | Scope | Editions | Applicable OS | @@ -2004,7 +3430,7 @@ For Feature Updates, this policy specifies the number of days a user can snooze -## EngagedRestartTransitionSchedule +### EngagedRestartTransitionSchedule | Scope | Editions | Applicable OS | @@ -2074,7 +3500,7 @@ Enabling any of the following policies will override the above policy: -## EngagedRestartTransitionScheduleForFeatureUpdates +### EngagedRestartTransitionScheduleForFeatureUpdates | Scope | Editions | Applicable OS | @@ -2129,1343 +3555,8 @@ For Feature Updates, this policy specifies the timing before transitioning from - -## ExcludeWUDriversInQualityUpdate - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ExcludeWUDriversInQualityUpdate -``` - - - - -Enable this policy to not include drivers with Windows quality updates. - -- If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Allow Windows Update drivers. | -| 1 | Exclude Windows Update drivers. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ExcludeWUDriversInQualityUpdate | -| Friendly Name | Do not include drivers with Windows Updates | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| Registry Value Name | ExcludeWUDriversInQualityUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## FillEmptyContentUrls - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/FillEmptyContentUrls -``` - - - - -Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL) - -> [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Element Name | Download files with no Url in the metadata if alternate download server is set. | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## IgnoreMOAppDownloadLimit - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOAppDownloadLimit -``` - - - - -Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in [TShell](/windows-hardware/manufacture/desktop/factoryos/connect-using-tshell): - - ```TShell - exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' - ``` - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Do not ignore MO download limit for apps and their updates. | -| 1 | Ignore MO download limit (allow unlimited downloading) for apps and their updates. | - - - - - - - - - -## IgnoreMOUpdateDownloadLimit - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOUpdateDownloadLimit -``` - - - - -Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - - - - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: - - ```TShell - exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' - ``` - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Do not ignore MO download limit for OS updates. | -| 1 | Ignore MO download limit (allow unlimited downloading) for OS updates. | - - - - - - - - - -## ManagePreviewBuilds - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ManagePreviewBuilds -``` - - - - -Used to manage Windows 10 Insider Preview builds. Value type is integer. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 3 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disable Preview builds. | -| 1 | Disable Preview builds once the next release is public. | -| 2 | Enable Preview builds. | -| 3 (Default) | Preview builds is left to user selection. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ManagePreviewBuilds | -| Friendly Name | Manage preview builds | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## NoUpdateNotificationsDuringActiveHours - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/NoUpdateNotificationsDuringActiveHours -``` - - - - -When enabled, notifications will only be disabled during active hours. Takes effect only if Update/UpdateNotificationLevel is configured to 1 or 2. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. - - - - -> [!NOTE] -> This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. If no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | NoUpdateNotificationsDuringActiveHours | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | NoUpdateNotificationsDuringActiveHours | - - - - - - - - - -## PauseDeferrals - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/PauseDeferrals -``` - - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Deferrals are not paused. | -| 1 | Deferrals are paused. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferUpgrade | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | PauseDeferralsId | - - - - - - - - - -## PauseFeatureUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdates -``` - - - - -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to pause Feature Updates for up to 60 days. - - - - -> [!NOTE] -> We recommend that you use the Update/PauseFeatureUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Feature Updates are not paused. | -| 1 | Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferFeatureUpdates | -| Friendly Name | Select when Preview Builds and Feature Updates are received | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## PauseFeatureUpdatesStartTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/PauseFeatureUpdatesStartTime -``` - - - - -Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferFeatureUpdates | -| Friendly Name | Select when Preview Builds and Feature Updates are received | -| Element Name | Pause Preview Builds or Feature Updates starting | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## PauseQualityUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates -``` - - - - -Allows IT Admins to pause Quality Updates. - - - - -> [!NOTE] -> We recommend that you use the Update/PauseQualityUpdatesStartTime policy, if you're running Windows 10, version 1703 or later. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Quality Updates are not paused. | -| 1 | Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferQualityUpdates | -| Friendly Name | Select when Quality Updates are received | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## PauseQualityUpdatesStartTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/PauseQualityUpdatesStartTime -``` - - - - -Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. - - - - -> [!NOTE] -> When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferQualityUpdates | -| Friendly Name | Select when Quality Updates are received | -| Element Name | Pause Quality Updates starting | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## PhoneUpdateRestrictions - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/PhoneUpdateRestrictions -``` - - - - -This policy is deprecated. Use Update/RequireUpdateApproval instead. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-4]` | -| Default Value | 4 | - - - - - - - - - -## ProductVersion - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
    :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
    :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ProductVersion -``` - - - - -Enables IT administrators to specify the product version associated with the target feature update they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows release information. - - - - -Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". By using this Windows Update for Business policy to upgrade devices to a new product (for example, Windows 11) you're agreeing that when applying this operating system to a device: - -1. The applicable Windows license was purchased through volume licensing, or -2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms found here: . - -> [!NOTE] -> If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ProductVersion | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat > DeferUpdateCat | -| Element Name | ProductVersionId | - - - - - - - - - -## RequireDeferUpgrade - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade -``` - - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | User gets upgrades from Semi-Annual Channel (Targeted). | -| 1 | User gets upgrades from Semi-Annual Channel. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferUpgrade | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | DeferUpgradePeriodId | - - - - - - - - - -## RequireUpdateApproval - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval -``` - - - - -> [!NOTE] -> If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. Supported operations are Get and Replace. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Not configured. The device installs all applicable updates. | -| 1 | The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. | - - - - - - - - - -## ScheduledInstallDay - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallDay -``` - - - - -Enables the IT admin to schedule the day of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. - - - - -> [!NOTE] -> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Every day. | -| 1 | Sunday. | -| 2 | Monday. | -| 3 | Tuesday. | -| 4 | Wednesday. | -| 5 | Thursday. | -| 6 | Friday. | -| 7 | Saturday. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | Scheduled install day | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ScheduledInstallEveryWeek - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallEveryWeek -``` - - - - -Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every week - - - - -> [!NOTE] -> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | No update in the schedule. | -| 1 (Default) | Update is scheduled every week. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | Every week | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ScheduledInstallFirstWeek - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFirstWeek -``` - - - - -Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every first week of the month - - - - -> [!NOTE] -> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | No update in the schedule. | -| 1 | Update is scheduled every first week of the month. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | First week of the month | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ScheduledInstallFourthWeek - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallFourthWeek -``` - - - - -Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every fourth week of the month - - - - -> [!NOTE] -> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | No update in the schedule. | -| 1 | Update is scheduled every fourth week of the month. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | Fourth week of the month | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ScheduledInstallSecondWeek - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallSecondWeek -``` - - - - -Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every second week of the month - - - - -> [!NOTE] -> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | No update in the schedule. | -| 1 | Update is scheduled every second week of the month. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | Second week of the month | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ScheduledInstallThirdWeek - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallThirdWeek -``` - - - - -Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:0 - no update in the schedule1 - update is scheduled every third week of the month - - - - -> [!NOTE] -> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | No update in the schedule. | -| 1 | Update is scheduled every third week of the month. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | Third week of the month | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## ScheduledInstallTime - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduledInstallTime -``` - - - - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile EnterpriseEnables the IT admin to schedule the time of the update installation. The data type is a integer. Supported operations are Add, Delete, Get, and Replace. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. - - - - -> [!NOTE] -> -> - This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation. -> - There is a window of approximately 30 minutes to allow for higher success rates of installation. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-23]` | -| Default Value | 3 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoUpdateCfg | -| Friendly Name | Configure Automatic Updates | -| Element Name | Scheduled install time | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate\AU | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - -## ScheduleImminentRestartWarning +### ScheduleImminentRestartWarning | Scope | Editions | Applicable OS | @@ -3529,7 +3620,7 @@ Allows the IT Admin to specify the period for auto-restart imminent warning noti -## ScheduleRestartWarning +### ScheduleRestartWarning | Scope | Editions | Applicable OS | @@ -3601,7 +3692,7 @@ You can specify the amount of time prior to a scheduled restart to notify the us -## SetAutoRestartNotificationDisable +### SetAutoRestartNotificationDisable | Scope | Editions | Applicable OS | @@ -3662,98 +3753,153 @@ Allows the IT Admin to disable auto-restart notifications for update installatio - -## SetDisablePauseUXAccess +## Maintenance Scheduler - + +### AutomaticMaintenanceWakeUp + + | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + - + ```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetDisablePauseUXAccess +./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp ``` - + - + -This setting allows to remove access to "Pause updates" feature. +This policy setting allows you to configure Automatic Maintenance wake up policy. -Once enabled user access to pause updates is removed. - +The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - +- If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. + +- If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - +| Default Value | 1 | + - + **Allowed values**: | Value | Description | |:--|:--| -| 1 | Enable. | -| 0 (Default) | Disable. | - +| 0 | Disabled. | +| 1 (Default) | Enabled. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | DisablePauseUXAccess | -| Friendly Name | Remove access to "Pause updates" feature | +| Name | WakeUpPolicy | +| Friendly Name | Automatic Maintenance WakeUp Policy | | Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| Registry Value Name | SetDisablePauseUXAccess | -| ADMX File Name | WindowsUpdate.admx | - +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| Registry Value Name | WakeUp | +| ADMX File Name | msched.admx | + - + - + - + - -## SetDisableUXWUAccess +## Other policies - + +### AllowNonMicrosoftSignedUpdate + + | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + - + ```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetDisableUXWUAccess +./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate ``` - + - - -This setting allows you to remove access to scan Windows Update. + + +Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + -- If you enable this setting user access to Windows Update scan, download and install is removed. - - - + - + - + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. | +| 1 (Default) | Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer. | + + + + + + + + + +### ConfigureDeadlineNoAutoRebootForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates +``` + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + **Description framework properties**: | Property name | Property value | @@ -3761,499 +3907,58 @@ This setting allows you to remove access to scan Windows Update. | Format | int | | Access Type | Add, Delete, Get, Replace | | Default Value | 0 | - + - + **Allowed values**: | Value | Description | |:--|:--| | 0 (Default) | Disabled. | | 1 | Enabled. | - + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | DisableUXWUAccess | -| Friendly Name | Remove access to use all Windows Update features | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| Registry Value Name | SetDisableUXWUAccess | -| ADMX File Name | WindowsUpdate.admx | - +| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | + - + - + - + - -## SetEDURestart + +### ConfigureDeadlineNoAutoRebootForQualityUpdates - + | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + - + ```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetEDURestart +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates ``` - + - - -Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the scheduled install time. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Not configured. | -| 1 | Configured. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | SetEDURestart | -| Friendly Name | Update Power Policy for Cart Restarts | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| Registry Value Name | SetEDURestart | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## SetPolicyDrivenUpdateSourceForDriverUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForDriverUpdates -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Detect, download and deploy Driver Updates from Windows Update. | -| 1 (Default) | Detect, download and deploy Driver Updates from Windows Server Update Services (WSUS). | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## SetPolicyDrivenUpdateSourceForFeatureUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForFeatureUpdates -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Detect, download and deploy Feature Updates from Windows Update. | -| 1 (Default) | Detect, download and deploy Feature Updates from Windows Server Update Services (WSUS). | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## SetPolicyDrivenUpdateSourceForOtherUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForOtherUpdates -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Detect, download and deploy other Updates from Windows Update. | -| 1 (Default) | Detect, download and deploy other Updates from Windows Server Update Services (WSUS). | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## SetPolicyDrivenUpdateSourceForQualityUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetPolicyDrivenUpdateSourceForQualityUpdates -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Detect, download and deploy Quality Updates from Windows Update. | -| 1 (Default) | Detect, download and deploy Quality Updates from Windows Server Update Services (WSUS). | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## SetProxyBehaviorForUpdateDetection - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240.18696] and later
    :heavy_check_mark: Windows 10, version 1607 [10.0.14393.3930] and later
    :heavy_check_mark: Windows 10, version 1703 [10.0.15063.2500] and later
    :heavy_check_mark: Windows 10, version 1709 [10.0.16299.2107] and later
    :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1726] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1457] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1082] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1082] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.508] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetProxyBehaviorForUpdateDetection -``` - - - - -Select the proxy behavior for Windows Update client for detecting updates - - - - -By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents. - -This policy setting doesn't impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. - -> [!NOTE] -> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Only use system proxy for detecting updates (default). | -| 1 | Allow user proxy to be used as a fallback if detection using system proxy fails. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Element Name | Select the proxy behavior for Windows Update client for detecting updates | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## TargetReleaseVersion - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1488] and later
    :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1217] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.836] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.836] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/TargetReleaseVersion -``` - - - + -Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see Windows 10 release information. - +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. + - + - + - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | TargetReleaseVersion | -| Friendly Name | Select the target Feature Update version | -| Element Name | Target Version for Feature Updates | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Update | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -## UpdateNotificationLevel - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/UpdateNotificationLevel -``` - - - - -0 (default) - Use the default Windows Update notifications -1 - Turn off all notifications, excluding restart warnings -2 - Turn off all notifications, including restart warnings - -This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. - -**Important** if you choose not to get update notifications and also define other Group policy so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. - -If you select "Apply only during active hours" in conjunction with Option 1 or 2, then notifications will only be disabled during active hours. You can set active hours by setting "Turn off auto-restart for updates during active hours" or allow the device to set active hours based on user behavior. To ensure that the device stays secure, a notification will still be shown if this option is selected once "Specify deadlines for automatic updates and restarts" deadline has been reached if configured, regardless of active hours. - - - - - - - + **Description framework properties**: | Property name | Property value | @@ -4261,148 +3966,603 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2 | Format | int | | Access Type | Add, Delete, Get, Replace | | Default Value | 0 | - + - + **Allowed values**: | Value | Description | |:--|:--| -| 0 (Default) | Use the default Windows Update notifications. | -| 1 | Turn off all notifications, excluding restart warnings. | -| 2 | Turn off all notifications, including restart warnings. | - +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | UpdateNotificationLevel | -| Friendly Name | Display options for update notifications | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage end user experience | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| Registry Value Name | SetUpdateNotificationLevel | -| ADMX File Name | WindowsUpdate.admx | - +| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | + - + - + - + - -## UpdateServiceUrl + +### ConfigureFeatureUpdateUninstallPeriod - + | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + - + ```Device -./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod ``` - + - + -> [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. Supported operations are Get and Replace. - +Enable enterprises/IT admin to configure feature update uninstall period + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | chr (string) | +| Format | int | | Access Type | Add, Delete, Get, Replace | -| Default Value | CorpWSUS | - +| Allowed Values | Range: `[2-60]` | +| Default Value | 10 | + - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Element Name | Set the intranet update service for detecting updates | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - + - + - + - -## UpdateServiceUrlAlternate + +### DeferUpdatePeriod - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrlAlternate +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod ``` - + - + -Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two server name values the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. Value type is string and the default value is an empty string, . If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet + -> [!NOTE] -> If the Configure Automatic Updates Group Policy is disabled, then this policy has no effect. If the Alternate Download Server Group Policy is not set, it will use the WSUS server by default to download updates. This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - + - +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - +Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. + +- If the **Specify intranet Microsoft update service location** policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +OS upgrade: + +- Maximum deferral: Eight months +- Deferral increment: One month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 + +Update: + +- Maximum deferral: One month +- Deferral increment: One week +- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +Other/can't defer: + +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | chr (string) | +| Format | int | | Access Type | Add, Delete, Get, Replace | - +| Allowed Values | Range: `[0-4]` | +| Default Value | 0 | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | CorpWuURL | -| Friendly Name | Specify intranet Microsoft update service location | -| Element Name | Set the alternate download server | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Manage updates offered from Windows Server Update Service | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpdatePeriodId | + - + - + - + + + +### DeferUpgradePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod +``` + + + + +Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-8]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + + + + + + + + + +### DisableWUfBSafeguards + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards +``` + + + + +This policy setting specifies that a Windows Update for Business device should skip safeguards. + + + + +Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. + +IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the **Disable safeguards for Feature Updates** Group Policy. + +> [!NOTE] +> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. +> +> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. +> +> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. | +| 1 | Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. | + + + + + + + + + +### IgnoreMOAppDownloadLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOAppDownloadLimit +``` + + + + +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + + +To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in [TShell](/windows-hardware/manufacture/desktop/factoryos/connect-using-tshell): + + ```TShell + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + ``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not ignore MO download limit for apps and their updates. | +| 1 | Ignore MO download limit (allow unlimited downloading) for apps and their updates. | + + + + + + + + + +### IgnoreMOUpdateDownloadLimit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/IgnoreMOUpdateDownloadLimit +``` + + + + +Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + + + + +To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: + + ```TShell + exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' + ``` + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Do not ignore MO download limit for OS updates. | +| 1 | Ignore MO download limit (allow unlimited downloading) for OS updates. | + + + + + + + + + +### PauseDeferrals + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PauseDeferrals +``` + + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Deferrals are not paused. | +| 1 | Deferrals are paused. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | PauseDeferralsId | + + + + + + + + + +### PhoneUpdateRestrictions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/PhoneUpdateRestrictions +``` + + + + +This policy is deprecated. Use Update/RequireUpdateApproval instead. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4]` | +| Default Value | 4 | + + + + + + + + + +### RequireDeferUpgrade + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade +``` + + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User gets upgrades from Semi-Annual Channel (Targeted). | +| 1 | User gets upgrades from Semi-Annual Channel. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + + + + + + + + + +### RequireUpdateApproval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval +``` + + + + +> [!NOTE] +> If you previously used the Update/PhoneUpdateRestrictions policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not configured. The device installs all applicable updates. | +| 1 | The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. | + + + + + + + From 69fc6b84f610eece8b2c80ad93802d83437e9854 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 17 Jan 2023 16:29:13 -0500 Subject: [PATCH 135/152] Updates to Update CSP --- .../mdm/policy-csp-update.md | 107 +++++++++++++++--- 1 file changed, 89 insertions(+), 18 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index b4148eeeb1..3653bc7a0f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3221,9 +3221,23 @@ If this policy is disabled or not configured, then the Windows Update client may - -For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. Note. If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). -- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. + +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. + +- If you disable or do not configure this policy, the PC will restart following the default schedule. + +Enabling any of the following policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time + +3. Specify deadline before auto-restart for update installation @@ -3277,9 +3291,23 @@ For Quality Updates, this policy specifies the deadline in days before automatic - -For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. Value type is integer. Default is 14. Supported value range: 2 - 30. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e. g. pending user scheduling). -- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. + +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. + +- If you disable or do not configure this policy, the PC will restart following the default schedule. + +Enabling any of the following policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time + +3. Specify deadline before auto-restart for update installation @@ -3333,9 +3361,23 @@ For Feature Updates, this policy specifies the deadline in days before automatic - -For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. -- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. + +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. + +- If you disable or do not configure this policy, the PC will restart following the default schedule. + +Enabling any of the following policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time + +3. Specify deadline before auto-restart for update installation @@ -3389,9 +3431,23 @@ For Quality Updates, this policy specifies the number of days a user can snooze - -For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. Value type is integer. Default is 3 days. Supported value range: 1 - 3. -- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. + +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. + +- If you disable or do not configure this policy, the PC will restart following the default schedule. + +Enabling any of the following policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time + +3. Specify deadline before auto-restart for update installation @@ -3445,7 +3501,7 @@ For Feature Updates, this policy specifies the number of days a user can snooze - + Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. @@ -3515,9 +3571,23 @@ Enabling any of the following policies will override the above policy: - -For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. Value type is integer. Default value is 7 days. Supported value range: 2 - 30. -- If you disable or do not configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect:No auto-restart with logged on users for scheduled automatic updates installationsAlways automatically restart at scheduled timeSpecify deadline before auto-restart for update installation + +Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart becomes pending. + +You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. + +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. + +If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. + +- If you disable or do not configure this policy, the PC will restart following the default schedule. + +Enabling any of the following policies will override the above policy: + +1. No auto-restart with logged on users for scheduled automatic updates installations +2. Always automatically restart at scheduled time + +3. Specify deadline before auto-restart for update installation @@ -4050,7 +4120,7 @@ Enable enterprises/IT admin to configure feature update uninstall period - + @@ -4138,7 +4208,8 @@ Other/can't defer: -Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. From 086777dca6583370bbf309f74b3d5118d9dc225b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 17 Jan 2023 17:27:39 -0500 Subject: [PATCH 136/152] Updates to Update CSP --- .../mdm/policy-csp-update.md | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3653bc7a0f..8a1202686d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -20,6 +20,88 @@ ms.topic: reference +Update CSP Policies are listed below based on the group policy area: + +- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) + - [BranchReadinessLevel](#branchreadinesslevel) + - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays) + - [DeferQualityUpdatesPeriodInDays](#deferqualityupdatesperiodindays) + - [ExcludeWUDriversInQualityUpdate](#excludewudriversinqualityupdate) + - [ManagePreviewBuilds](#managepreviewbuilds) + - [PauseFeatureUpdates](#pausefeatureupdates) + - [PauseFeatureUpdatesStartTime](#pausefeatureupdatesstarttime) + - [PauseQualityUpdates](#pausequalityupdates) + - [PauseQualityUpdatesStartTime](#pausequalityupdatesstarttime) + - [ProductVersion](#productversion) + - [TargetReleaseVersion](#targetreleaseversion) +- [Manage updates offered from Windows Server Update Service](#manage-updates-offered-from-windows-server-update-service) + - [AllowUpdateService](#allowupdateservice) + - [DetectionFrequency](#detectionfrequency) + - [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](#donotenforceenterprisetlscertpinningforupdatedetection) + - [FillEmptyContentUrls](#fillemptycontenturls) + - [SetPolicyDrivenUpdateSourceForDriverUpdates](#setpolicydrivenupdatesourcefordriverupdates) + - [SetPolicyDrivenUpdateSourceForFeatureUpdates](#setpolicydrivenupdatesourceforfeatureupdates) + - [SetPolicyDrivenUpdateSourceForOtherUpdates](#setpolicydrivenupdatesourceforotherupdates) + - [SetPolicyDrivenUpdateSourceForQualityUpdates](#setpolicydrivenupdatesourceforqualityupdates) + - [SetProxyBehaviorForUpdateDetection](#setproxybehaviorforupdatedetection) + - [UpdateServiceUrl](#updateserviceurl) + - [UpdateServiceUrlAlternate](#updateserviceurlalternate) +- [Manage end user experience](#manage-end-user-experience) + - [ActiveHoursEnd](#activehoursend) + - [ActiveHoursMaxRange](#activehoursmaxrange) + - [ActiveHoursStart](#activehoursstart) + - [AllowAutoUpdate](#allowautoupdate) + - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](#allowautowindowsupdatedownloadovermeterednetwork) + - [AllowMUUpdateService](#allowmuupdateservice) + - [ConfigureDeadlineForFeatureUpdates](#configuredeadlineforfeatureupdates) + - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates) + - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod) + - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates) + - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot) + - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours) + - [ScheduledInstallDay](#scheduledinstallday) + - [ScheduledInstallEveryWeek](#scheduledinstalleveryweek) + - [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) + - [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) + - [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + - [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) + - [ScheduledInstallTime](#scheduledinstalltime) + - [SetDisablePauseUXAccess](#setdisablepauseuxaccess) + - [SetDisableUXWUAccess](#setdisableuxwuaccess) + - [SetEDURestart](#setedurestart) + - [UpdateNotificationLevel](#updatenotificationlevel) +- [Legacy Policies](#legacy-policies) + - [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays) + - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates) + - [AutoRestartNotificationSchedule](#autorestartnotificationschedule) + - [AutoRestartRequiredNotificationDismissal](#autorestartrequirednotificationdismissal) + - [DisableDualScan](#disabledualscan) + - [EngagedRestartDeadline](#engagedrestartdeadline) + - [EngagedRestartDeadlineForFeatureUpdates](#engagedrestartdeadlineforfeatureupdates) + - [EngagedRestartSnoozeSchedule](#engagedrestartsnoozeschedule) + - [EngagedRestartSnoozeScheduleForFeatureUpdates](#engagedrestartsnoozescheduleforfeatureupdates) + - [EngagedRestartTransitionSchedule](#engagedrestarttransitionschedule) + - [EngagedRestartTransitionScheduleForFeatureUpdates](#engagedrestarttransitionscheduleforfeatureupdates) + - [ScheduleImminentRestartWarning](#scheduleimminentrestartwarning) + - [ScheduleRestartWarning](#schedulerestartwarning) + - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable) +- [Maintenance Scheduler](#maintenance-scheduler) + - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup) +- [Other policies](#other-policies) + - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate) + - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) + - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) + - [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod) + - [DeferUpdatePeriod](#deferupdateperiod) + - [DeferUpgradePeriod](#deferupgradeperiod) + - [DisableWUfBSafeguards](#disablewufbsafeguards) + - [IgnoreMOAppDownloadLimit](#ignoremoappdownloadlimit) + - [IgnoreMOUpdateDownloadLimit](#ignoremoupdatedownloadlimit) + - [PauseDeferrals](#pausedeferrals) + - [PhoneUpdateRestrictions](#phoneupdaterestrictions) + - [RequireDeferUpgrade](#requiredeferupgrade) + - [RequireUpdateApproval](#requireupdateapproval) + ## Manage updates offered from Windows Update From 745e263f5e13072fe1aad489a3129e9e20a02e73 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 17 Jan 2023 17:44:20 -0500 Subject: [PATCH 137/152] More Update CSP updates --- windows/client-management/mdm/policy-csp-update.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8a1202686d..d426896468 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -20,7 +20,7 @@ ms.topic: reference -Update CSP Policies are listed below based on the group policy area: +Update CSP policies are listed below based on the group policy area: - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) - [BranchReadinessLevel](#branchreadinesslevel) @@ -4289,13 +4289,13 @@ Other/can't defer: - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + +Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. @@ -4474,7 +4474,7 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in [TShell](/windows-hardware/manufacture/desktop/factoryos/connect-using-tshell): ```TShell exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' @@ -4524,7 +4524,7 @@ To validate this policy: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. @@ -4625,7 +4625,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead. > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in Changes in Windows 10, version 1607 for update management. You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train. From 191db7487fff476762e62c85798f5104e9f32f04 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 17 Jan 2023 18:07:15 -0500 Subject: [PATCH 138/152] Update CSP --- .../mdm/policy-csp-update.md | 125 +++++++++--------- 1 file changed, 64 insertions(+), 61 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d426896468..04f5d87e6b 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -23,70 +23,70 @@ ms.topic: reference Update CSP policies are listed below based on the group policy area: - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) - - [BranchReadinessLevel](#branchreadinesslevel) - - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays) - - [DeferQualityUpdatesPeriodInDays](#deferqualityupdatesperiodindays) - - [ExcludeWUDriversInQualityUpdate](#excludewudriversinqualityupdate) - - [ManagePreviewBuilds](#managepreviewbuilds) - - [PauseFeatureUpdates](#pausefeatureupdates) - - [PauseFeatureUpdatesStartTime](#pausefeatureupdatesstarttime) - - [PauseQualityUpdates](#pausequalityupdates) - - [PauseQualityUpdatesStartTime](#pausequalityupdatesstarttime) - - [ProductVersion](#productversion) - - [TargetReleaseVersion](#targetreleaseversion) + - [BranchReadinessLevel](#branchreadinesslevel) (Select when Preview Builds and Feature Updates are received) + - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays) (Select when Preview Builds and Feature Updates are received) + - [DeferQualityUpdatesPeriodInDays](#deferqualityupdatesperiodindays) (Select when Quality Updates are received) + - [ExcludeWUDriversInQualityUpdate](#excludewudriversinqualityupdate) (Do not include drivers with Windows Updates) + - [ManagePreviewBuilds](#managepreviewbuilds) (Manage preview builds) + - [PauseFeatureUpdates](#pausefeatureupdates) (Select when Preview Builds and Feature Updates are received) + - [PauseFeatureUpdatesStartTime](#pausefeatureupdatesstarttime) (Select when Preview Builds and Feature Updates are received) + - [PauseQualityUpdates](#pausequalityupdates) (Select when Quality Updates are received) + - [PauseQualityUpdatesStartTime](#pausequalityupdatesstarttime) (Select when Quality Updates are received) + - [ProductVersion](#productversion) (Select the target Feature Update version) + - [TargetReleaseVersion](#targetreleaseversion) (Select the target Feature Update version) - [Manage updates offered from Windows Server Update Service](#manage-updates-offered-from-windows-server-update-service) - - [AllowUpdateService](#allowupdateservice) - - [DetectionFrequency](#detectionfrequency) - - [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](#donotenforceenterprisetlscertpinningforupdatedetection) - - [FillEmptyContentUrls](#fillemptycontenturls) - - [SetPolicyDrivenUpdateSourceForDriverUpdates](#setpolicydrivenupdatesourcefordriverupdates) - - [SetPolicyDrivenUpdateSourceForFeatureUpdates](#setpolicydrivenupdatesourceforfeatureupdates) - - [SetPolicyDrivenUpdateSourceForOtherUpdates](#setpolicydrivenupdatesourceforotherupdates) - - [SetPolicyDrivenUpdateSourceForQualityUpdates](#setpolicydrivenupdatesourceforqualityupdates) - - [SetProxyBehaviorForUpdateDetection](#setproxybehaviorforupdatedetection) - - [UpdateServiceUrl](#updateserviceurl) - - [UpdateServiceUrlAlternate](#updateserviceurlalternate) + - [AllowUpdateService](#allowupdateservice) (Specify intranet Microsoft update service location) + - [DetectionFrequency](#detectionfrequency) (Automatic Updates detection frequency) + - [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](#donotenforceenterprisetlscertpinningforupdatedetection) (Specify intranet Microsoft update service location) + - [FillEmptyContentUrls](#fillemptycontenturls) (Specify intranet Microsoft update service location) + - [SetPolicyDrivenUpdateSourceForDriverUpdates](#setpolicydrivenupdatesourcefordriverupdates) (Specify intranet Microsoft update service location) + - [SetPolicyDrivenUpdateSourceForFeatureUpdates](#setpolicydrivenupdatesourceforfeatureupdates) (Specify intranet Microsoft update service location) + - [SetPolicyDrivenUpdateSourceForOtherUpdates](#setpolicydrivenupdatesourceforotherupdates) (Specify intranet Microsoft update service location) + - [SetPolicyDrivenUpdateSourceForQualityUpdates](#setpolicydrivenupdatesourceforqualityupdates) (Specify intranet Microsoft update service location) + - [SetProxyBehaviorForUpdateDetection](#setproxybehaviorforupdatedetection) (Specify intranet Microsoft update service location) + - [UpdateServiceUrl](#updateserviceurl) (Specify intranet Microsoft update service location) + - [UpdateServiceUrlAlternate](#updateserviceurlalternate) (Specify intranet Microsoft update service location) - [Manage end user experience](#manage-end-user-experience) - - [ActiveHoursEnd](#activehoursend) - - [ActiveHoursMaxRange](#activehoursmaxrange) - - [ActiveHoursStart](#activehoursstart) - - [AllowAutoUpdate](#allowautoupdate) - - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](#allowautowindowsupdatedownloadovermeterednetwork) - - [AllowMUUpdateService](#allowmuupdateservice) - - [ConfigureDeadlineForFeatureUpdates](#configuredeadlineforfeatureupdates) - - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates) - - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod) - - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates) - - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot) - - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours) - - [ScheduledInstallDay](#scheduledinstallday) - - [ScheduledInstallEveryWeek](#scheduledinstalleveryweek) - - [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) - - [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) - - [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) - - [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) - - [ScheduledInstallTime](#scheduledinstalltime) - - [SetDisablePauseUXAccess](#setdisablepauseuxaccess) - - [SetDisableUXWUAccess](#setdisableuxwuaccess) - - [SetEDURestart](#setedurestart) - - [UpdateNotificationLevel](#updatenotificationlevel) + - [ActiveHoursEnd](#activehoursend) (Turn off auto-restart for updates during active hours) + - [ActiveHoursMaxRange](#activehoursmaxrange) (Specify active hours range for auto-restarts) + - [ActiveHoursStart](#activehoursstart) (Turn off auto-restart for updates during active hours) + - [AllowAutoUpdate](#allowautoupdate) (Configure Automatic Updates) + - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](#allowautowindowsupdatedownloadovermeterednetwork) (Allow updates to be downloaded automatically over metered connections) + - [AllowMUUpdateService](#allowmuupdateservice) (Configure Automatic Updates) + - [ConfigureDeadlineForFeatureUpdates](#configuredeadlineforfeatureupdates) (Specify deadlines for automatic updates and restarts) + - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates) (Specify deadlines for automatic updates and restarts) + - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod) (Specify deadlines for automatic updates and restarts) + - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates) (Specify deadlines for automatic updates and restarts) + - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot) (Specify deadlines for automatic updates and restarts) + - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours) (Display options for update notifications) + - [ScheduledInstallDay](#scheduledinstallday) (Configure Automatic Updates) + - [ScheduledInstallEveryWeek](#scheduledinstalleveryweek) (Configure Automatic Updates) + - [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) (Configure Automatic Updates) + - [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) (Configure Automatic Updates) + - [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) (Configure Automatic Updates) + - [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) (Configure Automatic Updates) + - [ScheduledInstallTime](#scheduledinstalltime) (Configure Automatic Updates) + - [SetDisablePauseUXAccess](#setdisablepauseuxaccess) (Remove access to "Pause updates" feature) + - [SetDisableUXWUAccess](#setdisableuxwuaccess) (Remove access to use all Windows Update features) + - [SetEDURestart](#setedurestart) (Update Power Policy for Cart Restarts) + - [UpdateNotificationLevel](#updatenotificationlevel) (Display options for update notifications) - [Legacy Policies](#legacy-policies) - - [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays) - - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates) - - [AutoRestartNotificationSchedule](#autorestartnotificationschedule) - - [AutoRestartRequiredNotificationDismissal](#autorestartrequirednotificationdismissal) - - [DisableDualScan](#disabledualscan) - - [EngagedRestartDeadline](#engagedrestartdeadline) - - [EngagedRestartDeadlineForFeatureUpdates](#engagedrestartdeadlineforfeatureupdates) - - [EngagedRestartSnoozeSchedule](#engagedrestartsnoozeschedule) - - [EngagedRestartSnoozeScheduleForFeatureUpdates](#engagedrestartsnoozescheduleforfeatureupdates) - - [EngagedRestartTransitionSchedule](#engagedrestarttransitionschedule) - - [EngagedRestartTransitionScheduleForFeatureUpdates](#engagedrestarttransitionscheduleforfeatureupdates) - - [ScheduleImminentRestartWarning](#scheduleimminentrestartwarning) - - [ScheduleRestartWarning](#schedulerestartwarning) - - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable) + - [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays) (Specify deadline before auto-restart for update installation) + - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates) (Specify deadline before auto-restart for update installation) + - [AutoRestartNotificationSchedule](#autorestartnotificationschedule) (Configure auto-restart reminder notifications for updates) + - [AutoRestartRequiredNotificationDismissal](#autorestartrequirednotificationdismissal) (Configure auto-restart required notification for updates) + - [DisableDualScan](#disabledualscan) (Do not allow update deferral policies to cause scans against Windows Update) + - [EngagedRestartDeadline](#engagedrestartdeadline) (Specify Engaged restart transition and notification schedule for updates) + - [EngagedRestartDeadlineForFeatureUpdates](#engagedrestartdeadlineforfeatureupdates) (Specify Engaged restart transition and notification schedule for updates) + - [EngagedRestartSnoozeSchedule](#engagedrestartsnoozeschedule) (Specify Engaged restart transition and notification schedule for updates) + - [EngagedRestartSnoozeScheduleForFeatureUpdates](#engagedrestartsnoozescheduleforfeatureupdates) (Specify Engaged restart transition and notification schedule for updates) + - [EngagedRestartTransitionSchedule](#engagedrestarttransitionschedule) (Specify Engaged restart transition and notification schedule for updates) + - [EngagedRestartTransitionScheduleForFeatureUpdates](#engagedrestarttransitionscheduleforfeatureupdates) (Specify Engaged restart transition and notification schedule for updates) + - [ScheduleImminentRestartWarning](#scheduleimminentrestartwarning) (Configure auto-restart warning notifications schedule for updates) + - [ScheduleRestartWarning](#schedulerestartwarning) (Configure auto-restart warning notifications schedule for updates) + - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable) (Turn off auto-restart notifications for update installations) - [Maintenance Scheduler](#maintenance-scheduler) - - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup) + - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup) (Automatic Maintenance WakeUp Policy) - [Other policies](#other-policies) - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) @@ -4294,7 +4294,10 @@ Other/can't defer: -Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. + +- If the **Specify intranet Microsoft update service location** policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. From 8a8f371c2ffa48942f536625891b018c0baf7fb2 Mon Sep 17 00:00:00 2001 From: Subhash Sharma <101168840+subshar@users.noreply.github.com> Date: Wed, 18 Jan 2023 20:43:10 +0530 Subject: [PATCH 139/152] Replace 'without Intune' with 'using Intune' The text should say "disable WHfB enrollment using Intune". Steps for how to disable without Intune are in the next section. --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 004083bb85..1fa69a9a0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -47,7 +47,7 @@ We recommend that you disable or manage Windows Hello for Business provisioning ### Disable Windows Hello for Business using Intune Enrollment policy -The following method explains how to disable Windows Hello for Business enrollment without Intune. +The following method explains how to disable Windows Hello for Business enrollment using Intune. 1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. From 57dda95fd759e66fc065e3c2228168a683a2bc89 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 18 Jan 2023 11:43:28 -0500 Subject: [PATCH 140/152] More changes to Update CSP --- .../mdm/policies-in-policy-csp-admx-backed.md | 2 +- ...in-policy-csp-supported-by-group-policy.md | 2 +- .../mdm/policy-csp-update.md | 1499 ++++++++--------- 3 files changed, 750 insertions(+), 753 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 36696838f9..c45d67308a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/17/2023 +ms.date: 01/18/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 7c231966ef..b5b7fa8d91 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/17/2023 +ms.date: 01/18/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 04f5d87e6b..040028b422 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/17/2023 +ms.date: 01/18/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -22,88 +22,325 @@ ms.topic: reference Update CSP policies are listed below based on the group policy area: -- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) - - [BranchReadinessLevel](#branchreadinesslevel) (Select when Preview Builds and Feature Updates are received) - - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays) (Select when Preview Builds and Feature Updates are received) - - [DeferQualityUpdatesPeriodInDays](#deferqualityupdatesperiodindays) (Select when Quality Updates are received) - - [ExcludeWUDriversInQualityUpdate](#excludewudriversinqualityupdate) (Do not include drivers with Windows Updates) - - [ManagePreviewBuilds](#managepreviewbuilds) (Manage preview builds) - - [PauseFeatureUpdates](#pausefeatureupdates) (Select when Preview Builds and Feature Updates are received) - - [PauseFeatureUpdatesStartTime](#pausefeatureupdatesstarttime) (Select when Preview Builds and Feature Updates are received) - - [PauseQualityUpdates](#pausequalityupdates) (Select when Quality Updates are received) - - [PauseQualityUpdatesStartTime](#pausequalityupdatesstarttime) (Select when Quality Updates are received) - - [ProductVersion](#productversion) (Select the target Feature Update version) - - [TargetReleaseVersion](#targetreleaseversion) (Select the target Feature Update version) -- [Manage updates offered from Windows Server Update Service](#manage-updates-offered-from-windows-server-update-service) - - [AllowUpdateService](#allowupdateservice) (Specify intranet Microsoft update service location) - - [DetectionFrequency](#detectionfrequency) (Automatic Updates detection frequency) - - [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](#donotenforceenterprisetlscertpinningforupdatedetection) (Specify intranet Microsoft update service location) - - [FillEmptyContentUrls](#fillemptycontenturls) (Specify intranet Microsoft update service location) - - [SetPolicyDrivenUpdateSourceForDriverUpdates](#setpolicydrivenupdatesourcefordriverupdates) (Specify intranet Microsoft update service location) - - [SetPolicyDrivenUpdateSourceForFeatureUpdates](#setpolicydrivenupdatesourceforfeatureupdates) (Specify intranet Microsoft update service location) - - [SetPolicyDrivenUpdateSourceForOtherUpdates](#setpolicydrivenupdatesourceforotherupdates) (Specify intranet Microsoft update service location) - - [SetPolicyDrivenUpdateSourceForQualityUpdates](#setpolicydrivenupdatesourceforqualityupdates) (Specify intranet Microsoft update service location) - - [SetProxyBehaviorForUpdateDetection](#setproxybehaviorforupdatedetection) (Specify intranet Microsoft update service location) - - [UpdateServiceUrl](#updateserviceurl) (Specify intranet Microsoft update service location) - - [UpdateServiceUrlAlternate](#updateserviceurlalternate) (Specify intranet Microsoft update service location) -- [Manage end user experience](#manage-end-user-experience) - - [ActiveHoursEnd](#activehoursend) (Turn off auto-restart for updates during active hours) - - [ActiveHoursMaxRange](#activehoursmaxrange) (Specify active hours range for auto-restarts) - - [ActiveHoursStart](#activehoursstart) (Turn off auto-restart for updates during active hours) - - [AllowAutoUpdate](#allowautoupdate) (Configure Automatic Updates) - - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](#allowautowindowsupdatedownloadovermeterednetwork) (Allow updates to be downloaded automatically over metered connections) - - [AllowMUUpdateService](#allowmuupdateservice) (Configure Automatic Updates) - - [ConfigureDeadlineForFeatureUpdates](#configuredeadlineforfeatureupdates) (Specify deadlines for automatic updates and restarts) - - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates) (Specify deadlines for automatic updates and restarts) - - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod) (Specify deadlines for automatic updates and restarts) - - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates) (Specify deadlines for automatic updates and restarts) - - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot) (Specify deadlines for automatic updates and restarts) - - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours) (Display options for update notifications) - - [ScheduledInstallDay](#scheduledinstallday) (Configure Automatic Updates) - - [ScheduledInstallEveryWeek](#scheduledinstalleveryweek) (Configure Automatic Updates) - - [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) (Configure Automatic Updates) - - [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) (Configure Automatic Updates) - - [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) (Configure Automatic Updates) - - [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) (Configure Automatic Updates) - - [ScheduledInstallTime](#scheduledinstalltime) (Configure Automatic Updates) - - [SetDisablePauseUXAccess](#setdisablepauseuxaccess) (Remove access to "Pause updates" feature) - - [SetDisableUXWUAccess](#setdisableuxwuaccess) (Remove access to use all Windows Update features) - - [SetEDURestart](#setedurestart) (Update Power Policy for Cart Restarts) - - [UpdateNotificationLevel](#updatenotificationlevel) (Display options for update notifications) -- [Legacy Policies](#legacy-policies) - - [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays) (Specify deadline before auto-restart for update installation) - - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates) (Specify deadline before auto-restart for update installation) - - [AutoRestartNotificationSchedule](#autorestartnotificationschedule) (Configure auto-restart reminder notifications for updates) - - [AutoRestartRequiredNotificationDismissal](#autorestartrequirednotificationdismissal) (Configure auto-restart required notification for updates) - - [DisableDualScan](#disabledualscan) (Do not allow update deferral policies to cause scans against Windows Update) - - [EngagedRestartDeadline](#engagedrestartdeadline) (Specify Engaged restart transition and notification schedule for updates) - - [EngagedRestartDeadlineForFeatureUpdates](#engagedrestartdeadlineforfeatureupdates) (Specify Engaged restart transition and notification schedule for updates) - - [EngagedRestartSnoozeSchedule](#engagedrestartsnoozeschedule) (Specify Engaged restart transition and notification schedule for updates) - - [EngagedRestartSnoozeScheduleForFeatureUpdates](#engagedrestartsnoozescheduleforfeatureupdates) (Specify Engaged restart transition and notification schedule for updates) - - [EngagedRestartTransitionSchedule](#engagedrestarttransitionschedule) (Specify Engaged restart transition and notification schedule for updates) - - [EngagedRestartTransitionScheduleForFeatureUpdates](#engagedrestarttransitionscheduleforfeatureupdates) (Specify Engaged restart transition and notification schedule for updates) - - [ScheduleImminentRestartWarning](#scheduleimminentrestartwarning) (Configure auto-restart warning notifications schedule for updates) - - [ScheduleRestartWarning](#schedulerestartwarning) (Configure auto-restart warning notifications schedule for updates) - - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable) (Turn off auto-restart notifications for update installations) -- [Maintenance Scheduler](#maintenance-scheduler) - - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup) (Automatic Maintenance WakeUp Policy) -- [Other policies](#other-policies) - - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate) +- [Windows Insider Preview](#windows-insider-preview) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) +- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) + - [AllowNonMicrosoftSignedUpdate](#allownonmicrosoftsignedupdate) + - [AutomaticMaintenanceWakeUp](#automaticmaintenancewakeup) + - [BranchReadinessLevel](#branchreadinesslevel) + - [DeferFeatureUpdatesPeriodInDays](#deferfeatureupdatesperiodindays) + - [DeferQualityUpdatesPeriodInDays](#deferqualityupdatesperiodindays) + - [DisableWUfBSafeguards](#disablewufbsafeguards) + - [ExcludeWUDriversInQualityUpdate](#excludewudriversinqualityupdate) + - [ManagePreviewBuilds](#managepreviewbuilds) + - [PauseFeatureUpdates](#pausefeatureupdates) + - [PauseFeatureUpdatesStartTime](#pausefeatureupdatesstarttime) + - [PauseQualityUpdates](#pausequalityupdates) + - [PauseQualityUpdatesStartTime](#pausequalityupdatesstarttime) + - [ProductVersion](#productversion) + - [TargetReleaseVersion](#targetreleaseversion) +- [Manage updates offered from Windows Server Update Service](#manage-updates-offered-from-windows-server-update-service) + - [AllowUpdateService](#allowupdateservice) + - [DetectionFrequency](#detectionfrequency) + - [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](#donotenforceenterprisetlscertpinningforupdatedetection) + - [FillEmptyContentUrls](#fillemptycontenturls) + - [SetPolicyDrivenUpdateSourceForDriverUpdates](#setpolicydrivenupdatesourcefordriverupdates) + - [SetPolicyDrivenUpdateSourceForFeatureUpdates](#setpolicydrivenupdatesourceforfeatureupdates) + - [SetPolicyDrivenUpdateSourceForOtherUpdates](#setpolicydrivenupdatesourceforotherupdates) + - [SetPolicyDrivenUpdateSourceForQualityUpdates](#setpolicydrivenupdatesourceforqualityupdates) + - [SetProxyBehaviorForUpdateDetection](#setproxybehaviorforupdatedetection) + - [UpdateServiceUrl](#updateserviceurl) + - [UpdateServiceUrlAlternate](#updateserviceurlalternate) +- [Manage end user experience](#manage-end-user-experience) + - [ActiveHoursEnd](#activehoursend) + - [ActiveHoursMaxRange](#activehoursmaxrange) + - [ActiveHoursStart](#activehoursstart) + - [AllowAutoUpdate](#allowautoupdate) + - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](#allowautowindowsupdatedownloadovermeterednetwork) + - [AllowMUUpdateService](#allowmuupdateservice) + - [ConfigureDeadlineForFeatureUpdates](#configuredeadlineforfeatureupdates) + - [ConfigureDeadlineForQualityUpdates](#configuredeadlineforqualityupdates) + - [ConfigureDeadlineGracePeriod](#configuredeadlinegraceperiod) + - [ConfigureDeadlineGracePeriodForFeatureUpdates](#configuredeadlinegraceperiodforfeatureupdates) + - [ConfigureDeadlineNoAutoReboot](#configuredeadlinenoautoreboot) - [ConfigureFeatureUpdateUninstallPeriod](#configurefeatureupdateuninstallperiod) + - [NoUpdateNotificationsDuringActiveHours](#noupdatenotificationsduringactivehours) + - [ScheduledInstallDay](#scheduledinstallday) + - [ScheduledInstallEveryWeek](#scheduledinstalleveryweek) + - [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) + - [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) + - [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + - [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) + - [ScheduledInstallTime](#scheduledinstalltime) + - [SetDisablePauseUXAccess](#setdisablepauseuxaccess) + - [SetDisableUXWUAccess](#setdisableuxwuaccess) + - [SetEDURestart](#setedurestart) + - [UpdateNotificationLevel](#updatenotificationlevel) +- [Legacy Policies](#legacy-policies) + - [AutoRestartDeadlinePeriodInDays](#autorestartdeadlineperiodindays) + - [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#autorestartdeadlineperiodindaysforfeatureupdates) + - [AutoRestartNotificationSchedule](#autorestartnotificationschedule) + - [AutoRestartRequiredNotificationDismissal](#autorestartrequirednotificationdismissal) - [DeferUpdatePeriod](#deferupdateperiod) - [DeferUpgradePeriod](#deferupgradeperiod) - - [DisableWUfBSafeguards](#disablewufbsafeguards) + - [DisableDualScan](#disabledualscan) + - [EngagedRestartDeadline](#engagedrestartdeadline) + - [EngagedRestartDeadlineForFeatureUpdates](#engagedrestartdeadlineforfeatureupdates) + - [EngagedRestartSnoozeSchedule](#engagedrestartsnoozeschedule) + - [EngagedRestartSnoozeScheduleForFeatureUpdates](#engagedrestartsnoozescheduleforfeatureupdates) + - [EngagedRestartTransitionSchedule](#engagedrestarttransitionschedule) + - [EngagedRestartTransitionScheduleForFeatureUpdates](#engagedrestarttransitionscheduleforfeatureupdates) - [IgnoreMOAppDownloadLimit](#ignoremoappdownloadlimit) - [IgnoreMOUpdateDownloadLimit](#ignoremoupdatedownloadlimit) - [PauseDeferrals](#pausedeferrals) - [PhoneUpdateRestrictions](#phoneupdaterestrictions) - [RequireDeferUpgrade](#requiredeferupgrade) - [RequireUpdateApproval](#requireupdateapproval) + - [ScheduleImminentRestartWarning](#scheduleimminentrestartwarning) + - [ScheduleRestartWarning](#schedulerestartwarning) + - [SetAutoRestartNotificationDisable](#setautorestartnotificationdisable) + +## Windows Insider Preview + + +### ConfigureDeadlineNoAutoRebootForFeatureUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates +``` + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | + + + + + + + + + +### ConfigureDeadlineNoAutoRebootForQualityUpdates + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates +``` + + + + +When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | + + + + + + + ## Manage updates offered from Windows Update + +### AllowNonMicrosoftSignedUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate +``` + + + + +Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. | +| 1 (Default) | Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer. | + + + + + + + + + +### AutomaticMaintenanceWakeUp + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp +``` + + + + +This policy setting allows you to configure Automatic Maintenance wake up policy. + +The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. + +- If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. + +- If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | WakeUpPolicy | +| Friendly Name | Automatic Maintenance WakeUp Policy | +| Location | Computer Configuration | +| Path | Windows Components > Maintenance Scheduler | +| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | +| Registry Value Name | WakeUp | +| ADMX File Name | msched.admx | + + + + + + + + ### BranchReadinessLevel @@ -283,6 +520,65 @@ Defers Quality Updates for the specified number of days. Supported values are 0- + +### DisableWUfBSafeguards + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards +``` + + + + +This policy setting specifies that a Windows Update for Business device should skip safeguards. + + + + +Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. + +IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the **Disable safeguards for Feature Updates** Group Policy. + +> [!NOTE] +> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. +> +> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. +> +> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. | +| 1 | Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. | + + + + + + + + ### ExcludeWUDriversInQualityUpdate @@ -2162,6 +2458,47 @@ When enabled, devices will not automatically restart outside of active hours unt + +### ConfigureFeatureUpdateUninstallPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod +``` + + + + +Enable enterprises/IT admin to configure feature update uninstall period + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[2-60]` | +| Default Value | 10 | + + + + + + + + ### NoUpdateNotificationsDuringActiveHours @@ -3218,6 +3555,150 @@ The method can be set to require user action to dismiss the notification. + +### DeferUpdatePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod +``` + + + + + + + + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + +Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. + +- If the **Specify intranet Microsoft update service location** policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +OS upgrade: + +- Maximum deferral: Eight months +- Deferral increment: One month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 + +Update: + +- Maximum deferral: One month +- Deferral increment: One week +- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 + +Other/can't defer: + +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpdatePeriodId | + + + + + + + + + +### DeferUpgradePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod +``` + + + + + + + + +Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. + +- If the **Specify intranet Microsoft update service location** policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. +- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. + +> [!NOTE] +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-8]` | +| Default Value | 0 | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DeferUpgrade | +| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | +| Element Name | DeferUpgradePeriodId | + + + + + + + + ### DisableDualScan @@ -3707,688 +4188,6 @@ Enabling any of the following policies will override the above policy: - -### ScheduleImminentRestartWarning - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduleImminentRestartWarning -``` - - - - -Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 15 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 15 (Default) | 15 Minutes. | -| 30 | 30 Minutes. | -| 60 | 60 Minutes. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | RestartWarnRemind | -| Friendly Name | Configure auto-restart warning notifications schedule for updates | -| Element Name | Warning (mins) | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Legacy Policies | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -### ScheduleRestartWarning - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ScheduleRestartWarning -``` - - - - -Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed. - -Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user. - -You can specify the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work. - -- If you disable or do not configure this policy, the default notification behaviors will be used. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 4 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 2 | 2 Hours. | -| 4 (Default) | 4 Hours. | -| 8 | 8 Hours. | -| 12 | 12 Hours. | -| 24 | 24 Hours. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | RestartWarnRemind | -| Friendly Name | Configure auto-restart warning notifications schedule for updates | -| Element Name | Reminder (hours) | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Legacy Policies | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - - -### SetAutoRestartNotificationDisable - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable -``` - - - - -Allows the IT Admin to disable auto-restart notifications for update installations. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Enabled. | -| 1 | Disabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | AutoRestartNotificationDisable | -| Friendly Name | Turn off auto-restart notifications for update installations | -| Location | Computer Configuration | -| Path | Windows Components > Windows Update > Legacy Policies | -| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | -| ADMX File Name | WindowsUpdate.admx | - - - - - - - - -## Maintenance Scheduler - - -### AutomaticMaintenanceWakeUp - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/AutomaticMaintenanceWakeUp -``` - - - - -This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -- If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -- If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | WakeUpPolicy | -| Friendly Name | Automatic Maintenance WakeUp Policy | -| Location | Computer Configuration | -| Path | Windows Components > Maintenance Scheduler | -| Registry Key Name | Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance | -| Registry Value Name | WakeUp | -| ADMX File Name | msched.admx | - - - - - - - - -## Other policies - - -### AllowNonMicrosoftSignedUpdate - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/AllowNonMicrosoftSignedUpdate -``` - - - - -Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. | -| 1 (Default) | Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the 'Trusted Publishers' certificate store of the local computer. | - - - - - - - - - -### ConfigureDeadlineNoAutoRebootForFeatureUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForFeatureUpdates -``` - - - - -When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for feature updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForFeatureUpdates is configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineNoAutoRebootForFeatureUpdates | - - - - - - - - - -### ConfigureDeadlineNoAutoRebootForQualityUpdates - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureDeadlineNoAutoRebootForQualityUpdates -``` - - - - -When enabled, devices will not automatically restart outside of active hours until the deadline and grace period have expired for quality updates, even if an update is ready for restart. When disabled, an automatic restart may be attempted outside of active hours after update is ready for restart before the deadline is reached. Takes effect only if Update/ConfigureDeadlineForQualityUpdates is configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | ConfigureDeadlineNoAutoRebootForQualityUpdates | - - - - - - - - - -### ConfigureFeatureUpdateUninstallPeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/ConfigureFeatureUpdateUninstallPeriod -``` - - - - -Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[2-60]` | -| Default Value | 10 | - - - - - - - - - -### DeferUpdatePeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod -``` - - - - - - - - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - -Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. - -- If the **Specify intranet Microsoft update service location** policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - -OS upgrade: - -- Maximum deferral: Eight months -- Deferral increment: One month -- Update type/notes: - - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -Update: - -- Maximum deferral: One month -- Deferral increment: One week -- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: - - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -Other/can't defer: - -- Maximum deferral: No deferral -- Deferral increment: No deferral -- Update type/notes: - Any update category not enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-4]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferUpgrade | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | DeferUpdatePeriodId | - - - - - - - - - -### DeferUpgradePeriod - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DeferUpgradePeriod -``` - - - - - - - - -Allows IT Admins to specify additional upgrade delays for up to 8 months. Supported values are 0-8, which refers to the number of months to defer upgrades. - -- If the **Specify intranet Microsoft update service location** policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. -- If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. - -> [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-8]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DeferUpgrade | -| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | -| Element Name | DeferUpgradePeriodId | - - - - - - - - - -### DisableWUfBSafeguards - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763.1490] and later
    :heavy_check_mark: Windows 10, version 1903 [10.0.18362.1110] and later
    :heavy_check_mark: Windows 10, version 1909 [10.0.18363.1110] and later
    :heavy_check_mark: Windows 10, version 2004 [10.0.19041.546] and later
    :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards -``` - - - - -This policy setting specifies that a Windows Update for Business device should skip safeguards. - - - - -Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. - -IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the **Disable safeguards for Feature Updates** Group Policy. - -> [!NOTE] -> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. -> -> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. -> -> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared. | -| 1 | Safeguards are not enabled and upgrades will be deployed without blocking on safeguards. | - - - - - - - - ### IgnoreMOAppDownloadLimit @@ -4720,6 +4519,204 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead. + +### ScheduleImminentRestartWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduleImminentRestartWarning +``` + + + + +Allows the IT Admin to specify the period for auto-restart imminent warning notifications. The default value is 15 (minutes). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 15 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 15 (Default) | 15 Minutes. | +| 30 | 30 Minutes. | +| 60 | 60 Minutes. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestartWarnRemind | +| Friendly Name | Configure auto-restart warning notifications schedule for updates | +| Element Name | Warning (mins) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### ScheduleRestartWarning + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/ScheduleRestartWarning +``` + + + + +Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart is automatically executed. + +Specifies the amount of time prior to a scheduled restart to display the warning reminder to the user. + +You can specify the amount of time prior to a scheduled restart to notify the user that the auto restart is imminent to allow them time to save their work. + +- If you disable or do not configure this policy, the default notification behaviors will be used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 4 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 2 | 2 Hours. | +| 4 (Default) | 4 Hours. | +| 8 | 8 Hours. | +| 12 | 12 Hours. | +| 24 | 24 Hours. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | RestartWarnRemind | +| Friendly Name | Configure auto-restart warning notifications schedule for updates | +| Element Name | Reminder (hours) | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + + +### SetAutoRestartNotificationDisable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/SetAutoRestartNotificationDisable +``` + + + + +Allows the IT Admin to disable auto-restart notifications for update installations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Enabled. | +| 1 | Disabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AutoRestartNotificationDisable | +| Friendly Name | Turn off auto-restart notifications for update installations | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Legacy Policies | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + From f8cd35e285c88deded61ec5df9792651a67c6b5c Mon Sep 17 00:00:00 2001 From: Quentin BRUSA <122641985+qbrusa@users.noreply.github.com> Date: Thu, 19 Jan 2023 08:59:17 -0500 Subject: [PATCH 141/152] Move Event Volume section Move Event Volume section before EID table recommandation --- .../auditing/audit-authorization-policy-change.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index b7fd89b268..caa5d33848 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -20,6 +20,8 @@ ms.topic: reference Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. +**Event volume**: Medium to High. + | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
    However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
    If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | @@ -40,5 +42,3 @@ Audit Authorization Policy Change allows you to audit assignment and removal of - [4913](event-4913.md)(S): Central Access Policy on the object was changed. -**Event volume**: Medium to High. - From 1c791fd89916f35635ddb5cc333568960b52397f Mon Sep 17 00:00:00 2001 From: Quentin BRUSA <122641985+qbrusa@users.noreply.github.com> Date: Thu, 19 Jan 2023 09:03:05 -0500 Subject: [PATCH 142/152] Add missing link for EID 4902, 4907, 4904, 4905 --- .../auditing/audit-audit-policy-change.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index c5cdf8c616..74134a5bd9 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -49,13 +49,13 @@ Changes to audit policy that are audited include: The following events will be enabled with Success auditing in this subcategory: -- 4902(S): The Per-user audit policy table was created. +- [4902](event-4902.md)(S): The Per-user audit policy table was created. -- 4907(S): Auditing settings on object were changed. +- [4907](event-4907.md)(S): Auditing settings on object were changed. -- 4904(S): An attempt was made to register a security event source. +- [4904](event-4904.md)(S): An attempt was made to register a security event source. -- 4905(S): An attempt was made to unregister a security event source. +- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting. @@ -79,4 +79,4 @@ All other events in this subcategory will be logged regardless of the "Audit Pol - [4904](event-4904.md)(S): An attempt was made to register a security event source. -- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. \ No newline at end of file +- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. From c79a1c4be6c835f6a884fe19a6d9ee3ef106a962 Mon Sep 17 00:00:00 2001 From: JHayes-MS <91642326+JHayes-MS@users.noreply.github.com> Date: Thu, 19 Jan 2023 06:36:58 -0800 Subject: [PATCH 143/152] Added links for How to Articles for CA Policies Added 2 links with details on configuring CA Policies and about the exception itself. --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index c34e8342eb..1190cc13fb 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -40,7 +40,7 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, from their device compliance policy using **Select Excluded Cloud Apps**. +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access polices see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise From 3684ad6e122aa53bead6d9df78864dbfd7a90680 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Mon, 23 Jan 2023 13:58:03 -0800 Subject: [PATCH 144/152] Update windowsdefenderapplicationguard-csp.md --- .../mdm/windowsdefenderapplicationguard-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 32799b0ffd..8e0ff9f02d 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -334,7 +334,7 @@ Value type is integer. Supported operation is Get. -- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. +- Bit 0 - Set to 1 when Application Guard is enabled into Windows Isolated environment mode. - Bit 1 - Set to 1 when the client machine is Hyper-V capable. - Bit 2 - Reserved for Microsoft. - Bit 3 - Set to 1 when Application Guard is installed on the client machine. From 32ac215c1f511a2de3e4fe5e6406d94374512df1 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 23 Jan 2023 16:23:30 -0800 Subject: [PATCH 145/152] Added warnings for deploying signed base policies to HVCI. Clarified support for root level rules. --- .../deploy-wdac-policies-with-script.md | 17 ++++++++++++----- ...ation-control-policies-using-group-policy.md | 11 +++++++++-- ...application-control-policies-using-intune.md | 9 ++++++++- .../select-types-of-rules-to-create.md | 4 ++-- ...nder-application-control-deployment-guide.md | 9 ++++++++- 5 files changed, 39 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index da03a2f08c..178418a530 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -9,7 +9,7 @@ ms.reviewer: aaroncz ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 12/03/2022 +ms.date: 01/23/2023 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -26,13 +26,20 @@ ms.localizationpriority: medium >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. +This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The following instructions use PowerShell but can work with any scripting host. You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). +> [!IMPORTANT] +> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Skip all steps below that use citool.exe, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, follow the steps to copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. +> +> Updates to signed Base policies that are already active on the system can be done rebootlessly. +> +> This bug doesn't affect deployment of any unsigned policies or any supplemental policies (signed or unsigned). + ## Deploying policies for Windows 11 22H2 and above -You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the example below with the actual path to your WDAC policy binary file. +You can use [citool.exe](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands) to apply policies on Windows 11 22H2 with the following commands. Be sure to replace **<Path to policy binary file to deploy>** in the following example with the actual path to your WDAC policy binary file. ```powershell # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = from the Policy XML) @@ -92,9 +99,9 @@ Use WMI to apply policies on all other versions of Windows and Windows Server. ## Deploying signed policies -If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. +If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. -1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: +1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: ```powershell $MountPoint = 'C:\EFIMount' diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index f0c1ff7b47..c7d7ada2c1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -13,7 +13,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 10/06/2022 +ms.date: 01/23/2023 ms.technology: itpro-security ms.topic: article --- @@ -31,7 +31,14 @@ ms.topic: article > > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. -Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. +> [!IMPORTANT] +> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Group Policy, deploy new signed WDAC Base policies [via script](deployment/deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> +> Updates to signed Base policies that are already active on the system can be done rebootlessly and using Group Policy. +> +> This bug doesn't affect deployment of any unsigned policies. + +Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 14716db117..e01a471d80 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -8,7 +8,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 10/06/2022 +ms.date: 01/23/2023 ms.topic: how-to --- @@ -25,6 +25,13 @@ ms.topic: how-to You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. +> [!IMPORTANT] +> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deployment/deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> +> Updates to signed Base policies that are already active on the system can be done rebootlessly and using MDM. +> +> This bug doesn't affect deployment of any unsigned policies. + ## Use Intune's built-in policies Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run: diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index d14c84c13f..9672782041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 08/29/2022 +ms.date: 01/23/2023 ms.technology: itpro-security ms.topic: article --- @@ -96,7 +96,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the | **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. | | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). | -| **RootCertificate** | Currently unsupported. | +| **RootCertificate** | This level may produce an overly permissive policy and isn't recommended for most use cases. | | **WHQL** | Trusts binaries if they've been validated and signed by WHQL. This level is primarily for kernel binaries. | | **WHQLPublisher** | This level combines the WHQL level and the CN on the leaf certificate, and is primarily for kernel binaries. | | **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This level is primarily for kernel binaries. | diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 938e4370ae..67ed4d80fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -8,7 +8,7 @@ author: jgeurten ms.reviewer: aaroncz ms.author: jogeurte manager: jsuther -ms.date: 10/06/2022 +ms.date: 01/23/2023 ms.topic: overview --- @@ -55,6 +55,13 @@ All Windows Defender Application Control policy changes should be deployed in au ## Choose how to deploy WDAC policies +> [!IMPORTANT] +> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead, deploy new signed WDAC Base policies [via script](deployment/deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> +> Updates to signed Base policies that are already active on the system can be done rebootlessly. +> +> This bug doesn't affect deployment of any unsigned policies or any supplemental policies (signed or unsigned). + There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: - [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune From 840bfd288539bfadc7e065cc19ad96021b049b0c Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Mon, 23 Jan 2023 16:33:01 -0800 Subject: [PATCH 146/152] Fixed links --- ...-defender-application-control-policies-using-group-policy.md | 2 +- ...indows-defender-application-control-policies-using-intune.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index c7d7ada2c1..717cebb32d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -32,7 +32,7 @@ ms.topic: article > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. > [!IMPORTANT] -> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Group Policy, deploy new signed WDAC Base policies [via script](deployment/deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Group Policy, deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart. > > Updates to signed Base policies that are already active on the system can be done rebootlessly and using Group Policy. > diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index e01a471d80..d680ad56d0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -26,7 +26,7 @@ ms.topic: how-to You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. > [!IMPORTANT] -> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deployment/deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart. > > Updates to signed Base policies that are already active on the system can be done rebootlessly and using MDM. > From a9b089c4eb02c14868a15c06c2710efbed7e799a Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 24 Jan 2023 08:25:30 -0800 Subject: [PATCH 147/152] Addressed feedback --- .../deployment/deploy-wdac-policies-with-script.md | 6 ++---- ...application-control-policies-using-group-policy.md | 11 +++++------ ...ender-application-control-policies-using-intune.md | 6 ++---- ...s-defender-application-control-deployment-guide.md | 6 ++---- 4 files changed, 11 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 178418a530..ca978a53c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -31,11 +31,9 @@ This article describes how to deploy Windows Defender Application Control (WDAC) You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). > [!IMPORTANT] -> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Skip all steps below that use citool.exe, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, follow the steps to copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Skip all steps below that use citool.exe, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart. > -> Updates to signed Base policies that are already active on the system can be done rebootlessly. -> -> This bug doesn't affect deployment of any unsigned policies or any supplemental policies (signed or unsigned). +> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. ## Deploying policies for Windows 11 22H2 and above diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md index 717cebb32d..6562b00f12 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -28,18 +28,17 @@ ms.topic: article > [!NOTE] > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -> -> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. > [!IMPORTANT] -> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Group Policy, deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Group Policy, deploy new signed WDAC Base policies [via script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies) and activate the policy with a system restart. > -> Updates to signed Base policies that are already active on the system can be done rebootlessly and using Group Policy. -> -> This bug doesn't affect deployment of any unsigned policies. +> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. +> [!IMPORTANT] +> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. + You should now have a WDAC policy converted into binary form. If not, follow the steps described in [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). The following procedure walks you through how to deploy a WDAC policy called **SiPolicy.p7b** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index d680ad56d0..804ef93a26 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -26,11 +26,9 @@ ms.topic: how-to You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. > [!IMPORTANT] -> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** WDAC Base policies *with a reboot* on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. Instead of Mobile Device Management (MDM), deploy new signed WDAC Base policies [via script](deploy-wdac-policies-with-script.md) and activate the policy with a system restart. > -> Updates to signed Base policies that are already active on the system can be done rebootlessly and using MDM. -> -> This bug doesn't affect deployment of any unsigned policies. +> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. ## Use Intune's built-in policies diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 67ed4d80fb..a961918d5c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -56,11 +56,9 @@ All Windows Defender Application Control policy changes should be deployed in au ## Choose how to deploy WDAC policies > [!IMPORTANT] -> Due to an existing bug, you should avoid rebootlessly activating new **signed** WDAC Base policies on systems with **memory integrity** enabled (also known as hypervisor-protected code integrity or HVCI). Instead, deploy new signed WDAC Base policies [via script](deployment/deploy-wdac-policies-with-script.md) and activate the policy with a system restart. +> Due to a known issue, you should always activate new **signed** WDAC Base policies with a reboot on systems with [**memory integrity**](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) enabled. We recommend [deploying via script](deployment/deploy-wdac-policies-with-script.md) in this case. > -> Updates to signed Base policies that are already active on the system can be done rebootlessly. -> -> This bug doesn't affect deployment of any unsigned policies or any supplemental policies (signed or unsigned). +> This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity. There are several options to deploy Windows Defender Application Control policies to managed endpoints, including: From 0bd181c70a6e4481e837bc13914fd8c271b4336f Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 24 Jan 2023 09:17:34 -0800 Subject: [PATCH 148/152] Removed unused/incorrect information and corrected link. --- .../operate/windows-autopatch-fu-overview.md | 4 ++-- .../operate/windows-autopatch-wqu-signals.md | 4 +--- .../references/windows-autopatch-changes-to-tenant.md | 4 +--- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 020359528b..ef3dba90f8 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -30,8 +30,8 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut | Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | -| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). | +| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-wqu-unsupported-policies.md). | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). | ## Windows feature update releases diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index 2a4c33b67a..b27a0d0447 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -1,7 +1,7 @@ --- title: Windows quality update signals description: This article explains the Windows quality update signals -ms.date: 05/30/2022 +ms.date: 01/24/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -57,5 +57,3 @@ Autopatch monitors the following reliability signals: | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers. - -Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 10fa706030..3b6cc306de 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 12/01/2022 +ms.date: 01/24/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -56,13 +56,11 @@ Windows Autopatch will create Azure Active Directory groups that are required to - Windows Autopatch - Set MDM to Win Over GPO - Windows Autopatch - Data Collection -- Windows Autopatch-Window Update Detection Frequency | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | | Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked | | Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    |
    1. [Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)
    2. [Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)
    3. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
    4. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
    5. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
    6. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
    |
    1. Enable telemetry change notifications
    2. Enable Telemetry opt-in Settings
    3. Full
    4. Enabled
    5. Enabled
    6. Enabled
    | -| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency

    Assigned to:

    • Modern Workplace Devices-Windows Autopatch-Test
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace Devices-Windows Autopatch-Fast
    • Modern Workplace Devices-Windows Autopatch-Broad
    | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | ## Deployment rings for Windows 10 and later From 699d10a08e834f5bacd13616ff9170a1e833aa0c Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 24 Jan 2023 10:05:24 -0800 Subject: [PATCH 149/152] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 1190cc13fb..4f8562a41b 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -40,7 +40,7 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). > [!NOTE] -> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access polices see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). ## Subscription activation for Enterprise From 9a9287f76695310a7fe6ee8d1ee05465e90af92e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 24 Jan 2023 11:49:50 -0800 Subject: [PATCH 150/152] Updated Whats new with baseline config update. --- .../whats-new/windows-autopatch-whats-new-2023.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index bb56fa10e7..2432b4ddca 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -31,4 +31,5 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Message center post number | Description | | ----- | ----- | +| [MC500889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 Windows baseline configuration update | | [MC494386](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 (2023.01 B) Windows quality update deployment | From f163c55f03a4b52e335fa971772f5c47b42155b0 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 24 Jan 2023 12:10:57 -0800 Subject: [PATCH 151/152] hah fixed silly typo. --- .../whats-new/windows-autopatch-whats-new-2023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 2432b4ddca..cbc9b52878 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -31,5 +31,5 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Message center post number | Description | | ----- | ----- | -| [MC500889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 Windows baseline configuration update | +| [MC500889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 Windows Autopatch baseline configuration update | | [MC494386](https://admin.microsoft.com/adminportal/home#/MessageCenter) | January 2023 (2023.01 B) Windows quality update deployment | From 1832c140314553c9f6339ed3760c8a7e1f3081fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?= Date: Wed, 25 Jan 2023 11:25:35 +0100 Subject: [PATCH 152/152] Update event-4670.md --- .../security/threat-protection/auditing/event-4670.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 9509f490e5..f20653ded7 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -235,14 +235,14 @@ Example: D:(A;;FA;;;WD) | "GR" | GENERIC READ | "SD" | Delete | | "GW" | GENERIC WRITE | "WD" | Modify Permissions | | "GX" | GENERIC EXECUTE | "WO" | Modify Owner | -| File access rights | "RP" | Read All Properties | +| File access rights | | "RP" | Read All Properties | | "FA" | FILE ALL ACCESS | "WP" | Write All Properties | | "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | | "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | | "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | -| Registry key access rights | "SW" | All Validated Writes | -| "KA" | "LO" | "LO" | List Object | -| "K" | KEY READ | "DT" | Delete Subtree | +| Registry key access rights | | "SW" | Self Write | +| "KA" | KEY ALL ACCESS | "LO" | List Object | +| "KR" | KEY READ | "DT" | Delete Subtree | | "KW" | KEY WRITE | "CR" | All Extended Rights | | "KX" | KEY EXECUTE | | | @@ -272,4 +272,4 @@ For file system and registry objects, the following recommendations apply. - If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** -- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. \ No newline at end of file +- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.